From e9073f35dfde197e65d5fc5d94534a8962a9e2d4 Mon Sep 17 00:00:00 2001 
From: IaCS solution Date: Wed, 25 Aug 2021 17:03:59 +0200 Subject: [PATCH 1/7] Added first batch of modules --- .../policyAssignments/deploy.json | 155 ++ .../allowedLocations.parameters.json | 25 + .../listOfAllowedSKUs.parameters.json | 25 + .../parameters/parameters.json | 28 + .../policyAssignments/readme.md | 36 + .../Parameters/parameters.json | 54 + .../roleAssignments/deploy.json | 432 ++++++ .../roleAssignments/readme.md | 68 + .../Parameters/parameters.json | 37 + .../roleDefinitions/deploy.json | 238 ++++ .../roleDefinitions/readme.md | 43 + .../managementGroups/deploy.json | 427 ++++++ .../parameters/parameters.json | 29 + .../managementGroups/readme.md | 128 ++ .../aliases/Parameters/parameters.json | 39 + .../aliases/deploy.json | 549 +++++++ .../Microsoft.Subscription/aliases/readme.md | 164 +++ .../aliases/rg-deploy.json | 90 ++ ...e_location_KeyVault_PrivateEndpoints.bicep | 0 .../vaults/.bicep}/nested_rbac_name.bicep | 0 .../Microsoft.KeyVault/vaults}/deploy.bicep | 0 .../Microsoft.KeyVault/vaults}/deploy.json | 0 .../vaults/parameters}/parameters.json | 0 .../Microsoft.KeyVault/vaults}/readme.md | 0 .../workspaces/deploy.json | 1268 +++++++++++++++++ .../workspaces/parameters/parameters.json | 61 + .../workspaces/readme.md | 140 ++ .../resourceGroups/deploy.json | 344 +++++ .../resourceGroups/parameters/parameters.json | 27 + .../resourceGroups/readme.md | 88 ++ 30 files changed, 4495 insertions(+) create mode 100644 managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json create mode 100644 
managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json create mode 100644 managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md create mode 100644 managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json create mode 100644 managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json create mode 100644 managementGroupTemplates/Microsoft.Management/managementGroups/readme.md create mode 100644 managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json create mode 100644 managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json create mode 100644 managementGroupTemplates/Microsoft.Subscription/aliases/readme.md create mode 100644 managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep}/nested_name_location_KeyVault_PrivateEndpoints.bicep (100%) rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep}/nested_rbac_name.bicep (100%) rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults}/deploy.bicep (100%) rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults}/deploy.json (100%) rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults/parameters}/parameters.json (100%) rename {KeyVault => resourceGroupTemplates/Microsoft.KeyVault/vaults}/readme.md (100%) create mode 100644 
subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json create mode 100644 subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json create mode 100644 subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md create mode 100644 subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json create mode 100644 subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json create mode 100644 subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json new file mode 100644 index 0000000000..8435100be2 --- /dev/null +++ b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json 
@@ -0,0 +1,155 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "type": "string", + "metadata": { + "description": "Required. Specifies the name of the policy assignment." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the name of the resource group where you want to assign the policy." + } + }, + "policyDefinitionID": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." + } + }, + "parameters": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Parameters for the policy assignment if needed." + } + }, + "identity": { + "type": "string", + "defaultValue": "SystemAssigned", + "metadata": { + "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "policyAssignmentName": "[replace(parameters('policyAssignmentName'),' ','')]" + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Policy Assignment on Subscription scope + { + "name": "[concat(variables('policyAssignmentName'), '-subDeployment')]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[parameters('location')]", + "condition": "[empty(parameters('resourceGroupName'))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "name": "[variables('policyAssignmentName')]", + "location": "[parameters('location')]", + "apiVersion": "2019-09-01", + "properties": { + "policyDefinitionId": "[parameters('policyDefinitionID')]", + "parameters": "[parameters('parameters')]" + }, + "identity": { + "type": "[parameters('identity')]" + } + } + ] + } + } + }, + // Policy Assignment on Resource group scope + { + "name": "[concat(variables('policyAssignmentName'), '-rgDeployment')]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + 
"type": "Microsoft.Authorization/policyAssignments", + "name": "[variables('policyAssignmentName')]", + "location": "[resourceGroup().location]", + "apiVersion": "2019-09-01", + "properties": { + "policyDefinitionId": "[parameters('policyDefinitionID')]", + "parameters": "[parameters('parameters')]" + }, + "identity": { + "type": "[parameters('identity')]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "policyAssignmentName": { + "type": "string", + "value": "[variables('policyAssignmentName')]", + "metadata": { + "description": "Name of the policy assignment." + } + }, + "assignmentScope": { + "type": "string", + "value": "[if(empty(parameters('resourceGroupName')), subscription().id , concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName')))]", + "metadata": { + "description": "The scope (subscription or resource group) of the assignment." + } + } + } +} \ No newline at end of file diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json new file mode 100644 index 0000000000..cf753f50a5 --- /dev/null +++ b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "value": "Allowed locations 2" + }, + "policyDefinitionID": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" + }, + "parameters": { + "value": { + "listOfAllowedLocations": { + "value": ["westus","westus2"] + } + } + }, + "location": { + "value": "westus2" + }, + "identity": { + "value": "None" + } + } +} 
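Review bot: The `-rgDeployment` nested deployment in policyAssignments/deploy.json has no `resourceGroup` property, so nothing visible in this hunk targets it at `parameters('resourceGroupName')`. The assignment may therefore land at subscription scope, or fail on `resourceGroup().location`, while the `assignmentScope` output still reports the resource group. Add `"resourceGroup": "[parameters('resourceGroupName')]",` next to its `condition` and confirm the resulting scope in a test deployment. Separately, `identity` defaults to `SystemAssigned` with no `allowedValues`, so every assignment gets a managed identity even for audit or deny definitions that need none. Consider `"defaultValue": "None",` together with `"allowedValues": ["None", "SystemAssigned"],` so an identity exists only when a caller asks for one.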
diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
new file mode 100644
index 0000000000..291eaa2472
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyAssignmentName": {
+ "value": "Allowed virtual machine SKUs"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3"
+ },
+ "parameters": {
+ "value": {
+ "listOfAllowedSKUs": {
+ "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"]
+ }
+ }
+ },
+ "location": {
+ "value": "westus2"
+ },
+ "identity": {
+ "value": "None"
+ }
+ }
+}
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json
new file mode 100644
index 0000000000..a511f42ea4
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "value": ""
+ },
+ "policyAssignmentName": {
+ "value": "Add a tag to resources"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
+ },
+ "parameters": {
+ "value": {
+ "tagName": {
+ "value": "Tag"
+ },
+ "tagValue": {
+ "value": "Value"
+ }
+ }
+ },
+ "location": {
+ "value": "westeurope"
+ }
+ }
+}
diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md
new file mode 100644
index 0000000000..a36a36cf0d
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md
@@ -0,0 +1,36 @@
+# PolicyAssignment
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Authorization/policyAssignments`|2018-05-01|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | |
+| `location` | string | Optional. Location for all resources. | | |
+| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. | | |
+| `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | |
+| `parameters` | object | Optional. Parameters for the policy assignment if needed. | | |
+| `identity` | string | Optional. The managed identity associated with the policy assignment. | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `assignmentScope` | string | The scope (subscription or resource group) of the assignment. |
+| `policyAssignmentName` | string | Name of the policy assignment. |
+
+## Considerations
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json
new file mode 100644
index 0000000000..2585e6269c
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json 
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Resource Group name is optional, when provided, the Role Assignment will target the RG. When not provided the scope will be the subscription.
+ "resourceGroupName": {
+ "value": "artifacts-rg"
+ },
+ "roleAssignments": {
+ "value": [
+ // Built-in Role Definition, referenced by Name
+ {
+ "roleDefinitionIdOrName": "Owner",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ // Built-in Role Definition, referenced by Name
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ // // Built-in Role Definition, referenced by ID
+ // {
+ // "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Resource Group scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Subscription scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // }
+ ]
+ }
+ }
+}
\ No newline at end of file
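Review bot: The two commented custom-role examples carry swapped scope labels: the entry under `// Custom Role Definition on Resource Group scope` uses a subscription-level definition ID, while the one under `// Custom Role Definition on Subscription scope` uses the `/resourceGroups/rbacTest/` path. These comments guide where a role gets granted, so swap the two labels to keep a reader from assigning at a broader scope than intended. The commented `principalIds` samples also have no comma between the two GUIDs, so uncommenting both produces an invalid array. The first live example is `Owner` on `artifacts-rg`; leading the sample with `Reader` and a comment such as `// Grant the least-privileged role that covers the task` would make the safer entry the one people copy.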
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json
new file mode 100644
index 0000000000..1857dd535e
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json
@@ -0,0 +1,432 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": 
"/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": 
"/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications 
Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage 
File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + // CUA on 
Subscription scope + { + "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Role Assignments on Subscription scope + { + "name": "[concat(uniqueString(deployment().name, parameters('location')), 'subscriptionRbacDeplCopy-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[parameters('location')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "copy": { + "name": "subscriptionRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "subscriptionId": { + "value": "[subscription().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "subscriptionId": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + 
"resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + }, + // CUA on Resource Group scope + { + "name": "cuaDeploymentOnResourceGroup", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "cuaId": { + "value": "[parameters('cuaId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "cuaId": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + } + 
], + "outputs": { + "resourceGroupId": { + "type": "string", + "value": "[resourceGroup().id]" + } + } + } + } + }, + // Role Assignments on Resource Group scope + { + "name": "[concat('resourceGroupRbacDeplCopy-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), not(empty(parameters('resourceGroupName'))))]", + "dependsOn": [ + ], + "copy": { + "name": "resourceGroupRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "resourceGroupName": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[if( variables('condition'), guid( parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { 
+ "name": "innerRbacCopy",
+ "count": "[length(array(parameters('roleAssignment').principalIds))]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "assignmentScope": {
+ "type": "string",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "value": "[if(empty(parameters('resourceGroupName')), subscription().id , reference('cuaDeploymentOnResourceGroup').outputs.resourceGroupId.value)]",
+ "metadata": {
+ "description": "The scope (subscription or resource group) of the assignments defined in this module were created on."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "value": "[parameters('roleAssignments')]",
+ "metadata": {
+ "description": "Array of role assignment objects."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md
new file mode 100644
index 0000000000..72f624e53c
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md
@@ -0,0 +1,68 @@
+# Role Assignments
+
+This module deploys Role Assignments.
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview|
+|`Microsoft.Resources/deployments`|2018-02-01|
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription.
+| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered |
+| `location` | string | [deployment().location] | | Optional. Location for all resources. |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/subscriptions/78945612-1234-1234-1234-123456789012/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `assignmentScope` | string | The scope (subscription or resource group) of the assignments defined in this module were created on. |
+| `roleAssignments` | array | Array of role assignment objects. |
+
+## Considerations
+
+This module can be deployed both at subscription or resource group level:
+
+- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter.
+- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty.
+
+## Additional resources
+
+- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview)
+- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json
new file mode 100644
index 0000000000..9c1e1945c8
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "myCustomRoleAtSub"
+ },
+ // "resourceGroupName": {
+ // "value": "rbacTest"
+ // },
+ "roleDescription": {
+ "value": ""
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/read",
+ "Microsoft.Compute/galleries/images/read",
+ "Microsoft.Compute/galleries/images/versions/read",
+ "Microsoft.Compute/galleries/images/versions/write",
+ "Microsoft.Compute/images/write",
+ "Microsoft.Compute/images/read",
+ "Microsoft.Compute/images/delete",
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Network/virtualNetworks/subnets/join/action"
+ ]
+ },
+ "notActions": {
+ "value": []
+ },
+ "dataActions": {
+ "value": []
+ },
+ "notDataActions": {
+ "value": []
+ }
+ }
+}
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json
new file mode 100644
index 0000000000..522ac6e8eb
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json
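Review bot: The commented-out `resourceGroupName` block in roleDefinitions/Parameters/parameters.json makes the file invalid for a strict JSON parser; ARM deployment tooling typically tolerates `//` comments, but a linter or script that loads the file with a plain JSON parser would fail, so the block is better removed and the resource-group variant described in the readme. Separately, `roleDescription` is left as `""` although the role grants `Microsoft.Compute/images/delete` and `Microsoft.Network/virtualNetworks/subnets/join/action`; a one-line description of what the role is for makes later access reviews of the custom role easier.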
@@ -0,0 +1,238 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the custom RBAC role to be created."
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription."
+ }
+ },
+ "roleDescription": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Description of the custom RBAC role to be created."
+ }
+ },
+ "actions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of allowed actions."
+ }
+ },
+ "notActions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of denied actions."
+ }
+ },
+ "dataActions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of allowed data actions."
+ }
+ },
+ "notDataActions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of denied data actions."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ // CUA on Subscription scope
+ {
+ "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ // Role Definitions on Subscription scope
+ {
+ "name": "[guid(parameters('roleName'), subscription().id)]",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2018-01-01-preview",
+ "condition": "[empty(parameters('resourceGroupName'))]",
+ "properties": {
+ "roleName": "[parameters('roleName')]",
+ "description": "[parameters('roleDescription')]",
+ "type": "customRole",
+ "permissions": [
+ {
+ "actions": "[parameters('actions')]",
+ "notActions": "[parameters('notActions')]",
+ "dataActions": "[parameters('dataActions')]",
+ "notDataActions": "[parameters('notDataActions')]"
+ }
+ ],
+ "assignableScopes": [
+ "[subscription().id]"
+ ]
+ }
+ },
+ // CUA & Role Definitions on Resource Group scope
+ {
+ "name": "roleDefinitionDeployment",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "condition": "[not(empty(parameters('resourceGroupName')))]",
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleName": {
+ "value": "[parameters('roleName')]"
+ },
+ "roleDescription": {
+ "value": "[parameters('roleDescription')]"
+ },
+ "actions": {
+ "value": "[parameters('actions')]"
+ },
+ "notActions": {
+ "value": "[parameters('notActions')]"
+ },
+ "dataActions": {
+ "value": "[parameters('dataActions')]"
+ },
+ "notDataActions": {
+ "value": "[parameters('notDataActions')]"
+ },
+ "cuaId": {
+ "value": "[parameters('cuaId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "type": "string"
+ },
+ "roleDescription": {
+ "type": "string"
+ },
+ "actions": {
+ "type": "array"
+ },
+ "notActions": {
+ "type": "array"
+ },
+ "dataActions": {
+ "type": "array"
+ },
+ "notDataActions": {
+ "type": "array"
+ },
+ "cuaId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "name": "[guid(parameters('roleName'), resourceGroup().id)]",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2018-01-01-preview",
+ "properties": {
+ "roleName": "[parameters('roleName')]",
+ "description": "[parameters('roleDescription')]",
+ "type": "customRole",
+ "permissions": [
+ {
+ "actions": "[parameters('actions')]",
+ "notActions": "[parameters('notActions')]",
+ "dataActions": "[parameters('dataActions')]",
+ "notDataActions": "[parameters('notDataActions')]"
+ }
+ ],
+ "assignableScopes": [
+ "[resourceGroup().id]"
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "resourceGroupId": {
+ "type": "string",
+ "value": "[resourceGroup().id]"
+ },
+ "id": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), resourceGroup().id))]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "definitionId": {
+ "type": "string",
+ "value": "[if(not(empty(parameters('resourceGroupName'))), resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'roleDefinitionDeployment'), '2019-10-01').outputs.resourceGroupId.value)), resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), subscription().id)))]",
+ "metadata": {
+ "description": "The id of the role definition that was created."
+ }
+ },
+ "definitionScope": {
+ "type": "string",
+ "value": "[if(empty(parameters('resourceGroupName')), subscription().id, reference('roleDefinitionDeployment').outputs.resourceGroupId.value)]",
+ "metadata": {
+ "description": "The scope (subscription or resource group) this definition was created on."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md
new file mode 100644
index 0000000000..c0957284dd
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md
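Review bot: The `definitionId` output in roleDefinitions/deploy.json builds the resource-group path with `format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, parameters('resourceGroupName'))`, but `subscription().id` already has the form `/subscriptions/<guid>`, so the path would start with `/subscriptions//subscriptions/...` and the `reference()` is unlikely to resolve; `subscription().subscriptionId` is the value that fits `{0}`. One simpler option is to reuse the nested deployment's own output, as `definitionScope` already does for `resourceGroupId`: `reference('roleDefinitionDeployment').outputs.id.value`. Separately, `actions` and `dataActions` flow into `permissions` unchecked, so a parameter file containing `*` would define a role with every management-plane action at the assignable scope; the parameter descriptions should state that wildcards are discouraged, and pipeline review of parameter files should check for them.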
@@ -0,0 +1,43 @@
+# Role Definitions
+
+This module deploys custom RBAC Role Definitions.
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Authorization/roleDefinitions`|2018-07-01|
+|`Microsoft.Resources/deployments`|2018-02-01|
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `roleName` | string | | | Required. Name of the custom RBAC role to be created.
+| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription.
+| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created.
+| `actions` | array | [] | | Optional. List of allowed actions.
+| `notActions` | array | [] | | Optional. List of denied actions.
+| `dataActions` | array | [] | | Optional. List of allowed data actions.
+| `notDataActions` | array | [] | | Optional. List of denied data actions.
+| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `definitionId` | string | The id of the role definition that was created. |
+| `definitionScope` | string | The scope (subscription or resource group) this definition was created on. |
+
+## Considerations
+
+This module can be deployed both at subscription or resource group level:
+
+- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter.
+- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty.
+
+## Additional resources
+
+- [Understand Azure role definitions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions)
+- [Microsoft.Authorization roleDefinitions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json b/managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json
new file mode 100644
index 0000000000..da47866ea0
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json
@@ -0,0 +1,427 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "mgStructure": { + "type": "array", + "metadata": { + "description": "Required. The structure of the management groups" + } + } + }, + "functions": [], + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure 
Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": 
"/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application 
Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "type": "Microsoft.Management/managementGroups", + "comments": "Fake deployment, used to specify a non-existent dependency. Never deployed", + "apiVersion": "2020-05-01", + "scope": "/", + "name": "noop", + "condition": false, + "properties": { + "details": { + "parent": { + "id": "" + } + } + } + }, + { + "copy": { + "name": "mgLoop", + "count": "[length(parameters('mgStructure'))]" + }, + + // excludes from creation the root management group that must pre-exist. + // This anyhow allows RBAC at this level to be created + "condition": "[ + not(equals( + parameters('mgStructure')[copyIndex('mgLoop')].parentId, + '/' + )) + ]", + + // if the element contains 'parentNotManagedInThisTemplate' with value true --> this is a top MG managed in this template + // Then -> The resource has no dependencies (noop used as a 'fake' dependency) + // Else -> get dependency from the parent ID + "dependson":[ + "[ + if( + and( + contains( + parameters('mgStructure')[copyIndex('mgLoop')], + 'parentNotManagedInThisTemplate' + ), + parameters('mgStructure')[copyIndex('mgLoop')].parentNotManagedInThisTemplate + ), + 'noop', + parameters('mgStructure')[copyIndex('mgLoop')].parentId + ) + ]" + ], + + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "scope": "/", + "name": "[parameters('mgStructure')[copyIndex('mgLoop')].name]", + "properties": { + "displayName":"[ + if( + contains( + parameters('mgStructure')[copyIndex('mgLoop')], + 'displayName' + ), + parameters('mgStructure')[copyIndex('mgLoop')].displayName, + parameters('mgStructure')[copyIndex('mgLoop')].name + ) + ]", + "details": { + "parent": { + "id": "[concat( + '/providers/Microsoft.Management/managementGroups/', + parameters('mgStructure')[copyIndex('mgLoop')].parentId + )]" + } + } + } + }, + + // Management Group RBAC + { + "name": "[concat('MGRBAC-', 
if(empty(parameters('mgStructure')), 'dummy', copyIndex() ) )]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('mgStructure')))]", + "location": "[deployment().location]", + "dependsOn": [ + "mgLoop" + ], + "copy": { + "name": "MGRBACLoop", + "count": "[length(parameters('mgStructure'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "MGConfig": { + "value": "[parameters('mgStructure')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "MGDeplLoop": { + "value": "[copyIndex('MGRBACLoop')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "MGConfig": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "MGDeplLoop": { + "type": "int" + } + }, + "resources": [ + { + "name": "[concat('MGRbacDeplLoop-', parameters('MGDeplLoop'), '-', copyIndex('mgRBACDeplLoop'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(array(parameters('MGConfig').roleAssignments)))]", + "location": "[deployment().location]", + "dependsOn": [ + ], + "copy": { + "name": "mgRBACDeplLoop", + "count": "[ + if( + contains( + parameters('MGConfig'), + 'roleAssignments' + ), + length( + array( + parameters('MGConfig').roleAssignments + ) + ), + 0 + ) + ]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "MGName": { + "value": "[parameters('MGConfig').name]" + }, + "roleAssignment": { + "value": "[array(parameters('MGConfig').roleAssignments)[copyIndex('mgRBACDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "MGName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Management/managementGroups/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[ + concat( + parameters('MGName'), + '/Microsoft.Authorization/', + guid( + uniqueString( + concat( + parameters('MGName') , + array( + parameters('roleAssignment').principalIds + )[copyIndex('innerRbacCopy')], + parameters('roleAssignment').roleDefinitionIdOrName + ) + ) + ) + ) + ]", + + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[ + if( + contains( + parameters('builtInRoleNames'), + parameters('roleAssignment').roleDefinitionIdOrName + ), + parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName], + parameters('roleAssignment').roleDefinitionIdOrName + ) + ]", + "principalId": "[ + array( + parameters('roleAssignment').principalIds + )[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": { + "managementGroupCount": { + "type": "int", + "value": "[length(parameters('mgStructure'))]", + "metadata": { + "description": "Number of management groups considered in the deployment" + } + } + } +} diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json b/managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json new file mode 100644 index 0000000000..02dc4a7f4f --- /dev/null +++ b/managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json 
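Review bot: The `roleDefinitionId` expression in the innermost `roleAssignments` resource passes `roleDefinitionIdOrName` through unchanged whenever it is not a key of `builtInRoleNames`, so a name that misses the map is submitted as if it were a role definition ID and is presumably only rejected by the nested deployment at run time. One key as shown here, `"Managed Services Registration assignment Delete "`, ends in a space, so that role can only be looked up by typing the trailing space; the entry should read `"Managed Services Registration assignment Delete": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",`. These assignments are made at management-group scope, and the map resolves `Owner` and `User Access Administrator` like any other name, so the `mgStructure` metadata description should state that each `roleAssignments` entry grants the role to every listed principal on the management group and on everything beneath it. The assignment's `properties` also omit `principalType`, which this API version accepts and which avoids lookup failures for principals created shortly before the deployment.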
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "mgStructure": {
+ "value": [
+ {
+ "name":"root",
+ "parentId":"284a3525-0ec7-454c-8a03-90ed7e7a68ce",
+ "parentNotManagedInThisTemplate": true
+ },
+ {
+ "name":"child1",
+ "displayName":"child1Description",
+ "parentId":"root"
+ },
+ {
+ "name":"child2",
+ "parentId":"root"
+ },
+ {
+ "name":"nephew1",
+ "parentId":"child1",
+ "parentNotManagedInThisTemplate": false
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/readme.md b/managementGroupTemplates/Microsoft.Management/managementGroups/readme.md
new file mode 100644
index 0000000000..1baf9391db
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Management/managementGroups/readme.md
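Review bot: The first `mgStructure` entry commits a concrete GUID as `parentId`, which, going by the module readme's remark that the root management group has the tenant GUID as its ID, looks like a real tenant identifier rather than sample data. A tenant ID is not a credential, but a sample parameters file that names one environment invites being run unchanged against it and discloses which tenant the authors work in; a labelled placeholder such as `"parentId":"<tenant-root-management-group-id>"` keeps the example usable. None of the four entries carries `roleAssignments`, so the RBAC path of the template is not exercised by this file.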
@@ -0,0 +1,128 @@
+# Management groups
+
+This template will prepare the Management group structure based on the provided parameter.
+
+This module has some known **limitations**:
+- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)
+- It can't manage the Root (/) management group
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Management/managementGroups`|2020-05-01|
+|`Microsoft.Resources/deployments`|2020-06-01|
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `mgStructure` | Array of objects | | Complex structure, see below | Required. The structure of the management groups |
+
+### Parameter Usage: mgStructure
+
+Describes the Management groups to be created. Each management group is represented by an element of the array
+
+``` json
+"mgStructure": {
+ "value": [
+ {
+ "name":"tst1",
+ "parentId":"test-mg",
+ "parentNotManagedInThisTemplate": true
+ },
+ {
+ "name":"child1",
+ "parentId":"tst1",
+ "roleAssignments":[
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345567-890a-bcde-f012-456789000000", // object 1
+ "12345567-890a-bcde-f012-456789000001" // object 2
+ ]
+ }
+ ]
+ },
+ {
+ "name":"child2",
+ "displayName": "anotherName",
+ "parentId":"tst1",
+ "parentNotManagedInThisTemplate": false
+ },
+ {
+ "name":"nephew1",
+ "parentId":"child1",
+ "parentNotManagedInThisTemplate": false
+ }
+ ]
+}
+
+```
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `name` | string | | | Mandatory. The ID of the Management group |
+| `parentId` | string | | A MG name | Mandatory. The template will concatenate `/providers/Microsoft.Management/managementGroups/` to create the resource ID of the parent management group the deployed one is child of |
+| `displayName` | string | `name` | | Optional. The display name of the management group. If not specified, the id (name) will be used |
+| `parentNotManagedInThisTemplate` | bool | `false` | | Optional. `true` if the parent management group is existing and defined elsewhere, `false` if the parent MG is also managed in this template. This parameter is used to define the deployment sequence |
+| `roleAssignments` | array | | | Optional. Array of role assignment objects |
+
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+]
+```
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `roleDefinitionIdOrName` | string | | | Mandatory. The name or the ID of the role to assign to the management group |
+| `principalIds` | array | | | Mandatory. An array of principal IDs |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `managementGroupCount` | int | Number of management groups considered in the deployment |
+
+## Considerations
+
+This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access)
+
+> If owner access is excessive, the following rights roles will grant enough rights:
+> **Automation Job Operator** at **tenant** level (scope '/')
+> **Management Group Contributor** at the top management group that needs to be managed
+>
+>> Consider using the following script:
+>> `$PrincipalID = ""`
+>> `$TopMGID = ""`
+>> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"`
+>> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"`
+
+## Additional resources
+
+- [Management group](https://docs.microsoft.com/en-us/azure/governance/management-groups/)
+- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups)
\ No newline at end of file
diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json b/managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json
new file mode 100644
index 0000000000..c35b881481
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionAliasName": {
+ "value": "Sample-Subscription-01"
+ },
+ "displayName": {
+ "value": "Sample-Subscription-01"
+ },
+ "targetManagementGroupId": {
+ "value": "d2bdaa69-7c9c-467d-87b8-aba30eb8987a"
+ },
+ "billingScope": {
+ "value": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"
+ }, //,
+ // "billingScope": {
+ // "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX"
+ // }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "tags": {
+ "value": {
+ "costCenter": "1234",
+ "environment": "prod",
+ "contactinfo": "someone@company.com"
+ }
+ }
+ }
+}
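Review bot: The `//` comments in this `.json` parameter file, including the stray `}, //,` that closes `billingScope`, make it invalid for strict JSON parsers, so linters or pipeline steps that load the file outside an ARM-aware tool would fail. I would close the entry with a plain `},` and move the alternative `billingScope` format and the commented-out `roleAssignments` example into the module's readme. With `roleAssignments` commented out, the sample also never exercises the RBAC path of `deploy.json`, so a second parameter file with a least-privilege role such as `Reader` would make that path testable.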
diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json b/managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json
new file mode 100644
index 0000000000..0c250601db
--- /dev/null
+++ b/managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json
@@ -0,0 +1,549 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionAliasName": { + "type": "string", + "metadata": { + "description": "Required. Unique alias name. Unique and linking ID" + } + }, + "displayName": { + "type": "string", + "metadata": { + "description": "Required. Subscription display name." + } + }, + "targetManagementGroupId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Target management group where the subscription will be created." + } + }, + "billingScope": { + "type": "string", + "metadata": { + "description": "Required. The account to be invoiced for the subscription. e.g. '/providers/Microsoft.Billing/billingAccounts/12345678/enrollmentAccounts/123456" + } + }, + "workload": { + "type": "string", + "allowedValues": [ + "Production", + "DevTest" + ], + "defaultValue": "Production", + "metadata": { + "description": "Optional. Subscription workload." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the subscription." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionAliasName'))]", + "subDeploymentName": "[concat('Deploy-Sub', variables('unique'))]", + "tagDeploymentName": "[concat('Deploy-Tag', variables('unique'))]", + "rbacDeploymentName": "[concat('Deploy-RBAC', variables('unique'))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('subDeploymentName')]", + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "subscriptionAliasName": { + "value": "[parameters('subscriptionAliasName')]" + }, + "displayName": { + "value": "[parameters('displayName')]" + }, + "targetManagementGroupId": { + "value": "[parameters('targetManagementGroupId')]" + }, + "billingScope": { + "value": "[parameters('billingScope')]" + }, + "workload": { + "value": "[parameters('workload')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionAliasName": { + "type": "string" + }, + "displayName": { + "type": "string" + }, + "targetManagementGroupId": { + "type": "string" + }, + "billingScope": { + "type": "string" + }, + "workload": { + "type": "string" + } + }, + "resources": [ + { + "name": "[parameters('subscriptionAliasName')]", + "type": "Microsoft.Subscription/aliases", + "apiVersion": "2020-09-01", + "properties": { + "workload": "[parameters('workload')]", + "displayName": "[parameters('displayName')]", + "billingScope": "[parameters('billingScope')]", + "managementGroupId": 
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]" + } + } + ], + "outputs": { + "subscriptionId": { + "type": "string", + "value": "[reference(parameters('subscriptionAliasName')).subscriptionId]" + } + } + } + } + }, + { + "name": "[variables('tagDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[deployment().location]", + "condition": "[not(empty(parameters('tags')))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "subscriptionId": { + "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionId'))]", + "tagDeploymentName": "[concat('nestedTagDeploy-', variables('unique'))]" + }, + "resources": [ + { + "name": "[variables('tagDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "tags": { + "type": "object" + } + }, + "resources": [ + { + "name": "default", + "type": "Microsoft.Resources/tags", + 
"apiVersion": "2020-10-01", + "properties": { + "tags": "[parameters('tags')]" + } + } + ] + } + } + } + ] + } + } + }, + { + "name": "[variables('rbacDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[deployment().location]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "subscriptionId": { + "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string" + }, + "roleAssignments": { + "type": "array" + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionId'))]", + "rbacDeploymentName": "[concat('nestedRBACDeploy-', variables('unique'))]" + }, + "resources": [ + { + "name": "[variables('rbacDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignments": { + "type": "array" + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + 
"AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": 
"/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + 
"DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service 
Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services 
Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + 
"Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "name": "[concat('RbacDeplCopy-',uniqueString(subscription().subscriptionId),'-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[deployment().location]", + "dependsOn": [ + ], + "copy": { + "name": "subscriptionRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "subscriptionId": { + "value": "[subscription().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "subscriptionId": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + } + ] + } + } + } + ] + } + } + } + ], + "functions": [], + "outputs": { + "subscriptionId": { + "type": "string", + "value": 
"[reference(variables('subDeploymentName')).outputs.subscriptionId.value]", + "metadata": { + "description": "The subscription Id of the created subscription." + } + }, + "tags": { + "type": "object", + "value": "[parameters('tags')]", + "metadata": { + "description": "The tags applied to the subscription." + } + }, + "roleAssignments": { + "type": "array", + "value": "[parameters('roleAssignments')]", + "metadata": { + "description": "Array of role assignment objects." + } + } + } +} diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/readme.md b/managementGroupTemplates/Microsoft.Subscription/aliases/readme.md new file mode 100644 index 0000000000..b17198bd91 --- /dev/null +++ b/managementGroupTemplates/Microsoft.Subscription/aliases/readme.md 
@@ -0,0 +1,164 @@ +# Subscription + +This template will create a subscription based on the provided parameter. + +## Resource types + +| Resource Type | Api Version | +| :---------------------------------------- | :----------------- | +| `Microsoft.Resources/deployments` | 2019-10-01 | +| `Microsoft.Subscription/aliases` | 2020-09-01 | +| `Microsoft.Resources/tags` | 2020-10-01 | +| `Microsoft.Authorization/roleAssignments` | 2018-09-01-preview | + +### Resource dependency + +The following resources are required to be able to deploy this resource: + +- *None* + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------------ | :----- | :------------ | :------------------ | :------------------------------------------------------------------------ | +| `subscriptionAliasName` | string | | | Required. Unique alias name. | +| `displayName` | string | | | Required. Subscription display name. | +| `targetManagementGroupId` | string | "" | | Optional. Target management group where the subscription will be created. | +| `billingScope` | string | | | Required. The account to be invoiced for the subscription. | +| `workload` | string | Production | Production, DevTest | Optional. Subscription workload. | +| `tags` | object | [] | | Optional. Tags of the storage account resource. | +| `roleAssignments` | array | [] | | Optional. Array of role assignment objects. | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + // Built-in Role Definition, referenced by Name + { + "roleDefinitionIdOrName": "Owner", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Built-in Role Definition, referenced by ID + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Custom Role Definition on Subscription scope + { + "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Custom Role Definition on Resource Group scope + { + "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :---------------- | :----- | :----------------------------------------------- | +| `subscriptionId` | string | The subscription Id of the created subscription. | +| `tags` | object | The tags applied to the subscription. | +| `roleAssignments` | array | Array of role assignment objects. 
| + +## Prerequisites + +In order to create a subscription via code, the following pre-requisites are necessary: + +- the used enrollment account in the billing scope is active and created at least one subscription manually +- A single SPN used for the template deployment with permissions to both: + - the billing scope of the EA enrollment account. + - deployments on the tenant scope and management group where the subscription will be provisioned. + +### Permissions to create subscriptions + +Refer to the [Enterprise-Scale - Enabling subscription creation](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md) guide on how to setup permissions. If this does not align with your scenario, please refer to the [official documentation on creating subscriptions using the API](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview). +If you cannot find the billingID or enrollmentID using the mentioned guides, find them using the Azure portal under the 'Cost + Billing' blade. Expected format is 5-10 digits for each of the values. + +### Permissions to deploy Azure Resource in tenant + +The subscription module is deployed on the **Tenant scope**. Providing the [required permissions](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) is not supported in the portal. +To run the commands listed here you need `User Access Administrator` or `Owner` on the tenant scope (also refered to root or '/') . Follow the [official documentation for how to elevate your permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin) to this level. + +#### Quick setup + +Using a quick setup we assign `Owner` on the root, allowing for all other activities within the Azure tenant. 
Quick setup is not recommended in production, as it breaks with principle of least privilege and would potentially scope permissions wider than applicable for your scenario. +Use quick setup for 'Minimal Viable Product' (MVP) configurations, PoC setups or test environments. + +To assign `Owner` role on root to the SPN, execute the following commands: + +```powershell +$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" +New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Owner" +``` + +> Note! +> +> Remember to [remove your elevated access](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#remove-elevated-access) after assigning the permissions on the entity that requires the permissions on root. + +#### Least-privilege approach + +If `Owner` permission is too excessive, provide least privilege permissions to the entity used for deploying subscriptions. +As [custom roles are not supported on the root level](https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-limits), a built-in role is required. +The build-in role with the least privilege to perform the `Microsoft.Resources/deployments/*` actions is `Automation Job Operator`. + +To assign `Automation Job Operator` role on root to the SPN, execute the following commands: + +```powershell +$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" +New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Automation Job Operator" +``` + +A custom role can be created for with following permissions on a management group when using the template by providing the `targetManagementGroup` parameter. Using this parameter will move the subscription to them management group. 
+ +- `Microsoft.Management/managementGroups/read` +- `Microsoft.Management/managementGroups/write` +- `Microsoft.Management/managementGroups/subscriptions/delete` +- `Microsoft.Management/managementGroups/subscriptions/write` + +Scope: `/providers/Microsoft.Management/managementGroups/` + +Consider adding more of the [`Microsoft.Management`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmanagement) and [`Microsoft.Subscription`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsubscription) operations to the custom role as needed. + +## Additional resources + +- [Use tags to organize your Azure resources | Microsoft Docs](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Aliases | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Subscription/2020-09-01/aliases) +- [Programmatically create Azure subscriptions with preview APIs | Microsoft Docs](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview) +- [Enable subscription creation to a service principal | GitHub](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md) diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json b/managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json new file mode 100644 index 0000000000..b5a60c59f2 --- /dev/null +++ b/managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json 
@@ -0,0 +1,90 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionAliasName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Unique alias name."
+ }
+ },
+ "displayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Subscription display name."
+ }
+ },
+ "targetManagementGroupId": {
+ "type": "string",
+ "metadata": {
+ "details": "Optional. Target management group where the subscription will be created."
+ }
+ },
+ "billingScope": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The account to be invoiced for the subscription."
+ }
+ },
+ "workLoad": {
+ "type": "string",
+ "defaultValue": "Production",
+ "metadata": {
+ "description": "Optional. Subscription workload."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Location is required for DeploymentTemplate."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat('subscription-',deployment().name)]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "outer" // default
+ },
+ "mode": "Incremental", // default
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "variables": {},
+ "resources": [
+ {
+ "name": "[parameters('subscriptionAliasName')]",
+ "type": "Microsoft.Subscription/aliases",
+ "apiVersion": "2020-09-01",
+ "properties": {
+ "workLoad": "[parameters('workLoad')]",
+ "displayName": "[parameters('displayName')]",
+ "billingScope": "[parameters('billingScope')]",
+ "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]"
+ },
+ "dependsOn": [],
+ "tags": {}
+ }
+ ],
+ "outputs": {
+ "subscriptionId": {
+ "type": "string",
+ "value": "[replace(reference(parameters('subscriptionAliasName')).subscriptionId, 'invalidrandom/', '')]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "messageFromLinkedTemplate": {
+ "type": "string",
+ "value": "[reference('subscription-',deployment().name).outputs.subscriptionId.value]"
+ }
+ }
+}
diff --git a/KeyVault/nested_name_location_KeyVault_PrivateEndpoints.bicep b/resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep
similarity index 100%
rename from KeyVault/nested_name_location_KeyVault_PrivateEndpoints.bicep
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep
diff --git a/KeyVault/nested_rbac_name.bicep b/resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep
similarity index 100%
rename from KeyVault/nested_rbac_name.bicep
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep
diff --git a/KeyVault/deploy.bicep b/resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.bicep
similarity index 100%
rename from KeyVault/deploy.bicep
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.bicep
diff --git a/KeyVault/deploy.json b/resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.json
similarity index 100%
rename from KeyVault/deploy.json
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.json
diff --git a/KeyVault/parameters.json b/resourceGroupTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json
similarity index 100%
rename from KeyVault/parameters.json
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json
diff --git a/KeyVault/readme.md b/resourceGroupTemplates/Microsoft.KeyVault/vaults/readme.md
similarity index 100%
rename from KeyVault/readme.md
rename to resourceGroupTemplates/Microsoft.KeyVault/vaults/readme.md
diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json new file mode 100644 index 0000000000..bcb6fb5f88 --- /dev/null +++ b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json 
@@ -0,0 +1,1268 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logAnalyticsWorkspaceName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Log Analytics workspace" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "serviceTier": { + "type": "string", + "defaultValue": "PerGB2018", + "allowedValues": [ + "Free", + "Standalone", + "PerNode", + "PerGB2018" + ], + "metadata": { + "description": "Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode" + } + }, + "solutions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. LAW solutions from the gallery." + } + }, + "dataRetention": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 730, + "metadata": { + "description": "Required. Number of days data will be retained for" + } + }, + "dailyQuotaGb": { + "type": "int", + "defaultValue": -1, + "minValue": -1, + "metadata": { + "description": "Optional. The workspace daily quota for ingestion." + } + }, + "publicNetworkAccessForIngestion": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Log Analytics ingestion." + } + }, + "publicNetworkAccessForQuery": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Log Analytics query." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Log Analytics workspace resource identifier" + } + }, + "activityLogAdditionalSubscriptionIDs": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from." + } + }, + "automationAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account." + } + }, + "useResourcePermissions": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock storage from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticStorageAccountName": "[if(not(empty(parameters('diagnosticStorageAccountId'))), split(parameters('diagnosticStorageAccountId'), '/')[8], 'placeholder')]", + "logAnalyticsSearchVersion": 1, + "builtInRoleNames": { + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": 
"/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "name": "[parameters('logAnalyticsWorkspaceName')]", + "tags": "[parameters('tags')]", + "properties": { + "features": { + "searchVersion": "[variables('logAnalyticsSearchVersion')]", + "enableLogAccessUsingOnlyResourcePermissions": "[parameters('useResourcePermissions')]" + }, + "sku": { + "name": "[parameters('serviceTier')]" + }, + "retentionInDays": "[parameters('dataRetention')]", + "workspaceCapping": { + 
"dailyQuotaGb": "[parameters('dailyQuotaGb')]" + }, + "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", + "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]" + }, + "resources": [ + { + "apiVersion": "2020-03-01-preview", + "name": "VMSSQueries", + "type": "savedSearches", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "etag": "*", + "DisplayName": "VMSS Instance Count", + "Category": "VDC Saved Searches", + "Query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer" + } + }, + { + "apiVersion": "2020-03-01-preview", + "name": "AzureFirewallThreatDeny", + "type": "savedSearches", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "etag": "*", + "DisplayName": "Azure Threat Deny", + "Category": "VDC Saved Searches", + "Query": "AzureDiagnostics | where ResourceType == 'AZUREFIREWALLS' and msg_s contains 'Deny'" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "kind": "AzureActivityLog", + "name": "[subscription().subscriptionId]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "applicationEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsEvent", + "properties": { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } 
+ }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "systemEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsEvent", + "properties": { + "eventLogName": "System", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Processor Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter2", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Privileged Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter3", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% User Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter4", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": 
"Processor Frequency" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter5", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Thread Count" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter6", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Handle Count" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter7", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "System Up Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter8", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Context Switches/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter9", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor 
Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter10", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter11", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Committed Bytes In Use" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter12", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available MBytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter13", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter14", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Committed 
Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter15", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Cache Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter16", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Paged Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter17", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Nonpaged Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter18", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pages/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter19", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Page Faults/sec" + } + }, + { 
+ "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter20", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter21", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set - Private" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter22", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter23", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Read Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter24", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Write Time" + } + }, 
+ { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter25", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Idle Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter26", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter27", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Read Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter28", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Write Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter29", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk 
Transfers/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter30", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Reads/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter31", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Writes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter32", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Transfer" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter33", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk sec/Read" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter34", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Write" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter35", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter36", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk Write Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter37", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Free Space" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter38", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Free Megabytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter39", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Bytes Total/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter40", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Bytes Sent/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter41", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + 
"intervalSeconds": 60, + "counterName": "Bytes Received/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter42", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter43", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Sent/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter44", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Received/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter45", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Outbound Errors" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter46", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + 
"objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Received Errors" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleIISLog1", + "condition": false, + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "IISLogs", + "properties": { + "state": "OnPremiseEnabled" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleSyslog1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxSyslog", + "properties": { + "syslogName": "kern", + "syslogSeverities": [ + { + "severity": "emerg" + }, + { + "severity": "alert" + }, + { + "severity": "crit" + }, + { + "severity": "err" + }, + { + "severity": "warning" + } + ] + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleSyslogCollection1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxSyslogCollection", + "properties": { + "state": "Enabled" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleLinuxPerf1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxPerformanceObject", + "properties": { + "performanceCounters": [ + { + "counterName": "% Used Inodes" + }, + { + "counterName": "Free Megabytes" + }, + { + "counterName": "% Used Space" + }, + { + "counterName": "Disk Transfers/sec" + }, + { + "counterName": "Disk Reads/sec" + }, + { + "counterName": "Disk Writes/sec" + } + ], + "objectName": "Logical Disk", + "instanceName": "*", + "intervalSeconds": 10 + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleLinuxPerfCollection1", + 
"dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxPerformanceCollection", + "properties": { + "state": "Enabled" + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/datasources", + "apiVersion": "2020-03-01-preview", + "location": "[parameters('location')]", + "kind": "AzureActivityLog", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', if(empty(parameters('activityLogAdditionalSubscriptionIDs')),'placeholder',parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()]))]", + "copy": { + "name": "subscriptionCopy", + "count": "[length(parameters('activityLogAdditionalSubscriptionIDs'))]" + }, + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "linkedResourceId": "[concat('/subscriptions/', parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()], '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', variables('diagnosticStorageAccountName'))]", + "condition": "[not(empty(parameters('diagnosticStorageAccountId')))]", + "type": "Microsoft.OperationalInsights/workspaces/storageinsightconfigs", + "apiVersion": "2020-03-01-preview", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "containers": [ + ], + "tables": [ + "WADWindowsEventLogsTable", + "WADETWEventTable", + "WADServiceFabric*EventTable", + "LinuxsyslogVer2v0" + ], + "storageAccount": { + "id": "[parameters('diagnosticStorageAccountId')]", + "key": "[if(empty(parameters('diagnosticStorageAccountId')), '', listKeys(parameters('diagnosticStorageAccountId'), '2016-12-01').keys[0].value)]" + } + } + }, + { + "condition": "[not(empty(parameters('solutions')))]", + "type": "Microsoft.OperationsManagement/solutions", + 
"apiVersion": "2015-11-01-preview", + "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "copy": { + "name": "solutionCopy", + "count": "[if(greater(length(parameters('solutions')),0),length(parameters('solutions')), 1)]", + "mode": "Serial" + }, + "properties": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + }, + "plan": { + "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]", + "product": "[if(empty(parameters('solutions')),'dummy',concat('OMSGallery/', parameters('solutions')[copyIndex()]))]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/linkedServices", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/' , 'Automation')]", + "apiVersion": "2020-03-01-preview", + "condition": "[not(empty(parameters('automationAccountId')))]", + "location": "[parameters('location')]", + "properties": { + "resourceId": "[parameters('automationAccountId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]", + "dependsOn": [ + "[parameters('logAnalyticsWorkspaceName')]" + ], + "comments": "Resource lock on Log Analytics", + "properties": { + "level": "CannotDelete" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": 
"[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('logAnalyticsWorkspaceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[parameters('logAnalyticsWorkspaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "logAnalyticsWorkspaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('logAnalyticsWorkspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "logAnalyticsResourceId": { + "type": "string", + "value": 
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", + "metadata": { + "description": "The Resource Id of the Log Analytics workspace deployed." + } + }, + "logAnalyticsResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group log analytics was deployed to." + } + }, + "logAnalyticsName": { + "type": "string", + "value": "[parameters('logAnalyticsWorkspaceName')]", + "metadata": { + "description": "The Name of the Log Analytics workspace deployed." + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').customerId]", + "metadata": { + "description": "The Workspace Id for Log Analytics." + } + }, + "logAnalyticsPrimarySharedKey": { + "type": "securestring", + "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').primarySharedKey]", + "metadata": { + "description": "The Primary Shared Key for Log Analytics." + } + } + } +} diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json new file mode 100644 index 0000000000..98d193129e --- /dev/null +++ b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json 
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logAnalyticsWorkspaceName": {
+ "value": "test-az-la-weu-x-001"
+ },
+ "publicNetworkAccessForIngestion": {
+ "value": "Disabled"
+ },
+ "publicNetworkAccessForQuery": {
+ "value": "Disabled"
+ },
+ "dailyQuotaGb": {
+ "value": 10
+ },
+ // "solutions": {
+ // "value": [
+ // "Updates",
+ // "AzureAutomation",
+ // "AntiMalware",
+ // "SQLAssessment",
+ // "Security",
+ // "SecurityCenterFree",
+ // "ChangeTracking",
+ // "KeyVaultAnalytics",
+ // "AzureSQLAnalytics",
+ // "ServiceMap",
+ // "AgentHealthAssessment",
+ // "AlertManagement",
+ // "AzureActivity",
+ // "AzureAppGatewayAnalytics",
+ // "AzureCdnCoreAnalytics",
+ // "AzureDataFactoryAnalytics",
+ // "AzureNSGAnalytics",
+ // "Containers",
+ // "InfrastructureInsights",
+ // "LogicAppsManagement",
+ // "NetworkMonitoring",
+ // "ServiceFabric",
+ // "VMInsights",
+ // "WaaSUpdateInsights",
+ // "WireData2"
+ // ]
+ // },
+ "useResourcePermissions": {
+ "value": true
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md
new file mode 100644
index 0000000000..85db3b3a67
--- /dev/null
+++ b/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md
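Review bot: The commented-out `// "solutions"` and `// "roleAssignments"` blocks in `workspaces/parameters/parameters.json`, including the trailing `// object 1` and `// object 2` remarks, are comments in a `.json` file, which a strict JSON parser rejects. Whether every tool that reads this file accepts JSON-with-comments cannot be seen from this hunk. The module's readme in this same patch already documents both parameters with full examples, so the commented blocks can be deleted and the file kept as plain JSON. If they are kept as a reminder, note that the sample role `"Desktop Virtualization User"` looks carried over from another module; a role meant for workspace access would be a less misleading example to uncomment on a Log Analytics workspace.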
@@ -0,0 +1,140 @@ +# LogAnalytics + +This template deploys Log Analytics. + +## Resource types + +|ResourceType|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.OperationalInsights/workspaces`|2017-03-15-preview| +|`Microsoft.OperationalInsights/workspaces/datasources`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/storageinsightconfigs`|2015-03-20| +|`Microsoft.OperationsManagement/solutions`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/linkedServices`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/providers/locks`|2016-09-01| +|`savedSearches`|2017-03-15-preview| +|`datasources`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `activityLogAdditionalSubscriptionIDs` | array | Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from. | System.Object[] | | +| `automationAccountId` | string | Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `dataRetention` | int | Required. Number of days data will be retained for | 365 | | +| `dailyQuotaGb` | int | Optional. The workspace daily quota for ingestion. | -1 (i.e. no quota) | | +| `publicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Log Analytics ingestion. | Enabled | Enabled, Disabled | +| `publicNetworkAccessForQuery` | string | Optional. 
The network access type for accessing Log Analytics query. | Enabled | Enabled, Disabled | +| `diagnosticStorageAccountId` | string | Optional. Log Analytics workspace resource identifier | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | | +| `logAnalyticsWorkspaceName` | string | Required. Name of the Log Analytics workspace | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `serviceTier` | string | Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode | PerGB2018 | System.Object[] | +| `solutions` | array | Optional. LAW solutions from the gallery. | [] | "Updates", "AzureAutomation", ... (see below) | +| `tags` | object | Optional. Tags of the resource. | | | +| `useResourcePermissions` | bool | Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. 
| False | true, false | + +### Parameter Usage: `solutions` + +```json +"solutions": { + "value": [ + "AgentHealthAssessment", + "AlertManagement", + "AntiMalware", + "AzureActivity", + //"AzureAppGatewayAnalytics", + "AzureAutomation", + "AzureCdnCoreAnalytics", + "AzureDataFactoryAnalytics", + "AzureNSGAnalytics", + "AzureSQLAnalytics", + "ChangeTracking", + "Containers", + "InfrastructureInsights", + "KeyVaultAnalytics", + "LogicAppsManagement", + "NetworkMonitoring", + "Security", + "SecurityCenterFree", + "ServiceFabric", + "ServiceMap", + "SQLAssessment", + "Updates", + "VMInsights", + "WireData2", + "WaaSUpdateInsights" + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `logAnalyticsPrimarySharedKey` | securestring | The Primary Shared Key for Log Analytics. | +| `logAnalyticsWorkspaceId` | string | The Workspace Id for Log Analytics. 
| +| `logAnalyticsName` | string | The Name of the Log Analytics workspace deployed. | +| `logAnalyticsResourceGroup` | string | The Resource Group log analytics was deployed to. | +| `logAnalyticsResourceId` | string | The Resource Id of the Log Analytics workspace deployed. | + +## Considerations + +*N/A* + +## Additional resources + +- [Microsoft.OperationalInsights workspaces template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2015-11-01-preview/workspaces) +- [Microsoft.OperationalManagement solutions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/2015-11-01-preview/solutions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Manage access to log data and workspaces in Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-access) diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json b/subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json new file mode 100644 index 0000000000..dc436aa017 --- /dev/null +++ b/subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json 
@@ -0,0 +1,344 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Resource Group"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[deployment().location]",
+ "metadata": {
+ "description": "Optional. Location of the Resource Group. It uses the deployment's location when not provided."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock storage from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the storage account resource."
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure 
Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", 
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-05-01", + "location": "[parameters('location')]", + "name": "[parameters('resourceGroupName')]", + "tags": "[parameters('tags')]", + "properties": { + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(parameters('resourceGroupName'), '-lock')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[parameters('lockForDeletion')]", + "dependsOn": [ + "[parameters('resourceGroupName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + }, + "resources": [ + { + "name": "resourceGroupDoNotDelete", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "comments": 
"Resource lock on Resource Group", + "properties": { + "level": "CanNotDelete" + } + } + ] + }, + "parameters": { + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[parameters('resourceGroupName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "resourceGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(guid(uniqueString(concat(parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": 
"[array(parameters('roleAssignment').principalIds)[copyIndex()]]",
+ "scope": "[concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'))]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "value": "[parameters('resourceGroupName')]",
+ "metadata": {
+ "description": "The name of the Resource Group"
+ }
+ },
+ "resourceGroupResourceId": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "metadata": {
+ "description": "The resource id of the Resource Group"
+ }
+ }
+ }
+}
diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json b/subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json
new file mode 100644
index 0000000000..3f901eb158
--- /dev/null
+++ b/subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "value": "sxx-az-rg-weu-x-002"
+ },
+ "lockForDeletion": {
+ "value": false
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "tags": {
+ "value": {
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md b/subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md
new file mode 100644
index 0000000000..0477ec6d5e
--- /dev/null
+++ b/subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md
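Review bot: The commented-out `// "roleAssignments": {` block in `resourceGroups/parameters/parameters.json` (added lines 11–21 of that hunk) makes the file invalid as strict JSON, so any consumer that does not use a comment-tolerant parser — for example a JSON lint step or a script that loads the parameters before deployment — will reject it, even where the ARM deployment tooling itself accepts `//` comments. The same usage example is already given in the module's readme.md under "Parameter Usage: `roleAssignments`", so I would drop the commented block here and leave only `resourceGroupName`, `lockForDeletion` and `tags`. If the example is meant to stay next to the parameters, a separate sample file that is not consumed by the pipeline would keep this one parseable.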
@@ -0,0 +1,88 @@
+# Resource Group
+
+This module deploys Resource Groups.
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/resourceGroups`|2018-05-01|
+|`Microsoft.Resources/deployments`|2018-05-01|
+|`Microsoft.Authorization/locks`|2016-09-01|
+|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `location` | string | Optional. Location of the Resource Group. It uses the deployment's location when not provided. | [deployment().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | |
+| `resourceGroupName` | string | Required. The name of the Resource Group | | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the storage account resource.
| | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `resourceGroupName` | string | The name of the Resource Group |
+| `resourceGroupResourceId` | string | The resource id of the Resource Group |
+
+### Scripts
+
+- There is no Scripts for this Module
+
+## Considerations
+
+- There is no deployment considerations for this Module
+
+## Additional resources
+
+- [Microsoft Resource Group template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-05-01/resourcegroups)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
From 308d0c4a54d92349d343e4c757bfbef747b8c08e Mon Sep 17 00:00:00 2001
From: IaCS solution Date: Wed, 25 Aug 2021 17:16:20 +0200 Subject: [PATCH 2/7] Removed level --- .../Microsoft.Authorization/policyAssignments/deploy.json | 0 .../policyAssignments/parameters/allowedLocations.parameters.json | 0 .../parameters/listOfAllowedSKUs.parameters.json | 0 .../policyAssignments/parameters/parameters.json | 0 .../Microsoft.Authorization/policyAssignments/readme.md | 0 .../roleAssignments/Parameters/parameters.json | 0 .../Microsoft.Authorization/roleAssignments/deploy.json | 0 .../Microsoft.Authorization/roleAssignments/readme.md | 0 .../roleDefinitions/Parameters/parameters.json | 0 .../Microsoft.Authorization/roleDefinitions/deploy.json | 0 .../Microsoft.Authorization/roleDefinitions/readme.md | 0 .../.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep | 0 .../Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep | 0 .../Microsoft.KeyVault/vaults/deploy.bicep | 0 .../Microsoft.KeyVault/vaults/deploy.json | 0 .../Microsoft.KeyVault/vaults/parameters/parameters.json | 0 .../Microsoft.KeyVault/vaults/readme.md | 0 .../Microsoft.Management/managementGroups/deploy.json | 0 .../managementGroups/parameters/parameters.json | 0 .../Microsoft.Management/managementGroups/readme.md | 0 .../Microsoft.OperationalInsights/workspaces/deploy.json | 0 .../workspaces/parameters/parameters.json | 0 .../Microsoft.OperationalInsights/workspaces/readme.md | 0 .../Microsoft.Resources/resourceGroups/deploy.json | 0 .../Microsoft.Resources/resourceGroups/parameters/parameters.json | 0 .../Microsoft.Resources/resourceGroups/readme.md | 0 .../Microsoft.Subscription/aliases/Parameters/parameters.json | 0 .../Microsoft.Subscription/aliases/deploy.json | 0 .../Microsoft.Subscription/aliases/readme.md | 0 .../Microsoft.Subscription/aliases/rg-deploy.json | 0 30 files changed, 0 insertions(+), 0 deletions(-) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/policyAssignments/deploy.json (100%) rename {managementGroupTemplates => 
nativeTemplates}/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/policyAssignments/parameters/parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/policyAssignments/readme.md (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleAssignments/Parameters/parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleAssignments/deploy.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleAssignments/readme.md (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleDefinitions/deploy.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Authorization/roleDefinitions/readme.md (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/deploy.bicep (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/deploy.json (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/parameters/parameters.json (100%) rename {resourceGroupTemplates => nativeTemplates}/Microsoft.KeyVault/vaults/readme.md (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Management/managementGroups/deploy.json (100%) rename {managementGroupTemplates => 
nativeTemplates}/Microsoft.Management/managementGroups/parameters/parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Management/managementGroups/readme.md (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.OperationalInsights/workspaces/deploy.json (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.OperationalInsights/workspaces/parameters/parameters.json (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.OperationalInsights/workspaces/readme.md (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.Resources/resourceGroups/deploy.json (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.Resources/resourceGroups/parameters/parameters.json (100%) rename {subscriptionTemplates => nativeTemplates}/Microsoft.Resources/resourceGroups/readme.md (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Subscription/aliases/Parameters/parameters.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Subscription/aliases/deploy.json (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Subscription/aliases/readme.md (100%) rename {managementGroupTemplates => nativeTemplates}/Microsoft.Subscription/aliases/rg-deploy.json (100%) diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/policyAssignments/deploy.json rename to nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json 
diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json rename to nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json rename to nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json rename to nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json diff --git a/managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md b/nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/policyAssignments/readme.md rename to nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md 
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json rename to nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json b/nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleAssignments/deploy.json rename to nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json diff --git a/managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md b/nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleAssignments/readme.md rename to nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json rename to nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json b/nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleDefinitions/deploy.json rename to nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json 
diff --git a/managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md b/nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md similarity index 100% rename from managementGroupTemplates/Microsoft.Authorization/roleDefinitions/readme.md rename to nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep rename to nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep rename to nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.bicep rename to nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.json b/nativeTemplates/Microsoft.KeyVault/vaults/deploy.json similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/deploy.json rename to nativeTemplates/Microsoft.KeyVault/vaults/deploy.json 
diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json b/nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json rename to nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json diff --git a/resourceGroupTemplates/Microsoft.KeyVault/vaults/readme.md b/nativeTemplates/Microsoft.KeyVault/vaults/readme.md similarity index 100% rename from resourceGroupTemplates/Microsoft.KeyVault/vaults/readme.md rename to nativeTemplates/Microsoft.KeyVault/vaults/readme.md diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json b/nativeTemplates/Microsoft.Management/managementGroups/deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Management/managementGroups/deploy.json rename to nativeTemplates/Microsoft.Management/managementGroups/deploy.json diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json b/nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Management/managementGroups/parameters/parameters.json rename to nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json diff --git a/managementGroupTemplates/Microsoft.Management/managementGroups/readme.md b/nativeTemplates/Microsoft.Management/managementGroups/readme.md similarity index 100% rename from managementGroupTemplates/Microsoft.Management/managementGroups/readme.md rename to nativeTemplates/Microsoft.Management/managementGroups/readme.md 
diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json b/nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json similarity index 100% rename from subscriptionTemplates/Microsoft.OperationalInsights/workspaces/deploy.json rename to nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json b/nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json similarity index 100% rename from subscriptionTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json rename to nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json diff --git a/subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md b/nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md similarity index 100% rename from subscriptionTemplates/Microsoft.OperationalInsights/workspaces/readme.md rename to nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json b/nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json similarity index 100% rename from subscriptionTemplates/Microsoft.Resources/resourceGroups/deploy.json rename to nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json b/nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json similarity index 100% rename from subscriptionTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json rename to nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json 
diff --git a/subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md b/nativeTemplates/Microsoft.Resources/resourceGroups/readme.md similarity index 100% rename from subscriptionTemplates/Microsoft.Resources/resourceGroups/readme.md rename to nativeTemplates/Microsoft.Resources/resourceGroups/readme.md diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json b/nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json similarity index 100% rename from managementGroupTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json rename to nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json b/nativeTemplates/Microsoft.Subscription/aliases/deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Subscription/aliases/deploy.json rename to nativeTemplates/Microsoft.Subscription/aliases/deploy.json diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/readme.md b/nativeTemplates/Microsoft.Subscription/aliases/readme.md similarity index 100% rename from managementGroupTemplates/Microsoft.Subscription/aliases/readme.md rename to nativeTemplates/Microsoft.Subscription/aliases/readme.md diff --git a/managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json b/nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json similarity index 100% rename from managementGroupTemplates/Microsoft.Subscription/aliases/rg-deploy.json rename to nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json From 72a18db6e8d525ffc4e25e3754926cff480a5f4a Mon Sep 17 00:00:00 2001 From: IaCS solution Date: Wed, 25 Aug 2021 17:38:17 +0200 Subject: [PATCH 3/7] upadted linter --- .github/workflows/linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 5f836115ea..3e30583cef 100644 
--- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -11,8 +11,8 @@ jobs: uses: actions/checkout@v2 - name: Lint Code Base - # uses: github/super-linter:latest - uses: docker://ghcr.io/github/super-linter:slim-v4 + uses: github/super-linter:latest + # uses: docker://ghcr.io/github/super-linter:slim-v4 env: VALIDATE_ALL_CODEBASE: false VALIDATE_MARKDOWN: false From 45693255f004fedf67ebc66217a7a6aec445b23e Mon Sep 17 00:00:00 2001 
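Review bot: The added `uses: github/super-linter:latest` in the "Lint Code Base" step is not a reference form GitHub Actions accepts as far as I know — an action is referenced as `owner/repo@ref` and a container image needs the `docker://` prefix — so this step will most likely fail to resolve. Independently of the syntax, `latest` is a mutable tag, which means the code that runs in this workflow can change without any commit in this repository, whereas the line being replaced was at least pinned to `slim-v4`. I would keep the step pinned, e.g. `uses: github/super-linter/slim@v4`, or preferably a full commit SHA with the version in a trailing comment, `uses: github/super-linter/slim@<full-commit-sha> # v4`, and delete the commented-out alternative rather than toggling between the two. The `jobs:` block starts and continues outside this hunk.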
From: IaCS solution Date: Thu, 26 Aug 2021 00:25:07 +0200 Subject: [PATCH 4/7] Added remaining modules --- OpenSystemsNVA/deploy.json | 649 +++++++++ OpenSystemsNVA/parameters/parameters.json | 6 + OpenSystemsNVA/readme.md | 102 ++ .../policyAssignments/deploy.json | 155 -- .../allowedLocations.parameters.json | 25 - .../listOfAllowedSKUs.parameters.json | 25 - .../parameters/parameters.json | 28 - .../policyAssignments/readme.md | 36 - .../Parameters/parameters.json | 54 - .../roleAssignments/deploy.json | 432 ------ .../roleAssignments/readme.md | 68 - .../Parameters/parameters.json | 37 - .../roleDefinitions/deploy.json | 238 ---- .../roleDefinitions/readme.md | 43 - ...e_location_KeyVault_PrivateEndpoints.bicep | 52 - .../vaults/.bicep/nested_rbac_name.bicep | 12 - .../Microsoft.KeyVault/vaults/deploy.bicep | 277 ---- .../Microsoft.KeyVault/vaults/deploy.json | 611 -------- .../vaults/parameters/parameters.json | 68 - .../Microsoft.KeyVault/vaults/readme.md | 245 ---- .../managementGroups/deploy.json | 427 ------ .../parameters/parameters.json | 29 - .../managementGroups/readme.md | 128 -- .../workspaces/deploy.json | 1268 ----------------- .../workspaces/parameters/parameters.json | 61 - .../workspaces/readme.md | 140 -- .../resourceGroups/deploy.json | 344 ----- .../resourceGroups/parameters/parameters.json | 27 - .../resourceGroups/readme.md | 88 -- .../aliases/Parameters/parameters.json | 39 - .../aliases/deploy.json | 549 ------- .../Microsoft.Subscription/aliases/readme.md | 164 --- .../aliases/rg-deploy.json | 90 -- 33 files changed, 757 insertions(+), 5760 deletions(-) create mode 100644 OpenSystemsNVA/deploy.json create mode 100644 OpenSystemsNVA/parameters/parameters.json create mode 100644 OpenSystemsNVA/readme.md delete mode 100644 nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json delete mode 100644 nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json delete mode 100644 
nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json delete mode 100644 nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md delete mode 100644 nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json delete mode 100644 nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md delete mode 100644 nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json delete mode 100644 nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/deploy.json delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.KeyVault/vaults/readme.md delete mode 100644 nativeTemplates/Microsoft.Management/managementGroups/deploy.json delete mode 100644 nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Management/managementGroups/readme.md delete mode 100644 nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json delete mode 100644 nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md delete mode 100644 nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json delete mode 
100644 nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Resources/resourceGroups/readme.md delete mode 100644 nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json delete mode 100644 nativeTemplates/Microsoft.Subscription/aliases/deploy.json delete mode 100644 nativeTemplates/Microsoft.Subscription/aliases/readme.md delete mode 100644 nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json diff --git a/OpenSystemsNVA/deploy.json b/OpenSystemsNVA/deploy.json new file mode 100644 index 0000000000..63aec5045e --- /dev/null +++ b/OpenSystemsNVA/deploy.json 
@@ -0,0 +1,649 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmSize": { + "type": "string", + "defaultValue": "Standard_D8s_v3", + "metadata": { + "description": "Required. Size of VM." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "osImage": { + "type": "string", + "defaultValue": "/subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Compute/images/sxx-az-img-weu-x-002", + "metadata": { + "description": "Required. OS Image for VM." + } + }, + "vnetId": { + "type": "string", + "defaultValue": "/subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002", + "metadata": { + "description": "Required. Virtual Network resource ID." + } }, + "eth0SubnetName": { + "type": "string", + "defaultValue": "sxx-az-subnet-weu-x-001", + "metadata": { + "description": "Required. External Subnet for interface eth0" + } + }, + "eth1SubnetName": { + "type": "string", + "defaultValue": "sxx-az-subnet-weu-x-002", + "metadata": { + "description": "Required. Internal Subnet for interface eth1" + } + }, + "eth2SubnetName": { + "type": "string", + "defaultValue": "sxx-az-subnet-weu-x-003", + "metadata": { + "description": "Required. External Subnet for interface eth2" + } + }, + "eth3SubnetName": { + "type": "string", + "defaultValue": "sxx-az-subnet-weu-x-004", + "metadata": { + "description": "Required. External Subnet for interface eth3" + } + }, + "vm1Eth0PrivateAddress": { + "type": "string", + "defaultValue": "10.0.0.6", + "metadata": { + "description": "Required. VM1 private address." 
+ } + }, + "vm1Eth1PrivateAddress": { + "type": "string", + "defaultValue": "10.0.1.6", + "metadata": { + "description": "Required. VM1 private address." + } + }, + "vm1Eth2PrivateAddress": { + "type": "string", + "defaultValue": "10.0.2.6", + "metadata": { + "description": "Required. VM1 private address." + } + }, + "vm1Eth3PrivateAddress": { + "type": "string", + "defaultValue": "10.0.3.6", + "metadata": { + "description": "Required. VM1 private address." + } + }, + "vm2Eth0PrivateAddress": { + "type": "string", + "defaultValue": "10.0.0.7", + "metadata": { + "description": "Required. VM2 private address." + } + }, + "vm2Eth1PrivateAddress": { + "type": "string", + "defaultValue": "10.0.1.7", + "metadata": { + "description": "Required. VM2 private address." + } + }, + "vm2Eth2PrivateAddress": { + "type": "string", + "defaultValue": "10.0.2.7", + "metadata": { + "description": "Required. VM2 private address." + } + }, + "vm2Eth3PrivateAddress": { + "type": "string", + "defaultValue": "10.0.3.7", + "metadata": { + "description": "Required. VM2 private address." + } + }, + "availabilitySetName": { + "type": "string", + "defaultValue": "AS-wind-sg000", + "metadata": { + "description": "Required. Availability Set Name." + } + }, + "vm1Name": { + "type": "string", + "defaultValue": "wind-sg000-azu-euw-1", + "metadata": { + "description": "Required. VM1 Name." + } + }, + "vm2Name": { + "type": "string", + "defaultValue": "wind-sg000-azu-euw-2", + "metadata": { + "description": "Required. VM2 Name." + } + } + }, + "variables": { + + "metadata": { "comment": "!!!!!!!!!!!!!!!!!!!! BEGIN OF CUSTOMIZATION !!!!!!!!!!!!!!!!!!!!!!!!!!!" 
}, + + "vm1Nic0Name": "[concat(parameters('vm1Name'), '-eth0')]", + "vm1Nic1Name": "[concat(parameters('vm1Name'), '-eth1')]", + "vm1Nic2Name": "[concat(parameters('vm1Name'), '-eth2')]", + "vm1Nic3Name": "[concat(parameters('vm1Name'), '-eth3')]", + "vm2Nic0Name": "[concat(parameters('vm2Name'), '-eth0')]", + "vm2Nic1Name": "[concat(parameters('vm2Name'), '-eth1')]", + "vm2Nic2Name": "[concat(parameters('vm2Name'), '-eth2')]", + "vm2Nic3Name": "[concat(parameters('vm2Name'), '-eth3')]", + "resourceGroupName": "resourceGroup().name", + "location": "[resourceGroup().location]", + "osType": "Linux", + "vm1PublicIPAddressName": "[concat(variables('vm1Nic0Name'), '-pub')]", + "vm1PublicIPAddressName2": "[concat(variables('vm1Nic2Name'), '-pub')]", + "vm1PublicIPAddressName3": "[concat(variables('vm1Nic3Name'), '-pub')]", + "vm2PublicIPAddressName": "[concat(variables('vm2Nic0Name'), '-pub')]", + "vm2PublicIPAddressName2": "[concat(variables('vm2Nic2Name'), '-pub')]", + "vm2PublicIPAddressName3": "[concat(variables('vm2Nic3Name'), '-pub')]", + "eth0SubnetId": "[concat(parameters('vnetId'), '/subnets/', parameters('eth0SubnetName'))]", + "eth1SubnetId": "[concat(parameters('vnetId'), '/subnets/', parameters('eth1SubnetName'))]", + "eth2SubnetId": "[concat(parameters('vnetId'), '/subnets/', parameters('eth2SubnetName'))]", + "eth3SubnetId": "[concat(parameters('vnetId'), '/subnets/', parameters('eth3SubnetName'))]", + + "metadata": { "comment": "!!!!!!!!!!!!!!!!!!!! END OF CUSTOMIZATION !!!!!!!!!!!!!!!!!!!!!!!!!!!" 
} + }, + "resources": [ + { + + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "apiVersion": "2019-12-01", + "type": "Microsoft.Compute/availabilitySets", + "sku": { + "name": "Aligned" + }, + "name": "[parameters('availabilitySetName')]", + "location": "[parameters('location')]", + "tags": {}, + "scale": null, + "properties": { + "platformUpdateDomainCount": 5, + "platformFaultDomainCount": 2 + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm1PublicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm1PublicIPAddressName2')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm1PublicIPAddressName3')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm2PublicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { 
+ "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm2PublicIPAddressName2')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('vm2PublicIPAddressName3')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "static", + "idleTimeoutInMinutes": 30 + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm1Nic0Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('vm1PublicIPAddressName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth0", + "properties": { + "primary": true, + "privateIPAddress": "[parameters('vm1Eth0PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm1PublicIPAddressName'))]" + }, + "subnet": { + "id": "[variables('eth0SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm1Nic1Name')]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth1", + "properties": { + "privateIPAddress": "[parameters('vm1Eth1PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[variables('eth1SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm1Nic2Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Network/publicIPAddresses', variables('vm1PublicIPAddressName2'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth2", + "properties": { + "privateIPAddress": "[parameters('vm1Eth2PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm1PublicIPAddressName2'))]" + }, + "subnet": { + "id": "[variables('eth2SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm1Nic3Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('vm1PublicIPAddressName3'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth3", + "properties": { + "privateIPAddress": "[parameters('vm1Eth3PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm1PublicIPAddressName3'))]" + }, + "subnet": { + "id": "[variables('eth3SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "apiVersion": "2019-12-01", + "type": "Microsoft.Compute/virtualMachines", + "identity": { + "type": "SystemAssigned" + }, + "name": "[parameters('vm1Name')]", + "location": "[parameters('location')]", + "scale": null, + "dependsOn": [ + "[resourceId('Microsoft.Compute/availabilitySets', parameters('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic0Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic2Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic3Name'))]" + ], + "properties": { + "osProfile": { + "computerName": "[parameters('vm1Name')]", + "adminUsername": 
"nouser", + "adminPassword": "this.Password.1s.never.used!!!" + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "storageProfile": { + "imageReference": { + "id": "[parameters('osImage')]" + }, + "osDisk": { + "osType": "[variables('osType')]", + "name": "[concat(parameters('vm1Name'),'-osDisk')]", + "createOption": "FromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + "dataDisks": [] + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic0Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic1Name'))]", + "properties": { + "primary": false + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic2Name'))]", + "properties": { + "primary": false + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm1Nic3Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', parameters('availabilitySetName'))]" + } + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm2Nic0Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('vm2PublicIPAddressName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth0", + "properties": { + "primary": true, + "privateIPAddress": "[parameters('vm2Eth0PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm2PublicIPAddressName'))]" + }, + "subnet": { + "id": "[variables('eth0SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": 
"2020-08-01", + "name": "[variables('vm2Nic1Name')]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth1", + "properties": { + "privateIPAddress": "[parameters('vm2Eth1PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[variables('eth1SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm2Nic2Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('vm2PublicIPAddressName2'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth2", + "properties": { + "privateIPAddress": "[parameters('vm2Eth2PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm2PublicIPAddressName2'))]" + }, + "subnet": { + "id": "[variables('eth2SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "name": "[variables('vm2Nic3Name')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('vm2PublicIPAddressName3'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ip-eth3", + "properties": { + "privateIPAddress": "[parameters('vm2Eth3PrivateAddress')]", + "privateIPAllocationMethod": "Static", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('vm2PublicIPAddressName3'))]" + }, + "subnet": { + "id": "[variables('eth3SubnetId')]" + } + } + } + ], + "enableIPForwarding": true + } + }, + { + "apiVersion": "2019-12-01", + "type": "Microsoft.Compute/virtualMachines", + "identity": { + "type": "SystemAssigned" + }, + "name": "[parameters('vm2Name')]", + "location": 
"[parameters('location')]", + "scale": null, + "dependsOn": [ + "[resourceId('Microsoft.Compute/availabilitySets', parameters('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic0Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic2Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic3Name'))]" + ], + "properties": { + "osProfile": { + "computerName": "[parameters('vm2Name')]", + "adminUsername": "nouser", + "adminPassword": "this.Password.1s.never.used!!!" + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "storageProfile": { + "imageReference": { + "id": "[parameters('osImage')]" + }, + "osDisk": { + "osType": "[variables('osType')]", + "name": "[concat(parameters('vm2Name'),'-osDisk')]", + "createOption": "FromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + "dataDisks": [] + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic0Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic1Name'))]", + "properties": { + "primary": false + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic2Name'))]", + "properties": { + "primary": false + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vm2Nic3Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', parameters('availabilitySetName'))]" + } + } + } + ], + "functions": [], + "outputs": { + "vm1Name": { + "type": "string", + "value": "[parameters('vm1Name')]", + "metadata": { + "description": "The name of the VM." 
+ }
+ },
+ "vm1NameResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vm1Name'))]",
+ "metadata": {
+ "description": "The VM Resource ID."
+ }
+ },
+ "vm1NameResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group in which the resource is created."
+ }
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/OpenSystemsNVA/parameters/parameters.json b/OpenSystemsNVA/parameters/parameters.json
new file mode 100644
index 0000000000..fb2d7f1a97
--- /dev/null
+++ b/OpenSystemsNVA/parameters/parameters.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ }
+}
\ No newline at end of file
diff --git a/OpenSystemsNVA/readme.md b/OpenSystemsNVA/readme.md
new file mode 100644
index 0000000000..05a5defee7
--- /dev/null
+++ b/OpenSystemsNVA/readme.md
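Review bot: In OpenSystemsNVA/deploy.json both `Microsoft.Compute/virtualMachines` resources set `osProfile` to the literal `"adminUsername": "nouser"` plus a fixed `adminPassword` string, so every deployment of this template carries the same credential, committed in the template itself. The value suggests the image never uses it, but nothing in the hunk disables password logon, and each VM's NICs attach three static public IPs while referencing no network security group in this template (one may exist on the subnets, which are defined elsewhere). Since `osType` is `Linux`, I would drop `adminPassword` and set `linuxConfiguration.disablePasswordAuthentication` with a public key passed in as a parameter, as sketched below for vm1 (`adminSshPublicKey` is a placeholder name); if the image does require a password field, declare it as a `securestring` parameter with no default instead. The same change applies to the vm2 block.

```json
"osProfile": {
  "computerName": "[parameters('vm1Name')]",
  "adminUsername": "nouser",
  "linuxConfiguration": {
    "disablePasswordAuthentication": true,
    "ssh": {
      "publicKeys": [
        {
          "path": "/home/nouser/.ssh/authorized_keys",
          "keyData": "[parameters('adminSshPublicKey')]"
        }
      ]
    }
  }
},
```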
@@ -0,0 +1,102 @@ +# Opensystems NVA + +This module deploys an OpenSystems NVA from an Azure Image into an availability set. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Compute/availabilitySets`|2017-12-01| +|`Microsoft.Network/publicIPAddresses`|2020-08-01| +|`Microsoft.Network/networkInterfaces`|2020-08-01| +|`Microsoft.Compute/virtualMachines`|2017-12-01| +|`Microsoft.Resources/deployments`|2020-06-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `availabilitySetName` | string | Required. Availability Set Name. | AS-wind-sg000 | | +| `eth0SubnetName` | string | Required. External Subnet for interface eth0 | sxx-az-subnet-weu-x-001 | | +| `eth1SubnetName` | string | Required. Internal Subnet for interface eth1 | sxx-az-subnet-weu-x-002 | | +| `eth2SubnetName` | string | Required. External Subnet for interface eth2 | sxx-az-subnet-weu-x-003 | | +| `eth3SubnetName` | string | Required. External Subnet for interface eth3 | sxx-az-subnet-weu-x-004 | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `osImage` | string | Required. OS Image for VM. | /subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Compute/images/sxx-az-img-weu-x-002 | | +| `vm1Eth0PrivateAddress` | string | Required. VM1 private address. | 10.0.0.6 | | +| `vm1Eth1PrivateAddress` | string | Required. VM1 private address. | 10.0.1.6 | | +| `vm1Eth2PrivateAddress` | string | Required. VM1 private address. | 10.0.2.6 | | +| `vm1Eth3PrivateAddress` | string | Required. VM1 private address. | 10.0.3.6 | | +| `vm1Name` | string | Required. VM1 Name. | wind-sg000-azu-euw-1 | | +| `vm2Eth0PrivateAddress` | string | Required. VM2 private address. | 10.0.0.7 | | +| `vm2Eth1PrivateAddress` | string | Required. VM2 private address. | 10.0.1.7 | | +| `vm2Eth2PrivateAddress` | string | Required. VM2 private address. 
| 10.0.2.7 | | +| `vm2Eth3PrivateAddress` | string | Required. VM2 private address. | 10.0.3.7 | | +| `vm2Name` | string | Required. VM2 Name. | wind-sg000-azu-euw-2 | | +| `vmSize` | string | Required. Size of VM. | Standard_D8s_v3 | | +| `vnetId` | string | Required. Virtual Network resource ID. | /subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002 | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | + +### Resource Details + +| Resource Type | Resource Name | Resource Comment | +| --- | --- | --- | +| Microsoft.Compute/availabilitySets| [parameters('availabilitySetName')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm1PublicIPAddressName')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm1PublicIPAddressName2')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm1PublicIPAddressName3')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm2PublicIPAddressName')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm2PublicIPAddressName2')] | | +| Microsoft.Network/publicIPAddresses| [variables('vm2PublicIPAddressName3')] | | +| Microsoft.Network/networkInterfaces| [variables('vm1Nic0Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm1Nic1Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm1Nic2Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm1Nic3Name')] | | +| Microsoft.Compute/virtualMachines| [parameters('vm1Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm2Nic0Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm2Nic1Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm2Nic2Name')] | | +| Microsoft.Network/networkInterfaces| [variables('vm2Nic3Name')] | | +| Microsoft.Compute/virtualMachines| [parameters('vm2Name')] | | + +### Parameter Usage: `vNetId` + +```json +"vNetId": { + "value": 
"/subscriptions/00000000/resourceGroups/resourceGroup" +} +``` + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `vm1Name` | string | The name of the VM. | +| `vm1NameResourceGroup` | string | The Resource Group in which the resource is created. | +| `vm1NameResourceId` | string | The VM Resource ID. | + +## Considerations + +*N/A* + +## Additional resources + +- [AvAilAbilitySets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2017-12-01/availabilitySets) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/publicIPAddresses) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [VirtualMachines](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2017-12-01/virtualMachines) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- 
[NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [NetworkINterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-02-01/networkInterfaces) +- [VirtualMachines](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2017-12-01/virtualMachines) \ No newline at end of file diff --git a/nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json deleted file mode 100644 index 8435100be2..0000000000 --- a/nativeTemplates/Microsoft.Authorization/policyAssignments/deploy.json +++ /dev/null 
@@ -1,155 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyAssignmentName": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy assignment." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the name of the resource group where you want to assign the policy." - } - }, - "policyDefinitionID": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "policyAssignmentName": "[replace(parameters('policyAssignmentName'),' ','')]" - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Policy Assignment on Subscription scope - { - "name": "[concat(variables('policyAssignmentName'), '-subDeployment')]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "location": "[parameters('location')]", - "condition": "[empty(parameters('resourceGroupName'))]", - "dependsOn": [ - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "name": "[variables('policyAssignmentName')]", - "location": "[parameters('location')]", - "apiVersion": "2019-09-01", - "properties": { - "policyDefinitionId": "[parameters('policyDefinitionID')]", - "parameters": "[parameters('parameters')]" - }, - "identity": { - "type": "[parameters('identity')]" - } - } - ] - } - } - }, - // Policy Assignment on Resource group scope - { - "name": "[concat(variables('policyAssignmentName'), '-rgDeployment')]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "dependsOn": [ - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - 
"type": "Microsoft.Authorization/policyAssignments", - "name": "[variables('policyAssignmentName')]", - "location": "[resourceGroup().location]", - "apiVersion": "2019-09-01", - "properties": { - "policyDefinitionId": "[parameters('policyDefinitionID')]", - "parameters": "[parameters('parameters')]" - }, - "identity": { - "type": "[parameters('identity')]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "policyAssignmentName": { - "type": "string", - "value": "[variables('policyAssignmentName')]", - "metadata": { - "description": "Name of the policy assignment." - } - }, - "assignmentScope": { - "type": "string", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id , concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName')))]", - "metadata": { - "description": "The scope (subscription or resource group) of the assignment." - } - } - } -} \ No newline at end of file diff --git a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json deleted file mode 100644 index cf753f50a5..0000000000 --- a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyAssignmentName": { - "value": "Allowed locations 2" - }, - "policyDefinitionID": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" - }, - "parameters": { - "value": { - "listOfAllowedLocations": { - "value": ["westus","westus2"] - } - } - }, - "location": { - "value": "westus2" - }, - "identity": { - "value": "None" - } - } -} 
diff --git a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
deleted file mode 100644
index 291eaa2472..0000000000
--- a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "policyAssignmentName": {
- "value": "Allowed virtual machine SKUs"
- },
- "policyDefinitionID": {
- "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3"
- },
- "parameters": {
- "value": {
- "listOfAllowedSKUs": {
- "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"]
- }
- }
- },
- "location": {
- "value": "westus2"
- },
- "identity": {
- "value": "None"
- }
- }
-}
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json
deleted file mode 100644
index a511f42ea4..0000000000
--- a/nativeTemplates/Microsoft.Authorization/policyAssignments/parameters/parameters.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "resourceGroupName": {
- "value": ""
- },
- "policyAssignmentName": {
- "value": "Add a tag to resources"
- },
- "policyDefinitionID": {
- "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
- },
- "parameters": {
- "value": {
- "tagName": {
- "value": "Tag"
- },
- "tagValue": {
- "value": "Value"
- }
- }
- },
- "location": {
- "value": "westeurope"
- }
- }
-}
diff --git a/nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md b/nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md
deleted file mode 100644
index a36a36cf0d..0000000000
--- a/nativeTemplates/Microsoft.Authorization/policyAssignments/readme.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# PolicyAssignment
-
-## Resource types
-
-|Resource Type|ApiVersion|
-|:--|:--|
-|`Microsoft.Resources/deployments`|2018-02-01|
-|`Microsoft.Authorization/policyAssignments`|2018-05-01|
-
-## Parameters
-
-| Parameter Name | Type | Description | DefaultValue | Possible values |
-| :-- | :-- | :-- | :-- | :-- |
-| `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | |
-| `location` | string | Optional. Location for all resources. | | |
-| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. | | |
-| `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | |
-| `parameters` | object | Optional. Parameters for the policy assignment if needed. | | |
-| `identity` | string | Optional. The managed identity associated with the policy assignment. | | |
-| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
-
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `assignmentScope` | string | The scope (subscription or resource group) of the assignment. |
-| `policyAssignmentName` | string | Name of the policy assignment. |
-
-## Considerations
-
-## Additional resources
-
-- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
-- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
-- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
diff --git a/nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json
deleted file mode 100644
index 2585e6269c..0000000000
--- a/nativeTemplates/Microsoft.Authorization/roleAssignments/Parameters/parameters.json
+++ /dev/null
@@ -1,54 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Resource Group name is optional, when provided, the Role Assignment will target the RG. When not provided the scope will be the subscription. - "resourceGroupName": { - "value": "artifacts-rg" - }, - "roleAssignments": { - "value": [ - // Built-in Role Definition, referenced by Name - { - "roleDefinitionIdOrName": "Owner", - "principalIds": [ - // "12345678-1234-1234-1234-123456780123" - // "abcd5678-1234-1234-1234-123456780123" - ] - }, - // Built-in Role Definition, referenced by Name - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - // "12345678-1234-1234-1234-123456780123" - // "abcd5678-1234-1234-1234-123456780123" - ] - }, - // // Built-in Role Definition, referenced by ID - // { - // "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // }, - // // Custom Role Definition on Resource Group scope - // { - // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // }, - // // Custom Role Definition on Subscription scope - // { - // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // } - ] - } - } -} \ No newline at end of file 
diff --git a/nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json b/nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json
deleted file mode 100644
index 1857dd535e..0000000000
--- a/nativeTemplates/Microsoft.Authorization/roleAssignments/deploy.json
+++ /dev/null
@@ -1,432 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "builtInRoleNames": { - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Job Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Maps Data Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": 
"/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Desktop Virtualization User": 
"/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications 
Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", - "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage 
File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" - } - }, - "resources": [ - // CUA on 
Subscription scope - { - "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Role Assignments on Subscription scope - { - "name": "[concat(uniqueString(deployment().name, parameters('location')), 'subscriptionRbacDeplCopy-', copyIndex())]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "location": "[parameters('location')]", - "condition": "[and(not(empty(parameters('roleAssignments'))), empty(parameters('resourceGroupName')))]", - "dependsOn": [ - ], - "copy": { - "name": "subscriptionRbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "subscriptionId": { - "value": "[subscription().id]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "subscriptionId": { - "type": "string" - } - }, - "variables": { - "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" - }, - 
"resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", - "condition": "[variables('condition')]", - "copy": { - "name": "innerRbacCopy", - "count": "[length(array(parameters('roleAssignment').principalIds))]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" - } - } - ] - } - } - }, - // CUA on Resource Group scope - { - "name": "cuaDeploymentOnResourceGroup", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "dependsOn": [ - ], - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "cuaId": { - "value": "[parameters('cuaId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "cuaId": { - "type": "string" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - } - 
], - "outputs": { - "resourceGroupId": { - "type": "string", - "value": "[resourceGroup().id]" - } - } - } - } - }, - // Role Assignments on Resource Group scope - { - "name": "[concat('resourceGroupRbacDeplCopy-', copyIndex())]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[and(not(empty(parameters('roleAssignments'))), not(empty(parameters('resourceGroupName'))))]", - "dependsOn": [ - ], - "copy": { - "name": "resourceGroupRbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "resourceGroupName": { - "type": "string" - } - }, - "variables": { - "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[if( variables('condition'), guid( parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", - "condition": "[variables('condition')]", - "copy": { 
- "name": "innerRbacCopy", - "count": "[length(array(parameters('roleAssignment').principalIds))]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "assignmentScope": { - "type": "string", - "condition": "[not(empty(parameters('roleAssignments')))]", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id , reference('cuaDeploymentOnResourceGroup').outputs.resourceGroupId.value)]", - "metadata": { - "description": "The scope (subscription or resource group) of the assignments defined in this module were created on." - } - }, - "roleAssignments": { - "type": "array", - "value": "[parameters('roleAssignments')]", - "metadata": { - "description": "Array of role assignment objects." - } - } - } -} \ No newline at end of file diff --git a/nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md b/nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md deleted file mode 100644 index 72f624e53c..0000000000 --- a/nativeTemplates/Microsoft.Authorization/roleAssignments/readme.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Role Assignments - -This module deploys Role Assignments. - -## Resource types - -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview| -|`Microsoft.Resources/deployments`|2018-02-01| - -## Parameters - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `location` | string | [deployment().location] | | Optional. Location for all resources. 
| - -### Parameter Usage: `roleAssignments` - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/subscriptions/78945612-1234-1234-1234-123456789012/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ] - } - ] -} -``` - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `assignmentScope` | string | The scope (subscription or resource group) of the assignments defined in this module were created on. | -| `roleAssignments` | array | Array of role assignment objects. | - -## Considerations - -This module can be deployed both at subscription or resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. - -## Additional resources - -- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) -- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file 
diff --git a/nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json b/nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json
deleted file mode 100644
index 9c1e1945c8..0000000000
--- a/nativeTemplates/Microsoft.Authorization/roleDefinitions/Parameters/parameters.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleName": {
- "value": "myCustomRoleAtSub"
- },
- // "resourceGroupName": {
- // "value": "rbacTest"
- // },
- "roleDescription": {
- "value": ""
- },
- "actions": {
- "value": [
- "Microsoft.Compute/galleries/read",
- "Microsoft.Compute/galleries/images/read",
- "Microsoft.Compute/galleries/images/versions/read",
- "Microsoft.Compute/galleries/images/versions/write",
- "Microsoft.Compute/images/write",
- "Microsoft.Compute/images/read",
- "Microsoft.Compute/images/delete",
- "Microsoft.Network/virtualNetworks/read",
- "Microsoft.Network/virtualNetworks/subnets/join/action"
- ]
- },
- "notActions": {
- "value": []
- },
- "dataActions": {
- "value": []
- },
- "notDataActions": {
- "value": []
- }
- }
-}
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json b/nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json
deleted file mode 100644
index 522ac6e8eb..0000000000
--- a/nativeTemplates/Microsoft.Authorization/roleDefinitions/deploy.json
+++ /dev/null
@@ -1,238 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription." - } - }, - "roleDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of allowed data actions." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of denied data actions." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - }, - "resources": [ - // CUA on Subscription scope - { - "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Role Definitions on Subscription scope - { - "name": "[guid(parameters('roleName'), subscription().id)]", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2018-01-01-preview", - "condition": "[empty(parameters('resourceGroupName'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('roleDescription')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": [ - "[subscription().id]" - ] - } - }, - // CUA & Role Definitions on Resource Group scope - { - "name": "roleDefinitionDeployment", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleName": { - "value": "[parameters('roleName')]" - }, - "roleDescription": { - "value": "[parameters('roleDescription')]" - }, - "actions": { - "value": "[parameters('actions')]" - }, - "notActions": { - "value": "[parameters('notActions')]" - }, - "dataActions": { - "value": "[parameters('dataActions')]" - }, - 
"notDataActions": { - "value": "[parameters('notDataActions')]" - }, - "cuaId": { - "value": "[parameters('cuaId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleName": { - "type": "string" - }, - "roleDescription": { - "type": "string" - }, - "actions": { - "type": "array" - }, - "notActions": { - "type": "array" - }, - "dataActions": { - "type": "array" - }, - "notDataActions": { - "type": "array" - }, - "cuaId": { - "type": "string" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "name": "[guid(parameters('roleName'), resourceGroup().id)]", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2018-01-01-preview", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('roleDescription')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": [ - "[resourceGroup().id]" - ] - } - } - ], - "outputs": { - "resourceGroupId": { - "type": "string", - "value": "[resourceGroup().id]" - }, - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), resourceGroup().id))]" - } - } - } - } - } - ], - "functions": [ - ], - "outputs": { - "definitionId": { - "type": "string", - "value": "[if(not(empty(parameters('resourceGroupName'))), 
resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'roleDefinitionDeployment'), '2019-10-01').outputs.resourceGroupId.value)), resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), subscription().id)))]", - "metadata": { - "description": "The id of the role definition that was created." - } - }, - "definitionScope": { - "type": "string", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id, reference('roleDefinitionDeployment').outputs.resourceGroupId.value)]", - "metadata": { - "description": "The scope (subscription or resource group) this definition was created on." - } - } - } -} \ No newline at end of file diff --git a/nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md b/nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md deleted file mode 100644 index c0957284dd..0000000000 --- a/nativeTemplates/Microsoft.Authorization/roleDefinitions/readme.md +++ /dev/null 
@@ -1,43 +0,0 @@
-# Role Definitions
-
-This module deploys custom RBAC Role Definitions.
-
-## Resource types
-
-|Resource Type|ApiVersion|
-|:--|:--|
-|`Microsoft.Authorization/roleDefinitions`|2018-07-01|
-|`Microsoft.Resources/deployments`|2018-02-01|
-
-## Parameters
-
-| Parameter Name | Type | Default Value | Possible values | Description |
-| :- | :- | :- | :- | :- |
-| `roleName` | string | | | Required. Name of the custom RBAC role to be created.
-| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription.
-| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created.
-| `actions` | array | [] | | Optional. List of allowed actions.
-| `notActions` | array | [] | | Optional. List of denied actions.
-| `dataActions` | array | [] | | Optional. List of allowed data actions.
-| `notDataActions` | array | [] | | Optional. List of denied data actions.
-| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `definitionId` | string | The id of the role definition that was created. |
-| `definitionScope` | string | The scope (subscription or resource group) this definition was created on. |
-
-## Considerations
-
-This module can be deployed both at subscription or resource group level:
-
-- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter.
-- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty.
-
-## Additional resources
-
-- [Understand Azure role definitions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions)
-- [Microsoft.Authorization roleDefinitions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep
deleted file mode 100644
index 4a16ebcc28..0000000000
--- a/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep
+++ /dev/null
@@ -1,52 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpoint object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}') - subnetResourceId: privateEndpoint.subnetResourceId - service: [ - privateEndpoint.service - ] - privateDnsZoneResourceIds: (contains(privateEndpoint, 'privateDnsZoneResourceIds') ? (empty(privateEndpoint.privateDnsZoneResourceIds) ? createArray() : privateEndpoint.privateDnsZoneResourceIds) : createArray()) - customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? json('null') : privateEndpoint.customDnsConfigs) : json('null')) -} - -resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2020-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateEndpoint_name_default 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint_var.name}/default' - properties: { - privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { - name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) - properties: { - privateDnsZoneId: 
privateEndpoint_var.privateDnsZoneResourceIds[j] - } - }] - } - dependsOn: [ - privateEndpoint_name - ] -} \ No newline at end of file diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep deleted file mode 100644 index 102fd302d2..0000000000 --- a/nativeTemplates/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep +++ /dev/null @@ -1,12 +0,0 @@ -param roleAssignment object -param builtInRoleNames object -param keyVaultName string - -resource keyVaultName_Microsoft_Authorization_keyVaultName_roleAssignment_principalIds_innerRbacCopy_roleAssignment_roleDefinitionIdOrName 'Microsoft.KeyVault/vaults/providers/roleAssignments@2018-09-01-preview' = [for i in range(0, length(roleAssignment.principalIds)): { - name: '${keyVaultName}/Microsoft.Authorization/${guid(uniqueString(concat(keyVaultName, array(roleAssignment.principalIds)[i], roleAssignment.roleDefinitionIdOrName)))}' - properties: { - roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName) - principalId: array(roleAssignment.principalIds)[i] - } - dependsOn: [] -}] \ No newline at end of file diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep b/nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep deleted file mode 100644 index ad4c72bf66..0000000000 --- a/nativeTemplates/Microsoft.KeyVault/vaults/deploy.bicep +++ /dev/null 
@@ -1,277 +0,0 @@ -@description('Optional. Name of the Key Vault. If no name is provided, then unique name will be created.') -@maxLength(24) -param keyVaultName string = '' - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of access policies object') -param accessPolicies array = [] - -@description('Optional. All secrets [{"secretName":"","secretValue":""} wrapped in a secure object]') -@secure() -param secretsObject object = { - secrets: [] -} - -@description('Optional. All keys [{"keyName":"","keyType":"","keyOps":"","keySize":"","curvename":""} wrapped in a secure object]') -@secure() -param keysObject object = { - keys: [] -} - -@description('Optional. Specifies if the vault is enabled for deployment by script or compute') -@allowed([ - true - false -]) -param enableVaultForDeployment bool = true - -@description('Optional. Specifies if the vault is enabled for a template deployment') -@allowed([ - true - false -]) -param enableVaultForTemplateDeployment bool = true - -@description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.') -@allowed([ - true - false -]) -param enableVaultForDiskEncryption bool = true - -@description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.') -param enableSoftDelete bool = true - -@description('Optional. softDelete data retention days. It accepts >=7 and <=90.') -param softDeleteRetentionInDays int = 90 - -@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. 
If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.') -param enableRbacAuthorization bool = false - -@description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.') -param createMode string = 'default' - -@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.') -param enablePurgeProtection bool = false - -@description('Optional. Specifies the SKU for the vault') -@allowed([ - 'Premium' - 'Standard' -]) -param vaultSku string = 'Premium' - -@description('Optional. Service endpoint object information') -param networkAcls object = {} - -@description('Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well') -param vNetId string = '' - -@description('Optional. The name of the Diagnostic setting.') -param diagnosticSettingName string = 'service' - -@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') -@minValue(0) -@maxValue(365) -param diagnosticLogsRetentionInDays int = 365 - -@description('Optional. Resource identifier of the Diagnostic Storage Account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource identifier of Log Analytics.') -param workspaceId string = '' - -@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param eventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param eventHubName string = '' - -@description('Optional. Switch to lock Key Vault from deletion.') -param lockForDeletion bool = false - -@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') -param roleAssignments array = [] - -@description('Optional. Configuration Details for private endpoints.') -param privateEndpoints array = [] - -@description('Optional. Resource tags.') -param tags object = {} - -@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') -param cuaId string = '' - -@description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') -param baseTime string = utcNow('u') - -var moduleName = 'Key Vault' -var maxNameLength = 24 -var uniqueKeyVaultNameUntrim = uniqueString(concat(moduleName, baseTime)) -var uniqueKeyVaultName = ((length(uniqueKeyVaultNameUntrim) > maxNameLength) ? substring(uniqueKeyVaultNameUntrim, 0, maxNameLength) : uniqueKeyVaultNameUntrim) -var keyVaultName_var = (empty(keyVaultName) ? uniqueKeyVaultName : keyVaultName) -var deployServiceEndpoint = (!empty(networkAcls)) -var virtualNetworkRules = { - virtualNetworkRules: [for j in range(0, ((!deployServiceEndpoint) ? 0 : length(networkAcls.virtualNetworkRules))): { - id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[j].subnet}' - }] -} -var networkAcls_var = { - bypass: ((!deployServiceEndpoint) ? json('null') : networkAcls.bypass) - defaultAction: ((!deployServiceEndpoint) ? json('null') : networkAcls.defaultAction) - virtualNetworkRules: ((!deployServiceEndpoint) ? json('null') : ((length(networkAcls.virtualNetworkRules) == 0) ? emptyArray : virtualNetworkRules.virtualNetworkRules)) - ipRules: ((!deployServiceEndpoint) ? 
json('null') : ((length(networkAcls.ipRules) == 0) ? emptyArray : networkAcls.ipRules)) -} -var emptyArray = [] -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var diagnosticsLogs = [ - { - category: 'AuditEvent' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var builtInRoleNames = { - Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' - 'Key Vault Administrator (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483' - 'Key Vault Certificates Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985' - 'Key Vault Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' - 'Key Vault Crypto Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603' - 'Key Vault Crypto Service Encryption User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6' - 'Key Vault Crypto User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424' - 'Key Vault 
Reader (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2' - 'Key Vault Secrets Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7' - 'Key Vault Secrets User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6' - 'Log Analytics Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' - 'Log Analytics Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' - 'Managed Application Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' - 'Managed Application Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' - 'Managed Applications Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' - 'Monitoring Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' - 'Monitoring Metrics Publisher': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' - 'Monitoring Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' - 'Resource Policy Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' - 'User Access Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' - 'Azure Service Deploy Release Management Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21d96096-b162-414a-8302-d8354f9d91b2' - masterreader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2' -} - -resource keyVaultName_resource 'Microsoft.KeyVault/vaults@2019-09-01' = { - name: keyVaultName_var - location: location - tags: tags - properties: { - enabledForDeployment: enableVaultForDeployment - enabledForTemplateDeployment: enableVaultForTemplateDeployment - enabledForDiskEncryption: enableVaultForDiskEncryption - enableSoftDelete: enableSoftDelete - softDeleteRetentionInDays: softDeleteRetentionInDays - enableRbacAuthorization: enableRbacAuthorization - createMode: createMode - enablePurgeProtection: ((!enablePurgeProtection) ? json('null') : enablePurgeProtection) - tenantId: subscription().tenantId - accessPolicies: accessPolicies - sku: { - name: vaultSku - family: 'A' - } - networkAcls: ((!deployServiceEndpoint) ? 
json('null') : networkAcls_var) - } -} - -resource keyVaultName_Microsoft_Authorization_keyVaultDoNotDelete 'Microsoft.KeyVault/vaults/providers/locks@2016-09-01' = if (lockForDeletion) { - name: '${keyVaultName_var}/Microsoft.Authorization/keyVaultDoNotDelete' - properties: { - level: 'CannotDelete' - } - dependsOn: [ - keyVaultName_resource - ] -} - -resource keyVaultName_Microsoft_Insights_diagnosticSettingName 'Microsoft.KeyVault/vaults/providers/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { - name: '${keyVaultName_var}/Microsoft.Insights/${diagnosticSettingName}' - location: location - properties: { - storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) - workspaceId: (empty(workspaceId) ? json('null') : workspaceId) - eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) - eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) - logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) - } - dependsOn: [ - keyVaultName_resource - ] -} - -resource secretsObject_secrets_keyVaultName_secretEntity_keyVaultName_secretsObject_secrets_secretName 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for i in range(0, length(secretsObject.secrets)): if (!empty(secretsObject.secrets)) { - name: (empty(secretsObject.secrets) ? 
'${keyVaultName_var}/secretEntity' : '${keyVaultName_var}/${secretsObject.secrets[i].secretName}') - properties: { - value: secretsObject.secrets[i].secretValue - } - dependsOn: [ - keyVaultName_resource - ] -}] - -resource keysObject_keys_keyVaultName_keyEntity_keyVaultName_keysObject_keys_keyName 'Microsoft.KeyVault/vaults/keys@2019-09-01' = [for i in range(0, length(keysObject.keys)): if (!empty(keysObject.keys)) { - name: (empty(keysObject.keys) ? '${keyVaultName_var}/keyEntity' : '${keyVaultName_var}/${keysObject.keys[i].keyName}') - location: location - properties: { - kty: keysObject.keys[i].keyType - keyOps: keysObject.keys[i].keyOps - keySize: keysObject.keys[i].keySize - curveName: keysObject.keys[i].curveName - } - dependsOn: [ - keyVaultName_resource - ] -}] - -module name_location_KeyVault_PrivateEndpoints './nested_name_location_KeyVault_PrivateEndpoints.bicep' = [for (item, i) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoints-${i}' - params: { - privateEndpointResourceId: keyVaultName_resource.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(item.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) - privateEndpoint: item - tags: tags - } - dependsOn: [ - keyVaultName_resource - ] -}] - -module rbac_name './nested_rbac_name.bicep' = [for (item, i) in roleAssignments: { - name: 'rbac-${deployment().name}${i}' - params: { - roleAssignment: item - builtInRoleNames: builtInRoleNames - keyVaultName: keyVaultName_var - } - dependsOn: [ - keyVaultName_resource - ] -}] - -output keyVaultResourceId string = keyVaultName_resource.id -output keyVaultResourceGroup string = resourceGroup().name -output keyVaultName string = keyVaultName_var -output keyVaultUrl string = reference(keyVaultName_resource.id, '2019-09-01').vaultUri 
diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/deploy.json b/nativeTemplates/Microsoft.KeyVault/vaults/deploy.json
deleted file mode 100644
index c503b82e0c..0000000000
--- a/nativeTemplates/Microsoft.KeyVault/vaults/deploy.json
+++ /dev/null
@@ -1,611 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "keyVaultName": {
- "type": "string",
- "defaultValue": "",
- "maxLength": 24,
- "metadata": {
- "description": "Optional. Name of the Key Vault. If no name is provided, then unique name will be created."
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Optional. Location for all resources."
- }
- },
- "accessPolicies": {
- "type": "array",
- "defaultValue": [
- ],
- "metadata": {
- "description": "Optional. Array of access policies object"
- }
- },
- "secretsObject": {
- "type": "secureObject",
- "defaultValue": {
- "secrets": [
- ]
- },
- "metadata": {
- "description": "Optional. All secrets [{\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object]"
- }
- },
- "keysObject": {
- "type": "secureObject",
- "defaultValue": {
- "keys": [
- ]
- },
- "metadata": {
- "description": "Optional. All keys [{\"keyName\":\"\",\"keyType\":\"\",\"keyOps\":\"\",\"keySize\":\"\",\"curvename\":\"\"} wrapped in a secure object]"
- }
- },
- "enableVaultForDeployment": {
- "type": "bool",
- "defaultValue": true,
- "allowedValues": [
- true,
- false
- ],
- "metadata": {
- "description": "Optional. Specifies if the vault is enabled for deployment by script or compute"
- }
- },
- "enableVaultForTemplateDeployment": {
- "type": "bool",
- "defaultValue": true,
- "allowedValues": [
- true,
- false
- ],
- "metadata": {
- "description": "Optional. Specifies if the vault is enabled for a template deployment"
- }
- },
- "enableVaultForDiskEncryption": {
- "type": "bool",
- "defaultValue": true,
- "allowedValues": [
- true,
- false
- ],
- "metadata": {
- "description": "Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios."
- } - }, - "enableSoftDelete": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Switch to enable/disable Key Vault's soft delete feature." - } - }, - "softDeleteRetentionInDays": { - "type": "int", - "defaultValue": 90, - "metadata": { - "description": "Optional. softDelete data retention days. It accepts >=7 and <=90." - } - }, - "enableRbacAuthorization": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." - } - }, - "createMode": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default." - } - }, - "enablePurgeProtection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Provide 'true' to enable Key Vault's purge protection feature." - } - }, - "vaultSku": { - "type": "string", - "defaultValue": "Premium", - "allowedValues": [ - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Specifies the SKU for the vault" - } - }, - "networkAcls": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Service endpoint object information" - } - }, - "vNetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well" - } - }, - "diagnosticSettingName": { - "type": "string", - "defaultValue": "service", - "metadata": { - "description": "Optional. The name of the Diagnostic setting." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Key Vault from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "privateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration Details for private endpoints." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules." - } - } - }, - - "variables": { - "moduleName": "Key Vault", - "maxNameLength": 24, - "uniqueKeyVaultNameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]", - "uniqueKeyVaultName": "[if(greater(length(variables('uniqueKeyVaultNameUntrim')),variables('maxNameLength')),substring(variables('uniqueKeyVaultNameUntrim'),0,variables('maxNameLength')),variables('uniqueKeyVaultNameUntrim'))]", - "keyVaultName": "[if(empty(parameters('keyVaultName')),variables('uniqueKeyVaultName'),parameters('keyVaultName'))]", - "deployServiceEndpoint": "[not(empty(parameters('networkAcls')))]", - "virtualNetworkRules": { - "copy": [ - { - "name": "virtualNetworkRules", - "count": "[if(not(variables('deployServiceEndpoint')), 0, length(parameters('networkAcls').virtualNetworkRules))]", - "input": { - "id": "[concat(parameters('vNetId'), '/subnets/', parameters('networkAcls').virtualNetworkRules[copyIndex('virtualNetworkRules')].subnet)]" - } - } - ] - }, - "networkAcls": { - "bypass": "[if(not(variables('deployServiceEndpoint')), 
json('null'), parameters('networkAcls').bypass)]", - "defaultAction": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').defaultAction)]", - "virtualNetworkRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').virtualNetworkRules), 0), variables('emptyArray'), variables('virtualNetworkRules').virtualNetworkRules))]", - "ipRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), variables('emptyArray'), parameters('networkAcls').ipRules))]" - }, - "emptyArray": [ - ], - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogs": [ - { - "category": "AuditEvent", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Key Vault Administrator (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Azure Service Deploy Release Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21d96096-b162-414a-8302-d8354f9d91b2')]", - "masterreader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')]" - } - }, - "resources": [ - // Key Vault - { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2019-09-01", - "name": "[variables('keyVaultName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "enabledForDeployment": "[parameters('enableVaultForDeployment')]", - "enabledForTemplateDeployment": 
"[parameters('enableVaultForTemplateDeployment')]", - "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]", - "enableSoftDelete": "[parameters('enableSoftDelete')]", - "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]", - "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]", - "createMode": "[parameters('createMode')]", - "enablePurgeProtection": "[if(not(parameters('enablePurgeProtection')), json('null'), parameters('enablePurgeProtection'))]", - "tenantId": "[subscription().tenantId]", - "accessPolicies": "[parameters('accessPolicies')]", - "sku": { - "name": "[parameters('vaultSku')]", - "family": "A" - }, - "networkAcls": "[if(not(variables('deployServiceEndpoint')), json('null'), variables('networkAcls'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/keyVaultDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "comments": "Resource lock on Azure Key Vault", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.KeyVault/vaults/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(variables('keyVaultName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - 
"eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - // Key Vault Secrets - { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2019-09-01", - "condition": "[not(empty(parameters('secretsObject').secrets))]", - "name": "[if(empty(parameters('secretsObject').secrets), concat(variables('keyVaultName'), '/', 'secretEntity'), concat(variables('keyVaultName'), '/', parameters('secretsObject').secrets[copyIndex()].secretName))]", - "properties": { - "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]" - }, - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "copy": { - "name": "secretsCopy", - "count": "[length(parameters('secretsObject').secrets)]" - } - }, - // Key Vault Keys - { - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2019-09-01", - "condition": "[not(empty(parameters('keysObject').keys))]", - "name": "[if(empty(parameters('keysObject').keys), concat(variables('keyVaultName'), '/', 'keyEntity'), concat(variables('keyVaultName'), '/', parameters('keysObject').keys[copyIndex()].keyName))]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" - ], - "properties": { - "kty": 
"[parameters('keysObject').keys[copyIndex()].keyType]", - "keyOps": "[parameters('keysObject').keys[copyIndex()].keyOps]", - "keySize": "[parameters('keysObject').keys[copyIndex()].keySize]", - "curveName": "[parameters('keysObject').keys[copyIndex()].curveName]" - }, - "copy": { - "name": "keyCopy", - "count": "[length(parameters('keysObject').keys)]" - } - }, - // Private Endpoints - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat(uniqueString(deployment().name, parameters('location')), '-KeyVault-PrivateEndpoints','-',copyIndex())]", - "condition": "[not(empty(parameters('privateEndpoints')))]", - "dependsOn": [ - "[variables('keyVaultName')]" - ], - "copy": { - "name": "privateEndpointsCopy", - "count": "[length(parameters('privateEndpoints'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "privateEndpointResourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - }, - "privateEndpointVnetLocation": { - "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" - }, - "privateEndpoint": { - "value": "[parameters('privateEndpoints')[copyIndex()]]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "privateEndpointResourceId": { - "type": "string" - }, - "privateEndpointVnetLocation": { - "type": "string" - }, - "privateEndpoint": { - "type": "object" - }, - "tags": { - "type": "object" - } - }, - "variables": { - "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", - "privateEndpoint": { - "name": "[if(contains(parameters('privateEndpoint'), 
'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", - "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", - "service": [ - "[parameters('privateEndpoint').service]" - ], - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", - "name": "[variables('privateEndpoint').name]", - "location": "[parameters('privateEndpointVnetLocation')]", - "tags": "[parameters('tags')]", - "properties": { - "privateLinkServiceConnections": [ - { - "name": "[variables('privateEndpoint').name]", - "properties": { - "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", - "groupIds": "[variables('privateEndpoint').service]" - } - } - ], - "manualPrivateLinkServiceConnections": [], - "subnet": { - "id": "[variables('privateEndpoint').subnetResourceId]" - }, - "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-05-01", - "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", - "name": "[concat(variables('privateEndpoint').name, '/default')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" - ], - 
"properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", - "input": { - "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", - "properties": { - "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - } - } - ] - } - } - }, - // RBAC - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[variables('keyVaultName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "keyVaultName": { - "value": "[variables('keyVaultName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "keyVaultName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.KeyVault/vaults/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('keyVaultName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - 
"properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "keyVaultResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]", - "metadata": { - "description": "The Resource Id of the Key Vault." - } - }, - "keyVaultResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the Key Vault was created in." - } - }, - "keyVaultName": { - "type": "string", - "value": "[variables('keyVaultName')]", - "metadata": { - "description": "The Name of the Key Vault." - } - }, - "keyVaultUrl": { - "type": "string", - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')),'2019-09-01').vaultUri]", - "metadata": { - "description": "The URL of the Key Vault." - } - } - } -} diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json b/nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json deleted file mode 100644 index fbcfd5abf6..0000000000 --- a/nativeTemplates/Microsoft.KeyVault/vaults/parameters/parameters.json +++ /dev/null 
@@ -1,68 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "keyVaultName": {
- "value": "sxx-az-kv-weu-x-001"
- },
- "keysObject": {
- "value": {
- "keys": [
- {
- "keyName": "keyRSA",
- "keyType": "RSA",
- "keyOps": [
- "encrypt",
- "decrypt",
- "sign",
- "verify",
- "wrapKey",
- "unwrapKey"
- ],
- "keySize": "2048",
- "curveName": ""
- }
- ]
- }
- },
- "accessPolicies": {
- "value": [
- {
- "tenantId": "",
- "objectId": "",
- "permissions": {
- "certificates": ["All"],
- "keys": ["All"],
- "secrets": ["All"]
- }
- },
- {
- "tenantId": "",
- "objectId": "",
- "permissions": {
- "certificates": ["All"],
- "keys": ["All"],
- "secrets": ["All"]
- }
- }
- ]
- },
- "enableSoftDelete": {
- "value": true
- },
- "softDeleteRetentionInDays": {
- "value": 7
- },
-// "networkAcls": {
-// "value": {
-// "bypass": "AzureServices",
-// "defaultAction": "Deny",
-// "virtualNetworkRules": [],
-// "ipRules": []
-// }
-// },
- "enableRbacAuthorization": {
- "value": false
- }
- }
-}
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.KeyVault/vaults/readme.md b/nativeTemplates/Microsoft.KeyVault/vaults/readme.md
deleted file mode 100644
index 7162fd5e79..0000000000
--- a/nativeTemplates/Microsoft.KeyVault/vaults/readme.md
+++ /dev/null
@@ -1,245 +0,0 @@ -# KeyVault - -[![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() - -[![Deploy To Azure US Gov](/docs/media/deploytoazuregov.svg?sanitize=true)]() - -[![Visualize](/docs/media/visualizebutton.svg?sanitize=true)]() - -## Resource types - -| Resource Type | Api Version | -| :-- | :-- | -| `Microsoft.KeyVault/vaults/keys` | 2019-09-01 | -| `Microsoft.KeyVault/vaults/providers/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.KeyVault/vaults/providers/roleAssignments` | 2018-09-01-preview | -| `Microsoft.KeyVault/vaults/secrets` | 2019-09-01 | -| `Microsoft.KeyVault/vaults` | 2019-09-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `providers/locks` | 2016-09-01 | - -## Parameters - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `keyVaultName` | string | | | Optional. Name of the Key Vault Name. If no name is provided, then unique name will be created.| -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `accessPolicies` | object | `{}` | Complex structure, see below. | Optional. Access policies object -| `secretsObject` | object | `{}` | Complex structure, see below. | Optional. All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object -| `keysObject` | object | `{}` | Complex structure, see below. | Optional. All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object -| `enableVaultForDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for deployment by script or compute -| `enableVaultForTemplateDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for a template deployment -| `enableVaultForDiskEncryption` | bool | `true` | | Optional. 
Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. -| `enableSoftDelete` | bool | `true` | | Optional. Switch to enable Key Vault's soft delete feature. -| `softDeleteRetentionInDays` | int | 90 | | Optional. softDelete data retention days. It accepts >=7 and <=90. -| `enableRbacAuthorization` | bool | `false` | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. -| `createMode` | bool | `true` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. -| `enablePurgeProtection` | bool | `false` | | Optional. Switch to enable Key Vault's purge protection feature. -| `vaultSku` | string | `Premium` | Premium, Standard |Optional. Specifies the SKU for the vault -| `vNetId` | string | "" | | Optional. Virtual Network Identifier used to create a service endpoint. -| `networkAcls` | object | {} | Complex structure, see below. | Optional. Network ACLs, this value contains IPs to whitelist and/or Subnet information. -| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. -| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. -| `workspaceId` | string | "" | | Optional. 
Resource identifier of Log Analytics. -| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Azure Key Vault from deletion. -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. -| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. 
- -### Parameter Usage: `roleAssignments` - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ] - } - ] -} -``` - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -### Parameter Usage: `networkAcls` - -```json -"networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "virtualNetworkRules": [ - { - "subnet": "sharedsvcs" - } - ], - "ipRules": [] - } -} -``` - -### Parameter Usage: `vNetId` - -```json -"vNetId": { - "value": "/subscriptions/00000000/resourceGroups/resourceGroup" -} -``` - -### Parameter Usage: `accessPolicies` - -```json -"accessPolicies": { - "value": [ - { - "tenantId": null, - "objectId": null, - "permissions": { - "certificates": [ - "All" - ], - "keys": [ - "All" - ], - "secrets": [ - "All" - ] - } - } - ] -} -``` - -### Parameter Usage: `secretsObject` - -```json -"secretsObject": { - "value": { - "secrets": [ - { - "secretName": "Secret--AzureAd--Domain", - "secretValue": "Some value" - } - ] - } -} -``` - -### Parameter Usage: `keysObject` - -```json -"keysObject": { - "value": { - "keys": [ - { - "keyName": "keyRSA", // The name of the key to 
be created - "keyType": "RSA", // The JsonWebKeyType of the key to be created - "keyOps": [ //The permitted JSON web key operations of the key to be created - "encrypt", - "decrypt", - "sign", - "verify", - "wrapKey", - "unwrapKey" - ], - "keySize": "2048", //The size in bits of the key to be created - "curveName": "" // The JsonWebKeyCurveName of the key to be created - } - ] - } -} -``` - -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. - -- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
-
-```json
-"privateEndpoints": {
- "value": [
- // Example showing all available fields
- {
- "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here
- "subnetResourceId": "/subscriptions/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001",
- "service": "vault",
- "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- "/subscriptions/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
- ],
- "customDnsConfigs": [ // Optional
- {
- "fqdn": "customname.test.local",
- "ipAddresses": [
- "10.10.10.10"
- ]
- }
- ]
- }
- ]
-}
-```
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `keyVaultName` | string | The Name of the Key Vault. |
-| `keyVaultResourceGroup` | string | The name of the Resource Group the Key Vault was created in. |
-| `keyVaultResourceId` | string | The Resource Id of the Key Vault. |
-| `keyVaultUrl` | string | The URL of the Key Vault. |
-
-## Considerations
-
-**N/A*
-
-## Additional resources
-
-- [What is Azure Key Vault?](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis)
-- [Microsoft.KeyVault vaults template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
-- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
-- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults)
-- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets)
-- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys)
-- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.Management/managementGroups/deploy.json b/nativeTemplates/Microsoft.Management/managementGroups/deploy.json
deleted file mode 100644
index da47866ea0..0000000000
--- a/nativeTemplates/Microsoft.Management/managementGroups/deploy.json
+++ /dev/null
@@ -1,427 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "mgStructure": { - "type": "array", - "metadata": { - "description": "Required. The structure of the management groups" - } - } - }, - "functions": [], - "variables": { - "builtInRoleNames": { - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure 
Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Purger": 
"/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application 
Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", - "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" - } - }, - "resources": [ - { - "type": "Microsoft.Management/managementGroups", - "comments": "Fake deployment, used to specify a non-existent dependency. Never deployed", - "apiVersion": "2020-05-01", - "scope": "/", - "name": "noop", - "condition": false, - "properties": { - "details": { - "parent": { - "id": "" - } - } - } - }, - { - "copy": { - "name": "mgLoop", - "count": "[length(parameters('mgStructure'))]" - }, - - // excludes from creation the root management group that must pre-exist. - // This anyhow allows RBAC at this level to be created - "condition": "[ - not(equals( - parameters('mgStructure')[copyIndex('mgLoop')].parentId, - '/' - )) - ]", - - // if the element contains 'parentNotManagedInThisTemplate' with value true --> this is a top MG managed in this template - // Then -> The resource has no dependencies (noop used as a 'fake' dependency) - // Else -> get dependency from the parent ID - "dependson":[ - "[ - if( - and( - contains( - parameters('mgStructure')[copyIndex('mgLoop')], - 'parentNotManagedInThisTemplate' - ), - parameters('mgStructure')[copyIndex('mgLoop')].parentNotManagedInThisTemplate - ), - 'noop', - parameters('mgStructure')[copyIndex('mgLoop')].parentId - ) - ]" - ], - - "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", - "scope": "/", - "name": "[parameters('mgStructure')[copyIndex('mgLoop')].name]", - "properties": { - "displayName":"[ - if( - contains( - parameters('mgStructure')[copyIndex('mgLoop')], - 'displayName' - ), - parameters('mgStructure')[copyIndex('mgLoop')].displayName, - parameters('mgStructure')[copyIndex('mgLoop')].name - ) - ]", - "details": { - "parent": { - "id": "[concat( - '/providers/Microsoft.Management/managementGroups/', - parameters('mgStructure')[copyIndex('mgLoop')].parentId - )]" - } - } - } - }, - - // Management Group RBAC - { - "name": "[concat('MGRBAC-', 
if(empty(parameters('mgStructure')), 'dummy', copyIndex() ) )]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(parameters('mgStructure')))]", - "location": "[deployment().location]", - "dependsOn": [ - "mgLoop" - ], - "copy": { - "name": "MGRBACLoop", - "count": "[length(parameters('mgStructure'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "MGConfig": { - "value": "[parameters('mgStructure')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "MGDeplLoop": { - "value": "[copyIndex('MGRBACLoop')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "MGConfig": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "MGDeplLoop": { - "type": "int" - } - }, - "resources": [ - { - "name": "[concat('MGRbacDeplLoop-', parameters('MGDeplLoop'), '-', copyIndex('mgRBACDeplLoop'))]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(array(parameters('MGConfig').roleAssignments)))]", - "location": "[deployment().location]", - "dependsOn": [ - ], - "copy": { - "name": "mgRBACDeplLoop", - "count": "[ - if( - contains( - parameters('MGConfig'), - 'roleAssignments' - ), - length( - array( - parameters('MGConfig').roleAssignments - ) - ), - 0 - ) - ]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "MGName": { - "value": "[parameters('MGConfig').name]" - }, - "roleAssignment": { - "value": "[array(parameters('MGConfig').roleAssignments)[copyIndex('mgRBACDeplLoop')]]" - }, - "builtInRoleNames": { - "value": "[parameters('builtInRoleNames')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "MGName": { - "type": "string" - }, - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - } - }, - "resources": [ - { - "type": "Microsoft.Management/managementGroups/providers/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[ - concat( - parameters('MGName'), - '/Microsoft.Authorization/', - guid( - uniqueString( - concat( - parameters('MGName') , - array( - parameters('roleAssignment').principalIds - )[copyIndex('innerRbacCopy')], - parameters('roleAssignment').roleDefinitionIdOrName - ) - ) - ) - ) - ]", - - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[ - if( - contains( - parameters('builtInRoleNames'), - parameters('roleAssignment').roleDefinitionIdOrName - ), - parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName], - parameters('roleAssignment').roleDefinitionIdOrName - ) - ]", - "principalId": "[ - array( - parameters('roleAssignment').principalIds - )[copyIndex('innerRbacCopy')]]" - } - } - ] - } - } - } - ] - } - } - } - ], - "outputs": { - "managementGroupCount": { - "type": "int", - "value": "[length(parameters('mgStructure'))]", - "metadata": { - "description": "Number of management groups considered in the deployment" - } - } - } -} diff --git a/nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json b/nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json deleted file mode 100644 index 02dc4a7f4f..0000000000 --- a/nativeTemplates/Microsoft.Management/managementGroups/parameters/parameters.json +++ /dev/null 
@@ -1,29 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "mgStructure": {
- "value": [
- {
- "name":"root",
- "parentId":"284a3525-0ec7-454c-8a03-90ed7e7a68ce",
- "parentNotManagedInThisTemplate": true
- },
- {
- "name":"child1",
- "displayName":"child1Description",
- "parentId":"root"
- },
- {
- "name":"child2",
- "parentId":"root"
- },
- {
- "name":"nephew1",
- "parentId":"child1",
- "parentNotManagedInThisTemplate": false
- }
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.Management/managementGroups/readme.md b/nativeTemplates/Microsoft.Management/managementGroups/readme.md
deleted file mode 100644
index 1baf9391db..0000000000
--- a/nativeTemplates/Microsoft.Management/managementGroups/readme.md
+++ /dev/null
@@ -1,128 +0,0 @@ -# Management groups - -This template will prepare the Management group structure based on the provided parameter. - -This module has some known **limitations**: -- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID) -- It can't manage the Root (/) management group - -## Resource types - -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Management/managementGroups`|2020-05-01| -|`Microsoft.Resources/deployments`|2020-06-01| - -## Parameters - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `mgStructure` | Array of objects | | Complex structure, see below | Required. The structure of the management groups | - -### Parameter Usage: mgStructure - -Describes the Management groups to be created. Each management group is represented by an element of the array - -``` json -"mgStructure": { - "value": [ - { - "name":"tst1", - "parentId":"test-mg", - "parentNotManagedInThisTemplate": true - }, - { - "name":"child1", - "parentId":"tst1", - "roleAssignments":[ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345567-890a-bcde-f012-456789000000", // object 1 - "12345567-890a-bcde-f012-456789000001" // object 2 - ] - } - ] - }, - { - "name":"child2", - "displayName": "anotherName", - "parentId":"tst1", - "parentNotManagedInThisTemplate": false - }, - { - "name":"nephew1", - "parentId":"child1", - "parentNotManagedInThisTemplate": false - } - ] -} - -``` - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `name` | string | | | Mandatory. The ID of the Management group | -| `parentId` | string | | A MG name | Mandatory. The template will concatenate `/providers/Microsoft.Management/managementGroups/` to create the resource ID of the parent management group the deployed one is child of | -| `displayName` | string | `name` | | Optional. 
The display name of the management group. If not specified, the id (name) will be used | -| `parentNotManagedInThisTemplate` | bool | `false` | | Optional. `true` if the parent management group is existing and defined elsewhere, `false` if the parent MG is also managed in this template. This parameter is used to define the deployment sequence | -| `roleAssignments` | array | | | Optional. Array of role assignment objects | - - -### Parameter Usage: `roleAssignments` - -```json -"roleAssignments": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ] - } -] -``` - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `roleDefinitionIdOrName` | string | | | Mandatory. The name or the ID of the role to assign to the management group | -| `principalIds` | array | | | Mandatory. An array of principal IDs | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `managementGroupCount` | int | Number of management groups considered in the deployment | - -## Considerations - -This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) - -> If owner access is excessive, the following rights roles will grant enough rights: -> **Automation Job Operator** at **tenant** level (scope '/')
-> **Management Group Contributor** at the top management group that needs to be managed -> ->> Consider using the following script:
->> `$PrincipalID = ""`
->> `$TopMGID = ""`
->> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"`
->> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"` - -## Additional resources - -- [Management group](https://docs.microsoft.com/en-us/azure/governance/management-groups/) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups) \ No newline at end of file diff --git a/nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json b/nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json deleted file mode 100644 index bcb6fb5f88..0000000000 --- a/nativeTemplates/Microsoft.OperationalInsights/workspaces/deploy.json +++ /dev/null 
@@ -1,1268 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "logAnalyticsWorkspaceName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Log Analytics workspace" - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "serviceTier": { - "type": "string", - "defaultValue": "PerGB2018", - "allowedValues": [ - "Free", - "Standalone", - "PerNode", - "PerGB2018" - ], - "metadata": { - "description": "Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode" - } - }, - "solutions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. LAW solutions from the gallery." - } - }, - "dataRetention": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 730, - "metadata": { - "description": "Required. Number of days data will be retained for" - } - }, - "dailyQuotaGb": { - "type": "int", - "defaultValue": -1, - "minValue": -1, - "metadata": { - "description": "Optional. The workspace daily quota for ingestion." - } - }, - "publicNetworkAccessForIngestion": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The network access type for accessing Log Analytics ingestion." - } - }, - "publicNetworkAccessForQuery": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. The network access type for accessing Log Analytics query." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Log Analytics workspace resource identifier" - } - }, - "activityLogAdditionalSubscriptionIDs": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from." - } - }, - "automationAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account." - } - }, - "useResourcePermissions": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock storage from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "diagnosticStorageAccountName": "[if(not(empty(parameters('diagnosticStorageAccountId'))), split(parameters('diagnosticStorageAccountId'), '/')[8], 'placeholder')]", - "logAnalyticsSearchVersion": 1, - "builtInRoleNames": { - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Metrics Publisher": 
"/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2020-08-01", - "location": "[parameters('location')]", - "name": "[parameters('logAnalyticsWorkspaceName')]", - "tags": "[parameters('tags')]", - "properties": { - "features": { - "searchVersion": "[variables('logAnalyticsSearchVersion')]", - "enableLogAccessUsingOnlyResourcePermissions": "[parameters('useResourcePermissions')]" - }, - "sku": { - "name": "[parameters('serviceTier')]" - }, - "retentionInDays": "[parameters('dataRetention')]", - "workspaceCapping": { - 
"dailyQuotaGb": "[parameters('dailyQuotaGb')]" - }, - "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", - "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]" - }, - "resources": [ - { - "apiVersion": "2020-03-01-preview", - "name": "VMSSQueries", - "type": "savedSearches", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "properties": { - "etag": "*", - "DisplayName": "VMSS Instance Count", - "Category": "VDC Saved Searches", - "Query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer" - } - }, - { - "apiVersion": "2020-03-01-preview", - "name": "AzureFirewallThreatDeny", - "type": "savedSearches", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "properties": { - "etag": "*", - "DisplayName": "Azure Threat Deny", - "Category": "VDC Saved Searches", - "Query": "AzureDiagnostics | where ResourceType == 'AZUREFIREWALLS' and msg_s contains 'Deny'" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "kind": "AzureActivityLog", - "name": "[subscription().subscriptionId]", - "location": "[parameters('location')]", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "properties": { - "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "applicationEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsEvent", - "properties": { - "eventLogName": "Application", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - } 
- }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "systemEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsEvent", - "properties": { - "eventLogName": "System", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter1", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Processor", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Processor Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter2", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Processor", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Privileged Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter3", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Processor", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% User Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter4", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Processor", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": 
"Processor Frequency" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter5", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Process", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Thread Count" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter6", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Process", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Handle Count" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter7", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "System", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "System Up Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter8", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "System", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Context Switches/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter9", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "System", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Processor 
Queue Length" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter10", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "System", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Processes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter11", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Committed Bytes In Use" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter12", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Available MBytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter13", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Available Bytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter14", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Committed 
Bytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter15", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Cache Bytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter16", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Pool Paged Bytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter17", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Pool Nonpaged Bytes" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter18", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Pages/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter19", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Memory", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Page Faults/sec" - } - }, - { 
- "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter20", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Process", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Working Set" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter21", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "Process", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Working Set - Private" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter22", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Disk Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter23", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Disk Read Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter24", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Disk Write Time" - } - }, 
- { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter25", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "% Idle Time" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter26", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk Bytes/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter27", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk Read Bytes/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter28", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk Write Bytes/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter29", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk 
Transfers/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter30", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk Reads/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter31", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Disk Writes/sec" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter32", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Avg. Disk sec/Transfer" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter33", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Avg. 
Disk sec/Read" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter34", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Avg. Disk sec/Write" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter35", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Avg. Disk Queue Length" - } - }, - { - "apiVersion": "2020-03-01-preview", - "type": "datasources", - "name": "windowsPerfCounter36", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" - ], - "kind": "WindowsPerformanceCounter", - "properties": { - "objectName": "LogicalDisk", - "instanceName": "*", - "intervalSeconds": 60, - "counterName": "Avg. 
Disk Write Queue Length"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter37",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "LogicalDisk",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "% Free Space"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter38",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "LogicalDisk",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Free Megabytes"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter39",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Bytes Total/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter40",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Bytes Sent/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter41",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Bytes Received/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter42",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Packets/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter43",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Packets Sent/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter44",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Packets Received/sec"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter45",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Packets Outbound Errors"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "windowsPerfCounter46",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "WindowsPerformanceCounter",
- "properties": {
- "objectName": "Network Interface",
- "instanceName": "*",
- "intervalSeconds": 60,
- "counterName": "Packets Received Errors"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "sampleIISLog1",
- "condition": false,
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "IISLogs",
- "properties": {
- "state": "OnPremiseEnabled"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "sampleSyslog1",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "LinuxSyslog",
- "properties": {
- "syslogName": "kern",
- "syslogSeverities": [
- {
- "severity": "emerg"
- },
- {
- "severity": "alert"
- },
- {
- "severity": "crit"
- },
- {
- "severity": "err"
- },
- {
- "severity": "warning"
- }
- ]
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "sampleSyslogCollection1",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "LinuxSyslogCollection",
- "properties": {
- "state": "Enabled"
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "sampleLinuxPerf1",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "LinuxPerformanceObject",
- "properties": {
- "performanceCounters": [
- {
- "counterName": "% Used Inodes"
- },
- {
- "counterName": "Free Megabytes"
- },
- {
- "counterName": "% Used Space"
- },
- {
- "counterName": "Disk Transfers/sec"
- },
- {
- "counterName": "Disk Reads/sec"
- },
- {
- "counterName": "Disk Writes/sec"
- }
- ],
- "objectName": "Logical Disk",
- "instanceName": "*",
- "intervalSeconds": 10
- }
- },
- {
- "apiVersion": "2020-03-01-preview",
- "type": "datasources",
- "name": "sampleLinuxPerfCollection1",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "kind": "LinuxPerformanceCollection",
- "properties": {
- "state": "Enabled"
- }
- }
- ]
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/datasources",
- "apiVersion": "2020-03-01-preview",
- "location": "[parameters('location')]",
- "kind": "AzureActivityLog",
- "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', if(empty(parameters('activityLogAdditionalSubscriptionIDs')),'placeholder',parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()]))]",
- "copy": {
- "name": "subscriptionCopy",
- "count": "[length(parameters('activityLogAdditionalSubscriptionIDs'))]"
- },
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "properties": {
- "linkedResourceId": "[concat('/subscriptions/', parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()], '/providers/microsoft.insights/eventTypes/management')]"
- }
- },
- {
- "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', variables('diagnosticStorageAccountName'))]",
- "condition": "[not(empty(parameters('diagnosticStorageAccountId')))]",
- "type": "Microsoft.OperationalInsights/workspaces/storageinsightconfigs",
- "apiVersion": "2020-03-01-preview",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "properties": {
- "containers": [
- ],
- "tables": [
- "WADWindowsEventLogsTable",
- "WADETWEventTable",
- "WADServiceFabric*EventTable",
- "LinuxsyslogVer2v0"
- ],
- "storageAccount": {
- "id": "[parameters('diagnosticStorageAccountId')]",
- "key": "[if(empty(parameters('diagnosticStorageAccountId')), '', listKeys(parameters('diagnosticStorageAccountId'), '2016-12-01').keys[0].value)]"
- }
- }
- },
- {
- "condition": "[not(empty(parameters('solutions')))]",
- "type": "Microsoft.OperationsManagement/solutions",
- "apiVersion": "2015-11-01-preview",
- "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]"
- ],
- "copy": {
- "name": "solutionCopy",
- "count": "[if(greater(length(parameters('solutions')),0),length(parameters('solutions')), 1)]",
- "mode": "Serial"
- },
- "properties": {
- "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]"
- },
- "plan": {
- "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]",
- "product": "[if(empty(parameters('solutions')),'dummy',concat('OMSGallery/', parameters('solutions')[copyIndex()]))]",
- "promotionCode": "",
- "publisher": "Microsoft"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
- "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/' , 'Automation')]",
- "apiVersion": "2020-03-01-preview",
- "condition": "[not(empty(parameters('automationAccountId')))]",
- "location": "[parameters('location')]",
- "properties": {
- "resourceId": "[parameters('automationAccountId')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/locks",
- "apiVersion": "2016-09-01",
- "condition": "[parameters('lockForDeletion')]",
- "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]",
- "dependsOn": [
- "[parameters('logAnalyticsWorkspaceName')]"
- ],
- "comments": "Resource lock on Log Analytics",
- "properties": {
- "level": "CannotDelete"
- }
- },
- {
- "name": "[concat('rbac-',deployment().name, copyIndex())]",
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Resources/deployments",
- "condition": "[not(empty(parameters('roleAssignments')))]",
- "dependsOn": [
- "[parameters('logAnalyticsWorkspaceName')]"
- ],
- "copy": {
- "name": "rbacDeplCopy",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "roleAssignment": {
- "value": "[parameters('roleAssignments')[copyIndex()]]"
- },
- "builtInRoleNames": {
- "value": "[variables('builtInRoleNames')]"
- },
- "logAnalyticsWorkspaceName": {
- "value": "[parameters('logAnalyticsWorkspaceName')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignment": {
- "type": "object"
- },
- "builtInRoleNames": {
- "type": "object"
- },
- "logAnalyticsWorkspaceName": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/roleAssignments",
- "apiVersion": "2020-03-01-preview",
- "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('logAnalyticsWorkspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
- "dependsOn": [
- ],
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(parameters('roleAssignment').principalIds)]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [
- ],
- "outputs": {
- "logAnalyticsResourceId": {
- "type": "string",
- "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]",
- "metadata": {
- "description": "The Resource Id of the Log Analytics workspace deployed."
- }
- },
- "logAnalyticsResourceGroup": {
- "type": "string",
- "value": "[resourceGroup().name]",
- "metadata": {
- "description": "The Resource Group log analytics was deployed to."
- }
- },
- "logAnalyticsName": {
- "type": "string",
- "value": "[parameters('logAnalyticsWorkspaceName')]",
- "metadata": {
- "description": "The Name of the Log Analytics workspace deployed."
- }
- },
- "logAnalyticsWorkspaceId": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').customerId]",
- "metadata": {
- "description": "The Workspace Id for Log Analytics."
- }
- },
- "logAnalyticsPrimarySharedKey": {
- "type": "securestring",
- "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').primarySharedKey]",
- "metadata": {
- "description": "The Primary Shared Key for Log Analytics."
- }
- }
- }
-}
diff --git a/nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json b/nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json
deleted file mode 100644
index 98d193129e..0000000000
--- a/nativeTemplates/Microsoft.OperationalInsights/workspaces/parameters/parameters.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "logAnalyticsWorkspaceName": {
- "value": "test-az-la-weu-x-001"
- },
- "publicNetworkAccessForIngestion": {
- "value": "Disabled"
- },
- "publicNetworkAccessForQuery": {
- "value": "Disabled"
- },
- "dailyQuotaGb": {
- "value": 10
- },
- // "solutions": {
- // "value": [
- // "Updates",
- // "AzureAutomation",
- // "AntiMalware",
- // "SQLAssessment",
- // "Security",
- // "SecurityCenterFree",
- // "ChangeTracking",
- // "KeyVaultAnalytics",
- // "AzureSQLAnalytics",
- // "ServiceMap",
- // "AgentHealthAssessment",
- // "AlertManagement",
- // "AzureActivity",
- // "AzureAppGatewayAnalytics",
- // "AzureCdnCoreAnalytics",
- // "AzureDataFactoryAnalytics",
- // "AzureNSGAnalytics",
- // "Containers",
- // "InfrastructureInsights",
- // "LogicAppsManagement",
- // "NetworkMonitoring",
- // "ServiceFabric",
- // "VMInsights",
- // "WaaSUpdateInsights",
- // "WireData2"
- // ]
- // },
- "useResourcePermissions": {
- "value": true
- }
- // "roleAssignments": {
- // "value": [
- // {
- // "roleDefinitionIdOrName": "Desktop Virtualization User",
- // "principalIds": [
- // "12345678-1234-1234-1234-123456789012", // object 1
- // "78945612-1234-1234-1234-123456789012" // object 2
- // ]
- // }
- // ]
- // }
- }
-}
diff --git a/nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md b/nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md
deleted file mode 100644
index 85db3b3a67..0000000000
--- a/nativeTemplates/Microsoft.OperationalInsights/workspaces/readme.md
+++ /dev/null
@@ -1,140 +0,0 @@
-# LogAnalytics
-
-This template deploys Log Analytics.
-
-## Resource types
-
-|ResourceType|ApiVersion|
-|:--|:--|
-|`Microsoft.Resources/deployments`|2018-02-01|
-|`Microsoft.OperationalInsights/workspaces`|2017-03-15-preview|
-|`Microsoft.OperationalInsights/workspaces/datasources`|2015-11-01-preview|
-|`Microsoft.OperationalInsights/workspaces/storageinsightconfigs`|2015-03-20|
-|`Microsoft.OperationsManagement/solutions`|2015-11-01-preview|
-|`Microsoft.OperationalInsights/workspaces/linkedServices`|2015-11-01-preview|
-|`Microsoft.OperationalInsights/workspaces/providers/locks`|2016-09-01|
-|`savedSearches`|2017-03-15-preview|
-|`datasources`|2015-11-01-preview|
-|`Microsoft.OperationalInsights/workspaces/providers/roleAssignments`|2018-09-01-preview|
-
-## Parameters
-
-| Parameter Name | Type | Description | DefaultValue | Possible values |
-| :-- | :-- | :-- | :-- | :-- |
-| `activityLogAdditionalSubscriptionIDs` | array | Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from. | System.Object[] | |
-| `automationAccountId` | string | Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account. | | |
-| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
-| `dataRetention` | int | Required. Number of days data will be retained for | 365 | |
-| `dailyQuotaGb` | int | Optional. The workspace daily quota for ingestion. | -1 (i.e. no quota) | |
-| `publicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Log Analytics ingestion. | Enabled | Enabled, Disabled |
-| `publicNetworkAccessForQuery` | string | Optional. The network access type for accessing Log Analytics query. | Enabled | Enabled, Disabled |
-| `diagnosticStorageAccountId` | string | Optional. Log Analytics workspace resource identifier | | |
-| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
-| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | |
-| `logAnalyticsWorkspaceName` | string | Required. Name of the Log Analytics workspace | | |
-| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
-| `serviceTier` | string | Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode | PerGB2018 | System.Object[] |
-| `solutions` | array | Optional. LAW solutions from the gallery. | [] | "Updates", "AzureAutomation", ... (see below) |
-| `tags` | object | Optional. Tags of the resource. | | |
-| `useResourcePermissions` | bool | Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | False | true, false |
-
-### Parameter Usage: `solutions`
-
-```json
-"solutions": {
- "value": [
- "AgentHealthAssessment",
- "AlertManagement",
- "AntiMalware",
- "AzureActivity",
- //"AzureAppGatewayAnalytics",
- "AzureAutomation",
- "AzureCdnCoreAnalytics",
- "AzureDataFactoryAnalytics",
- "AzureNSGAnalytics",
- "AzureSQLAnalytics",
- "ChangeTracking",
- "Containers",
- "InfrastructureInsights",
- "KeyVaultAnalytics",
- "LogicAppsManagement",
- "NetworkMonitoring",
- "Security",
- "SecurityCenterFree",
- "ServiceFabric",
- "ServiceMap",
- "SQLAssessment",
- "Updates",
- "VMInsights",
- "WireData2",
- "WaaSUpdateInsights"
- ]
-}
-```
-
-### Parameter Usage: `roleAssignments`
-
-```json
-"roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Desktop Virtualization User",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012" // object 1
- ]
- }
- ]
-}
-```
-
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-```json
-"tags": {
- "value": {
- "Environment": "Non-Prod",
- "Contact": "test.user@testcompany.com",
- "PurchaseOrder": "1234",
- "CostCenter": "7890",
- "ServiceName": "DeploymentValidation",
- "Role": "DeploymentValidation"
- }
-}
-```
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `logAnalyticsPrimarySharedKey` | securestring | The Primary Shared Key for Log Analytics. |
-| `logAnalyticsWorkspaceId` | string | The Workspace Id for Log Analytics. |
-| `logAnalyticsName` | string | The Name of the Log Analytics workspace deployed. |
-| `logAnalyticsResourceGroup` | string | The Resource Group log analytics was deployed to. |
-| `logAnalyticsResourceId` | string | The Resource Id of the Log Analytics workspace deployed. |
-
-## Considerations
-
-*N/A*
-
-## Additional resources
-
-- [Microsoft.OperationalInsights workspaces template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2015-11-01-preview/workspaces)
-- [Microsoft.OperationalManagement solutions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/2015-11-01-preview/solutions)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
-- [Manage access to log data and workspaces in Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-access)
diff --git a/nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json b/nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json
deleted file mode 100644
index dc436aa017..0000000000
--- a/nativeTemplates/Microsoft.Resources/resourceGroups/deploy.json
+++ /dev/null
@@ -1,344 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "resourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the Resource Group"
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "[deployment().location]",
- "metadata": {
- "description": "Optional. Location of the Resource Group. It uses the deployment's location when not provided."
- }
- },
- "lockForDeletion": {
- "type": "bool",
- "defaultValue": false,
- "metadata": {
- "description": "Optional. Switch to lock storage from deletion."
- }
- },
- "roleAssignments": {
- "defaultValue": [
- ],
- "type": "array",
- "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
- }
- },
- "tags": {
- "type": "object",
- "defaultValue": {
- },
- "metadata": {
- "description": "Optional. Tags of the storage account resource."
- }
- }
- },
- "variables": {
- "builtInRoleNames": {
- "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
- "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
- "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
- "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
- "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
- "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
- "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
- "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
- "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
- "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
- "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
- "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
- "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
- "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
- "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
- "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
- "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
- "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
- "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
- "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
- "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
- "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
- "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
- "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
- "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
- "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
- "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
- "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
- "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
- "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
- "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
- "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
- "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
- "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
- "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
- "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
- "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
- "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
- "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
- "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
- "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
- "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
- "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
- "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
- "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
- "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
- "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
- "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
- "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
- "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
- "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
- "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
- "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
- "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
- "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
- "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
- "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
- "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
- "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
- "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
- "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
- "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
- "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
- "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
- "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
- "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
- "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
- "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
- "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
- "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
- "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
- "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
- "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
- "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
- "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
- "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
- "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
- "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
- "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
- "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
- "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
- "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
- "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
- "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
- "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
- "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
- "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
- "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
- "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
- "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
- "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
- "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
- "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
- "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
- "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
- "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
- "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
- "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
- "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2019-05-01",
- "location": "[parameters('location')]",
- "name": "[parameters('resourceGroupName')]",
- "tags": "[parameters('tags')]",
- "properties": {
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-06-01",
- "name": "[concat(parameters('resourceGroupName'), '-lock')]",
- "resourceGroup": "[parameters('resourceGroupName')]",
- "condition": "[parameters('lockForDeletion')]",
- "dependsOn": [
- "[parameters('resourceGroupName')]"
- ],
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- },
- "resources": [
- {
- "name": "resourceGroupDoNotDelete",
- "type": "Microsoft.Authorization/locks",
- "apiVersion": "2016-09-01",
- "comments": "Resource lock on Resource Group",
- "properties": {
- "level": "CanNotDelete"
- }
- }
- ]
- },
- "parameters": {
- }
- }
- },
- {
- "name": "[concat('rbac-',deployment().name, copyIndex())]",
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Resources/deployments",
- "condition": "[not(empty(parameters('roleAssignments')))]",
- "resourceGroup": "[parameters('resourceGroupName')]",
- "dependsOn": [
- "[parameters('resourceGroupName')]"
- ],
- "copy": {
- "name": "rbacDeplCopy",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "roleAssignment": {
- "value": "[parameters('roleAssignments')[copyIndex()]]"
- },
- "builtInRoleNames": {
- "value": "[variables('builtInRoleNames')]"
- },
- "resourceGroupName": {
- "value": "[parameters('resourceGroupName')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignment": {
- "type": "object"
- },
- "builtInRoleNames": {
- "type": "object"
- },
- "resourceGroupName": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2020-03-01-preview",
- "name": "[concat(guid(uniqueString(concat(parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
- "dependsOn": [
- ],
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(parameters('roleAssignment').principalIds)]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]",
- "scope": "[concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'))]"
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [
- ],
- "outputs": {
- "resourceGroupName": {
- "type": "string",
- "value": "[parameters('resourceGroupName')]",
- "metadata": {
- "description": "The name of the Resource Group"
- }
- },
- "resourceGroupResourceId": {
- "type": "string",
- "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
- "metadata": {
- "description": "The resource id of the Resource Group"
- }
- }
- }
-}
diff --git a/nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json b/nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json
deleted file mode 100644
index 3f901eb158..0000000000
--- a/nativeTemplates/Microsoft.Resources/resourceGroups/parameters/parameters.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "resourceGroupName": {
- "value": "sxx-az-rg-weu-x-002"
- },
- "lockForDeletion": {
- "value": false
- },
- // "roleAssignments": {
- // "value": [
- // {
- // "roleDefinitionIdOrName": "Desktop Virtualization User",
- // "principalIds": [
- // "12345678-1234-1234-1234-123456789012", // object 1
- // "78945612-1234-1234-1234-123456789012" // object 2
- // ]
- // }
- // ]
- // },
- "tags": {
- "value": {
- }
- }
- }
-}
\ No newline at end of file
diff --git a/nativeTemplates/Microsoft.Resources/resourceGroups/readme.md b/nativeTemplates/Microsoft.Resources/resourceGroups/readme.md
deleted file mode 100644
index 0477ec6d5e..0000000000
--- a/nativeTemplates/Microsoft.Resources/resourceGroups/readme.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# Resource Group
-
-This module deploys Resource Groups.
-
-## Resource types
-
-|Resource Type|ApiVersion|
-|:--|:--|
-|`Microsoft.Resources/resourceGroups`|2018-05-01|
-|`Microsoft.Resources/deployments`|2018-05-01|
-|`Microsoft.Authorization/locks`|2016-09-01|
-|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview|
-
-## Parameters
-
-| Parameter Name | Type | Description | DefaultValue | Possible values |
-| :-- | :-- | :-- | :-- | :-- |
-| `location` | string | Optional. Location of the Resource Group. It uses the deployment's location when not provided. | [deployment().location] | |
-| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | |
-| `resourceGroupName` | string | Required. The name of the Resource Group | | |
-| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
-| `tags` | object | Optional. Tags of the storage account resource. | | |
-
-### Parameter Usage: `roleAssignments`
-
-```json
-"roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Desktop Virtualization User",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012" // object 1
- ]
- }
- ]
-}
-```
-
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-```json
-"tags": {
- "value": {
- "Environment": "Non-Prod",
- "Contact": "test.user@testcompany.com",
- "PurchaseOrder": "1234",
- "CostCenter": "7890",
- "ServiceName": "DeploymentValidation",
- "Role": "DeploymentValidation"
- }
-}
-```
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `resourceGroupName` | string | The name of the Resource Group |
-| `resourceGroupResourceId` | string | The resource id of the Resource Group |
-
-### Scripts
-
-- There is no Scripts for this Module
-
-## Considerations
-
-- There is no deployment considerations for this Module
-
-## Additional resources
-
-- [Microsoft Resource Group template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-05-01/resourcegroups)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json b/nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json
deleted file mode 100644
index c35b881481..0000000000
--- a/nativeTemplates/Microsoft.Subscription/aliases/Parameters/parameters.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionAliasName": {
- "value": "Sample-Subscription-01"
- },
- "displayName": {
- "value": "Sample-Subscription-01"
- },
- "targetManagementGroupId": {
- "value": "d2bdaa69-7c9c-467d-87b8-aba30eb8987a"
- },
- "billingScope": {
- "value": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"
- }, //,
- // "billingScope": {
- // "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX"
- // }
- // "roleAssignments": {
- // "value": [
- // {
- // "roleDefinitionIdOrName": "Desktop Virtualization User",
- // "principalIds": [
- // "12345678-1234-1234-1234-123456789012", // object 1
- // "78945612-1234-1234-1234-123456789012" // object 2
- // ]
- // }
- // ]
- // },
- "tags": {
- "value": {
- "costCenter": "1234",
- "environment": "prod",
- "contactinfo": "someone@company.com"
- }
- }
- }
-}
diff --git a/nativeTemplates/Microsoft.Subscription/aliases/deploy.json b/nativeTemplates/Microsoft.Subscription/aliases/deploy.json
deleted file mode 100644
index 0c250601db..0000000000
--- a/nativeTemplates/Microsoft.Subscription/aliases/deploy.json
+++ /dev/null
@@ -1,549 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionAliasName": {
- "type": "string",
- "metadata": {
- "description": "Required. Unique alias name. Unique and linking ID"
- }
- },
- "displayName": {
- "type": "string",
- "metadata": {
- "description": "Required. Subscription display name."
- }
- },
- "targetManagementGroupId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Target management group where the subscription will be created."
- }
- },
- "billingScope": {
- "type": "string",
- "metadata": {
- "description": "Required. The account to be invoiced for the subscription. e.g. '/providers/Microsoft.Billing/billingAccounts/12345678/enrollmentAccounts/123456"
- }
- },
- "workload": {
- "type": "string",
- "allowedValues": [
- "Production",
- "DevTest"
- ],
- "defaultValue": "Production",
- "metadata": {
- "description": "Optional. Subscription workload."
- }
- },
- "tags": {
- "type": "object",
- "defaultValue": {
- },
- "metadata": {
- "description": "Optional. Tags of the subscription."
- }
- },
- "roleAssignments": {
- "defaultValue": [
- ],
- "type": "array",
- "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
- }
- }
- },
- "variables": {
- "unique": "[uniqueString(parameters('subscriptionAliasName'))]",
- "subDeploymentName": "[concat('Deploy-Sub', variables('unique'))]",
- "tagDeploymentName": "[concat('Deploy-Tag', variables('unique'))]",
- "rbacDeploymentName": "[concat('Deploy-RBAC', variables('unique'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[variables('subDeploymentName')]",
- "location": "[deployment().location]",
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "subscriptionAliasName": {
- "value": "[parameters('subscriptionAliasName')]"
- },
- "displayName": {
- "value": "[parameters('displayName')]"
- },
- "targetManagementGroupId": {
- "value": "[parameters('targetManagementGroupId')]"
- },
- "billingScope": {
- "value": "[parameters('billingScope')]"
- },
- "workload": {
- "value": "[parameters('workload')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionAliasName": {
- "type": "string"
- },
- "displayName": {
- "type": "string"
- },
- "targetManagementGroupId": {
- "type": "string"
- },
- "billingScope": {
- "type": "string"
- },
- "workload": {
- "type": "string"
- }
- },
- "resources": [
- {
- "name": "[parameters('subscriptionAliasName')]",
- "type": "Microsoft.Subscription/aliases",
- "apiVersion": "2020-09-01",
- "properties": {
- "workload": "[parameters('workload')]",
- "displayName": "[parameters('displayName')]",
- "billingScope": "[parameters('billingScope')]",
- "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]"
- }
- }
- ],
- "outputs": {
- "subscriptionId": {
- "type": "string",
- "value": "[reference(parameters('subscriptionAliasName')).subscriptionId]"
- }
- }
- }
- }
- },
- {
- "name": "[variables('tagDeploymentName')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "location": "[deployment().location]",
- "condition": "[not(empty(parameters('tags')))]",
- "dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]"
- ],
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "subscriptionId": {
- "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]"
- },
- "tags": {
- "value": "[parameters('tags')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionId": {
- "type": "string"
- },
- "tags": {
- "type": "object"
- }
- },
- "variables": {
- "unique": "[uniqueString(parameters('subscriptionId'))]",
- "tagDeploymentName": "[concat('nestedTagDeploy-', variables('unique'))]"
- },
- "resources": [
- {
- "name": "[variables('tagDeploymentName')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "subscriptionId": "[parameters('subscriptionId')]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "tags": {
- "value": "[parameters('tags')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "tags": {
- "type": "object"
- }
- },
- "resources": [
- {
- "name": "default",
- "type": "Microsoft.Resources/tags",
- "apiVersion": "2020-10-01",
- "properties": {
- "tags": "[parameters('tags')]"
- }
- }
- ]
- }
- }
- }
- ]
- }
- }
- },
- {
- "name": "[variables('rbacDeploymentName')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "location": "[deployment().location]",
- "condition": "[not(empty(parameters('roleAssignments')))]",
- "dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]"
- ],
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "subscriptionId": {
- "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]"
- },
- "roleAssignments": {
- "value": "[parameters('roleAssignments')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionId": {
- "type": "string"
- },
- "roleAssignments": {
- "type": "array"
- }
- },
- "variables": {
- "unique": "[uniqueString(parameters('subscriptionId'))]",
- "rbacDeploymentName": "[concat('nestedRBACDeploy-', variables('unique'))]"
- },
- "resources": [
- {
- "name": "[variables('rbacDeploymentName')]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "subscriptionId": "[parameters('subscriptionId')]",
- "location": "[deployment().location]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "roleAssignments": {
- "value": "[parameters('roleAssignments')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignments": {
- "type": "array"
- }
- },
- "variables": {
- "builtInRoleNames": {
- "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
- "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
- "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
- "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
- "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
- "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
- "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
- "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
- "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
- "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
- "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
- "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
- "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
- "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
- "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
- "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
- "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
- "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
- "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
- "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
- "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
- "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",
- "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",
- "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
- "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
- "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
- "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
- "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
- "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
- "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
- "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
- "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
- "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
- "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
- "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
- "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
- "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
- "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
- "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
- "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
- "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
- "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
- "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
- "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24",
- "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
- "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
- "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
- "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
- "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
- "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
- "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
- "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
- "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
- "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
- "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe",
- "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
- "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
- "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
- "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
- "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
- "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
- "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
- "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
- "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
- "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
- "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
- "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
- "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
- "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
- "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
- "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
- "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
- "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
- "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
- "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
- "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
- "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
- "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
- "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
- "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
- "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
- "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
- "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c",
- "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c",
- "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1",
- "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
- "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
- "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
- "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
- "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9",
- "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
- "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
- "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
- "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb",
- "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624",
- "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
- "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
- "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
- "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
- "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c",
- "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
- "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
- "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
- "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
- "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
- "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
- "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
- "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
- "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
- "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
- "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
- "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
- "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
- "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
- "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f",
- "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
- "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
- "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
- "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
- "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
- "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745",
- "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
- "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
- "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
- "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
- "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
- "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
- "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
- "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
- "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
- "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
- "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
- "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
- "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
- "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
- "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
- "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
- "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
- "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
- "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
- "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
- "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
- "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
- "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
- "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
- "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
- "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
- "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
- "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
- "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
- "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
- "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
- "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
- "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
- "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
- "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
- "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
- "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
- "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
- "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
- "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
- "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
- "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
- "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
- "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
- "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
- "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
- "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
- "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
- "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
- "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
- "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d"
- }
- },
- "resources": [
- {
- "name": "[concat('RbacDeplCopy-',uniqueString(subscription().subscriptionId),'-', copyIndex())]",
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Resources/deployments",
- "location": "[deployment().location]",
- "dependsOn": [
- ],
- "copy": {
- "name": "subscriptionRbacDeplCopy",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "roleAssignment": {
- "value": "[parameters('roleAssignments')[copyIndex()]]"
- },
- "builtInRoleNames": {
- "value": "[variables('builtInRoleNames')]"
- },
- "subscriptionId": {
- "value": "[subscription().id]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignment": {
- "type": "object"
- },
- "builtInRoleNames": {
- "type": "object"
- },
- "subscriptionId": {
- "type": "string"
- }
- },
- "variables": {
- "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]"
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2018-09-01-preview",
- "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]",
- "condition": "[variables('condition')]",
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(array(parameters('roleAssignment').principalIds))]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]"
- }
- }
- ]
- }
- }
- }
- ]
- }
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [],
- "outputs": {
- "subscriptionId": {
- "type": "string",
- "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]",
- "metadata": {
- "description": "The subscription Id of the created subscription."
- }
- },
- "tags": {
- "type": "object",
- "value": "[parameters('tags')]",
- "metadata": {
- "description": "The tags applied to the subscription."
- }
- },
- "roleAssignments": {
- "type": "array",
- "value": "[parameters('roleAssignments')]",
- "metadata": {
- "description": "Array of role assignment objects."
- }
- }
- }
-}
diff --git a/nativeTemplates/Microsoft.Subscription/aliases/readme.md b/nativeTemplates/Microsoft.Subscription/aliases/readme.md
deleted file mode 100644
index b17198bd91..0000000000
--- a/nativeTemplates/Microsoft.Subscription/aliases/readme.md
+++ /dev/null
@@ -1,164 +0,0 @@ -# Subscription - -This template will create a subscription based on the provided parameter. - -## Resource types - -| Resource Type | Api Version | -| :---------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2019-10-01 | -| `Microsoft.Subscription/aliases` | 2020-09-01 | -| `Microsoft.Resources/tags` | 2020-10-01 | -| `Microsoft.Authorization/roleAssignments` | 2018-09-01-preview | - -### Resource dependency - -The following resources are required to be able to deploy this resource: - -- *None* - -## Parameters - -| Parameter Name | Type | Default Value | Possible values | Description | -| :------------------------ | :----- | :------------ | :------------------ | :------------------------------------------------------------------------ | -| `subscriptionAliasName` | string | | | Required. Unique alias name. | -| `displayName` | string | | | Required. Subscription display name. | -| `targetManagementGroupId` | string | "" | | Optional. Target management group where the subscription will be created. | -| `billingScope` | string | | | Required. The account to be invoiced for the subscription. | -| `workload` | string | Production | Production, DevTest | Optional. Subscription workload. | -| `tags` | object | [] | | Optional. Tags of the storage account resource. | -| `roleAssignments` | array | [] | | Optional. Array of role assignment objects. | - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. 
- -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -### Parameter Usage: `roleAssignments` - -```json -"roleAssignments": { - "value": [ - // Built-in Role Definition, referenced by Name - { - "roleDefinitionIdOrName": "Owner", - "principalIds": [ - "12345678-1234-1234-1234-123456780123" - "abcd5678-1234-1234-1234-123456780123" - ] - }, - // Built-in Role Definition, referenced by ID - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456780123" - "abcd5678-1234-1234-1234-123456780123" - ] - }, - // Custom Role Definition on Subscription scope - { - "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8", - "principalIds": [ - "12345678-1234-1234-1234-123456780123" - "abcd5678-1234-1234-1234-123456780123" - ] - }, - // Custom Role Definition on Resource Group scope - { - "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929", - "principalIds": [ - "12345678-1234-1234-1234-123456780123" - "abcd5678-1234-1234-1234-123456780123" - ] - } - ] -} -``` - -## Outputs - -| Output Name | Type | Description | -| :---------------- | :----- | :----------------------------------------------- | -| `subscriptionId` | string | The subscription Id of the created subscription. | -| `tags` | object | The tags applied to the subscription. | -| `roleAssignments` | array | Array of role assignment objects. 
| - -## Prerequisites - -In order to create a subscription via code, the following pre-requisites are necessary: - -- the used enrollment account in the billing scope is active and created at least one subscription manually -- A single SPN used for the template deployment with permissions to both: - - the billing scope of the EA enrollment account. - - deployments on the tenant scope and management group where the subscription will be provisioned. - -### Permissions to create subscriptions - -Refer to the [Enterprise-Scale - Enabling subscription creation](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md) guide on how to setup permissions. If this does not align with your scenario, please refer to the [official documentation on creating subscriptions using the API](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview). -If you cannot find the billingID or enrollmentID using the mentioned guides, find them using the Azure portal under the 'Cost + Billing' blade. Expected format is 5-10 digits for each of the values. - -### Permissions to deploy Azure Resource in tenant - -The subscription module is deployed on the **Tenant scope**. Providing the [required permissions](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) is not supported in the portal. -To run the commands listed here you need `User Access Administrator` or `Owner` on the tenant scope (also refered to root or '/') . Follow the [official documentation for how to elevate your permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin) to this level. - -#### Quick setup - -Using a quick setup we assign `Owner` on the root, allowing for all other activities within the Azure tenant. 
Quick setup is not recommended in production, as it breaks with principle of least privilege and would potentially scope permissions wider than applicable for your scenario. -Use quick setup for 'Minimal Viable Product' (MVP) configurations, PoC setups or test environments. - -To assign `Owner` role on root to the SPN, execute the following commands: - -```powershell -$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" -New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Owner" -``` - -> Note! -> -> Remember to [remove your elevated access](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#remove-elevated-access) after assigning the permissions on the entity that requires the permissions on root. - -#### Least-privilege approach - -If `Owner` permission is too excessive, provide least privilege permissions to the entity used for deploying subscriptions. -As [custom roles are not supported on the root level](https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-limits), a built-in role is required. -The build-in role with the least privilege to perform the `Microsoft.Resources/deployments/*` actions is `Automation Job Operator`. - -To assign `Automation Job Operator` role on root to the SPN, execute the following commands: - -```powershell -$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" -New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Automation Job Operator" -``` - -A custom role can be created for with following permissions on a management group when using the template by providing the `targetManagementGroup` parameter. Using this parameter will move the subscription to them management group. 
-
-- `Microsoft.Management/managementGroups/read`
-- `Microsoft.Management/managementGroups/write`
-- `Microsoft.Management/managementGroups/subscriptions/delete`
-- `Microsoft.Management/managementGroups/subscriptions/write`
-
-Scope: `/providers/Microsoft.Management/managementGroups/`
-
-Consider adding more of the [`Microsoft.Management`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmanagement) and [`Microsoft.Subscription`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsubscription) operations to the custom role as needed.
-
-## Additional resources
-
-- [Use tags to organize your Azure resources | Microsoft Docs](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
-- [Azure Resource Manager template reference | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/)
-- [Deployments | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
-- [Aliases | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Subscription/2020-09-01/aliases)
-- [Programmatically create Azure subscriptions with preview APIs | Microsoft Docs](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview)
-- [Enable subscription creation to a service principal | GitHub](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md)
diff --git a/nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json b/nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json
deleted file mode 100644
index b5a60c59f2..0000000000
--- a/nativeTemplates/Microsoft.Subscription/aliases/rg-deploy.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "subscriptionAliasName": {
- "type": "string",
- "metadata": {
- "description": "Required. Unique alias name."
- }
- },
- "displayName": {
- "type": "string",
- "metadata": {
- "description": "Required. Subscription display name."
- }
- },
- "targetManagementGroupId": {
- "type": "string",
- "metadata": {
- "details": "Optional. Target management group where the subscription will be created."
- }
- },
- "billingScope": {
- "type": "string",
- "metadata": {
- "description": "Required. The account to be invoiced for the subscription."
- }
- },
- "workLoad": {
- "type": "string",
- "defaultValue": "Production",
- "metadata": {
- "description": "Optional. Subscription workload."
- }
- },
- "location": {
- "type": "string",
- "metadata": {
- "description": "Required. Location is required for DeploymentTemplate."
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "name": "[concat('subscription-',deployment().name)]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "location": "[parameters('location')]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "outer" // default
- },
- "mode": "Incremental", // default
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "variables": {},
- "resources": [
- {
- "name": "[parameters('subscriptionAliasName')]",
- "type": "Microsoft.Subscription/aliases",
- "apiVersion": "2020-09-01",
- "properties": {
- "workLoad": "[parameters('workLoad')]",
- "displayName": "[parameters('displayName')]",
- "billingScope": "[parameters('billingScope')]",
- "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]"
- },
- "dependsOn": [],
- "tags": {}
- }
- ],
- "outputs": {
- "subscriptionId": {
- "type": "string",
- "value": "[replace(reference(parameters('subscriptionAliasName')).subscriptionId, 'invalidrandom/', '')]"
- }
- }
- }
- }
- }
- ],
- "outputs": {
- "messageFromLinkedTemplate": {
- "type": "string",
- "value": "[reference('subscription-',deployment().name).outputs.subscriptionId.value]"
- }
- }
-}
From 436ce2a7772a67337810b9b498f46304b7038a31 Mon Sep 17 00:00:00 2001
From: IaCS solution Date: Thu, 26 Aug 2021 00:42:18 +0200 Subject: [PATCH 5/7] Enabled arm folder --- .gitignore | 4 +- .../service/deploy.json | 756 +++++ .../service/parameters/parameters.json | 38 + arm/Microsoft.ApiManagement/service/readme.md | Bin 0 -> 20718 bytes .../serviceApis/deploy.json | 287 ++ .../serviceApis/parameters/parameters.json | 31 + .../serviceApis/readme.md | Bin 0 -> 11586 bytes .../serviceAuthorizationServers/deploy.json | 217 ++ .../parameters/parameters.json | 32 + .../serviceAuthorizationServers/readme.md | Bin 0 -> 10900 bytes .../serviceBackends/deploy.json | 169 + .../parameters/parameters.json | 21 + .../serviceBackends/readme.md | Bin 0 -> 17658 bytes .../serviceCaches/deploy.json | 136 + .../serviceCaches/parameters/parameters.json | 21 + .../serviceCaches/readme.md | Bin 0 -> 5094 bytes .../serviceNamedValues/deploy.json | 136 + .../parameters/parameters.json | 18 + .../serviceNamedValues/readme.md | Bin 0 -> 6094 bytes .../serviceProducts/deploy.json | 231 ++ .../parameters/parameters.json | 28 + .../serviceProducts/readme.md | Bin 0 -> 8994 bytes .../serviceSubscriptions/deploy.json | 138 + .../parameters/parameters.json | 15 + .../serviceSubscriptions/readme.md | Bin 0 -> 6594 bytes .../policyAssignments/deploy.json | 155 + .../allowedLocations.parameters.json | 25 + .../listOfAllowedSKUs.parameters.json | 25 + .../parameters/parameters.json | 28 + .../policyAssignments/readme.md | 36 + .../roleAssignments/deploy.json | 432 +++ .../parameters/parameters.json | 54 + .../roleAssignments/readme.md | 68 + .../roleDefinitions/deploy.json | 238 ++ .../parameters/parameters.json | 37 + .../roleDefinitions/readme.md | 43 + arm/Microsoft.Automanage/accounts/deploy.json | 269 ++ .../accounts/parameters/parameters.json | 36 + arm/Microsoft.Automanage/accounts/readme.md | Bin 0 -> 5718 bytes .../deploy.json | 473 +++ .../Linux_Automatic-Wave1.parameters.json | 49 + .../Linux_Automatic-Wave2.parameters.json | 49 + 
.../parameters/Linux_CatchAll.parameters.json | 44 + .../parameters/Linux_ZeroDay.parameters.json | 43 + ...indows_Automatic-DefUpdate.parameters.json | 35 + .../Windows_Automatic-Wave1.parameters.json | 57 + .../Windows_Automatic-Wave2.parameters.json | 57 + .../Windows_CatchAll.parameters.json | 44 + .../Windows_ZeroDay.parameters.json | 45 + .../readme.md | 122 + .../automationAccounts/deploy.json | 762 +++++ .../parameters/parameters.json | 48 + .../automationAccounts/readme.md | 289 ++ arm/Microsoft.Batch/batchAccounts/deploy.json | 190 ++ .../batchAccounts/parameters/parameters.json | 9 + arm/Microsoft.Batch/batchAccounts/readme.md | 69 + .../accounts/deploy.json | 705 ++++ .../accounts/parameters/parameters.json | 24 + .../accounts/readme.md | 172 + .../diskEncryptionSets/deploy.json | 385 +++ .../parameters/parameters.json | 26 + .../diskEncryptionSets/readme.md | 88 + arm/Microsoft.Compute/galleries/deploy.json | 366 ++ .../galleries/parameters/parameters.json | 9 + arm/Microsoft.Compute/galleries/readme.md | 89 + .../galleryImages/deploy.json | 546 +++ .../galleryImages/parameters/parameters.json | 56 + arm/Microsoft.Compute/galleryImages/readme.md | 107 + arm/Microsoft.Compute/images/deploy.json | 385 +++ .../images/parameters/parameters.json | 38 + arm/Microsoft.Compute/images/readme.md | 93 + .../virtualMachineScaleSets/deploy.json | 1299 +++++++ .../parameters/linux.parameters.json | 128 + .../parameters/windows.parameters.json | 88 + .../virtualMachineScaleSets/readme.md | 391 +++ .../virtualMachines/deploy.json | 2983 +++++++++++++++++ .../parameters/parameters.json | 87 + .../virtualMachines/readme.md | 474 +++ arm/Microsoft.Consumption/budgets/deploy.json | 115 + .../budgets/parameters/parameters.json | 20 + arm/Microsoft.Consumption/budgets/readme.md | 39 + .../containerGroups/deploy.json | 217 ++ .../parameters/parameters.json | 47 + .../containerGroups/readme.md | 92 + .../registries/deploy.json | 510 +++ 
.../registries/parameters/parameters.json | 34 + .../registries/readme.md | 122 + .../managedClusters/deploy.json | 779 +++++ .../parameters/parameters.json | 135 + .../managedClusters/readme.md | 240 ++ .../factories/deploy.json | 569 ++++ .../factories/parameters/parameters.json | 72 + arm/Microsoft.DataFactory/factories/readme.md | 162 + .../workspaces/deploy.json | 377 +++ .../workspaces/parameters/parameters.json | 53 + arm/Microsoft.Databricks/workspaces/readme.md | 136 + .../applicationGroupApplications/deploy.json | 101 + .../parameters/parameters.json | 38 + .../applicationGroupApplications/readme.md | 70 + .../applicationgroups/deploy.json | 472 +++ .../parameters/parameters.json | 35 + .../applicationgroups/readme.md | 97 + .../hostpools/deploy.json | 355 ++ .../hostpools/parameters/parameters.json | 55 + .../hostpools/readme.md | 113 + .../workspaces/deploy.json | 225 ++ .../workspaces/parameters/parameters.json | 23 + .../workspaces/readme.md | 67 + .../wvdScalingScheduler/deploy.json | 231 ++ .../parameters/parameters.json | 44 + .../wvdScalingScheduler/readme.md | 193 ++ arm/Microsoft.EventGrid/topics/deploy.json | 582 ++++ .../topics/parameters/parameters.json | 9 + arm/Microsoft.EventGrid/topics/readme.md | 136 + .../namespaceEventHubs/deploy.json | 457 +++ .../parameters/parameters.json | 39 + .../namespaceEventHubs/readme.md | 183 + arm/Microsoft.EventHub/namespaces/deploy.json | 772 +++++ .../namespaces/parameters/parameters.json | 43 + arm/Microsoft.EventHub/namespaces/readme.md | 195 ++ .../healthBots/deploy.json | 363 ++ .../healthBots/parameters/parameters.json | 9 + arm/Microsoft.HealthBot/healthBots/readme.md | 90 + .../actionGroups/deploy.json | 437 +++ .../actionGroups/parameters/parameters.json | 46 + arm/Microsoft.Insights/actionGroups/readme.md | 141 + .../activityLogAlerts/deploy.json | 375 +++ .../parameters/parameters.json | 45 + .../activityLogAlerts/readme.md | 184 + arm/Microsoft.Insights/components/deploy.json | 239 ++ 
.../components/parameters/parameters.json | 28 + arm/Microsoft.Insights/components/readme.md | 95 + .../diagnosticSettings/deploy.json | 158 + .../parameters/parameters.json | 12 + .../diagnosticSettings/readme.md | 39 + .../metricAlerts/deploy.json | 457 +++ .../metricAlerts/parameters/parameters.json | 53 + arm/Microsoft.Insights/metricAlerts/readme.md | 167 + .../privateLinkScopes/deploy.json | 377 +++ .../parameters/parameters.json | 44 + .../privateLinkScopes/readme.md | 148 + .../scheduledQueryRules/deploy.json | 309 ++ .../parameters/parameters.json | 27 + .../scheduledQueryRules/readme.md | 70 + ...e_location_KeyVault_PrivateEndpoints.bicep | 52 + .../vaults/.bicep/nested_rbac_name.bicep | 12 + arm/Microsoft.KeyVault/vaults/deploy.bicep | 277 ++ arm/Microsoft.KeyVault/vaults/deploy.json | 626 ++++ .../vaults/parameters/parameters.json | 68 + arm/Microsoft.KeyVault/vaults/readme.md | 245 ++ .../workspaces/workspaces/deploy.json | 497 +++ .../workspaces/parameters/parameters.json | 57 + .../workspaces/workspaces/readme.md | 133 + .../userAssignedIdentities/deploy.json | 360 ++ .../parameters/parameters.json | 20 + .../userAssignedIdentities/readme.md | 89 + .../.attachments/LH.png | Bin 0 -> 12856 bytes .../registrationDefinitions/deploy.json | 161 + .../parameters/parameters.json | 35 + .../parameters/rg-parameters.json | 37 + .../registrationDefinitions/readme.md | 129 + .../managementGroups/deploy.json | 427 +++ .../parameters/parameters.json | 29 + .../managementGroups/readme.md | 128 + .../netAppAccounts/deploy.json | 757 +++++ .../netAppAccounts/parameters/parameters.json | 155 + arm/Microsoft.NetApp/netAppAccounts/readme.md | 196 ++ .../applicationGateways/deploy.json | 885 +++++ .../parameters/parameters.json | 145 + .../applicationGateways/readme.md | Bin 0 -> 45106 bytes .../applicationSecurityGroups/deploy.json | 354 ++ .../parameters/parameters.json | 20 + .../applicationSecurityGroups/readme.md | 87 + .../azureFirewalls/deploy.json | 664 ++++ 
.../azureFirewalls/parameters/parameters.json | 104 + .../azureFirewalls/readme.md | 112 + .../bastionHosts/deploy.json | 550 +++ .../bastionHosts/parameters/parameters.json | 26 + arm/Microsoft.Network/bastionHosts/readme.md | 100 + arm/Microsoft.Network/connections/deploy.json | 229 ++ .../connections/parameters/parameters.json | 32 + arm/Microsoft.Network/connections/readme.md | 102 + .../ddosProtectionPlans/deploy.json | 356 ++ .../parameters/parameters.json | 20 + .../ddosProtectionPlans/readme.md | 89 + .../expressRouteCircuits/deploy.json | 558 +++ .../parameters/parameters.json | 35 + .../expressRouteCircuits/readme.md | 105 + arm/Microsoft.Network/ipGroups/deploy.json | 364 ++ .../ipGroups/parameters/parameters.json | 15 + arm/Microsoft.Network/ipGroups/readme.md | 88 + .../loadBalancers/deploy.json | 543 +++ .../loadBalancers/parameters/parameters.json | 87 + arm/Microsoft.Network/loadBalancers/readme.md | 227 ++ .../localNetworkGateways/deploy.json | 406 +++ .../parameters/parameters.json | 37 + .../localNetworkGateways/readme.md | 92 + arm/Microsoft.Network/natGateways/deploy.json | 558 +++ .../natGateways/parameters/parameters.json | 12 + arm/Microsoft.Network/natGateways/readme.md | 116 + .../networkSecurityGroups/deploy.json | 534 +++ .../parameters/parameters.json | 117 + .../networkSecurityGroups/readme.md | 192 ++ .../networkWatcherFlowLogs/deploy.json | 180 + .../parameters/parameters.json | 36 + .../networkWatcherFlowLogs/readme.md | 65 + .../networkWatchers/deploy.json | 137 + .../parameters/parameters.json | 9 + .../networkWatchers/readme.md | 116 + .../privateDnsZones/deploy.json | 201 ++ .../parameters/parameters.json | 27 + .../privateDnsZones/readme.md | Bin 0 -> 8604 bytes .../privateEndpoints/deploy.json | 142 + .../parameters/parameters.json | 21 + .../privateEndpoints/readme.md | Bin 0 -> 6164 bytes .../publicIPAddresses/deploy.json | 486 +++ .../parameters/parameters.json | 18 + .../publicIPAddresses/readme.md | Bin 0 -> 9224 bytes 
.../publicIPPrefixes/deploy.json | 368 ++ .../parameters/parameters.json | 23 + .../publicIPPrefixes/readme.md | 87 + arm/Microsoft.Network/routeTables/deploy.json | 371 ++ .../routeTables/parameters/parameters.json | 32 + arm/Microsoft.Network/routeTables/readme.md | 130 + .../trafficmanagerprofiles/deploy.json | 503 +++ .../parameters/parameters.json | 12 + .../trafficmanagerprofiles/readme.md | 139 + .../virtualNetworkGateways/deploy.json | 774 +++++ .../parameters/er.parameters.json | 59 + .../parameters/parameters.json | 47 + .../virtualNetworkGateways/readme.md | 144 + .../virtualNetworkPeerings/deploy.json | 166 + .../parameters/parameters.json | 27 + .../virtualNetworkPeerings/readme.md | 67 + .../virtualNetworks/deploy.json | 521 +++ .../parameters/parameters.json | 122 + .../virtualNetworks/readme.md | 165 + arm/Microsoft.Network/virtualWans/deploy.json | 487 +++ .../virtualWans/parameters/parameters.json | 32 + arm/Microsoft.Network/virtualWans/readme.md | 99 + .../workspaces/deploy.json | 1268 +++++++ .../workspaces/parameters/parameters.json | 61 + .../workspaces/readme.md | 140 + .../vaults/deploy.json | 645 ++++ .../vaults/parameters/parameters.json | 250 ++ .../vaults/readme.md | 341 ++ .../deploymentScripts/deploy.json | 258 ++ .../parameters/parameters.json | 36 + .../deploymentScripts/readme.md | 72 + .../resourceGroups/deploy.json | 344 ++ .../resourceGroups/parameters/parameters.json | 27 + .../resourceGroups/readme.md | 88 + .../azureSecurityCenter/deploy.json | 318 ++ .../parameters/parameters.json | 20 + .../azureSecurityCenter/readme.md | 138 + .../namespaceQueues/deploy.json | 536 +++ .../parameters/parameters.json | 12 + .../namespaceQueues/readme.md | 156 + .../namespaces/deploy.json | 741 ++++ .../namespaces/parameters/parameters.json | 29 + arm/Microsoft.ServiceBus/namespaces/readme.md | 195 ++ .../managedInstanceDatabases/deploy.json | 368 ++ .../parameters/parameters.json | 12 + .../managedInstanceDatabases/readme.md | 103 + 
.../managedInstances/deploy.json | 724 ++++ .../parameters/parameters.json | 76 + arm/Microsoft.Sql/managedInstances/readme.md | 139 + arm/Microsoft.Sql/serverDatabases/deploy.json | 294 ++ .../parameters/parameters.json | 75 + arm/Microsoft.Sql/serverDatabases/readme.md | 79 + arm/Microsoft.Sql/servers/deploy.json | 397 +++ .../servers/parameters/parameters.json | 42 + arm/Microsoft.Sql/servers/readme.md | 93 + .../storageAccounts/deploy.json | 1287 +++++++ .../parameters/noname.parameters.json | 81 + .../parameters/parameters.json | 149 + .../storageAccounts/readme.md | 294 ++ .../aliases/deploy.json | 549 +++ .../aliases/parameters/parameters.json | 39 + arm/Microsoft.Subscription/aliases/readme.md | 164 + .../aliases/rg-deploy.json | 90 + .../imageTemplates/deploy.json | 284 ++ .../imageTemplates/parameters/parameters.json | 62 + .../imageTemplates/readme.md | 104 + arm/Microsoft.Web/appService/deploy.json | 389 +++ .../appService/parameters/parameters.json | 12 + arm/Microsoft.Web/appService/readme.md | 111 + arm/Microsoft.Web/appServicePlan/deploy.json | 432 +++ .../appServicePlan/parameters/parameters.json | 29 + arm/Microsoft.Web/appServicePlan/readme.md | 111 + arm/Microsoft.Web/connections/deploy.json | 408 +++ .../connections/parameters/parameters.json | 20 + arm/Microsoft.Web/connections/readme.md | 116 + .../hostingEnvironments/deploy.json | 573 ++++ .../parameters/parameters.json | 12 + .../hostingEnvironments/readme.md | 159 + arm/Microsoft.Web/sitesFunction/deploy.json | 505 +++ .../sitesFunction/parameters/parameters.json | 40 + arm/Microsoft.Web/sitesFunction/readme.md | 125 + arm/Microsoft.Web/webApp/deploy.json | 586 ++++ .../webApp/parameters/parameters.json | 43 + arm/Microsoft.Web/webApp/readme.md | 157 + arm/servers/deploy.json | 227 ++ arm/servers/parameters/parameters.json | 12 + arm/servers/readme.md | Bin 0 -> 6938 bytes 305 files changed, 60324 insertions(+), 2 deletions(-) create mode 100644 
arm/Microsoft.ApiManagement/service/deploy.json create mode 100644 arm/Microsoft.ApiManagement/service/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/service/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceApis/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceApis/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceApis/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceAuthorizationServers/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceAuthorizationServers/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceAuthorizationServers/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceBackends/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceBackends/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceBackends/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceCaches/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceCaches/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceCaches/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceNamedValues/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceNamedValues/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceNamedValues/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceProducts/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceProducts/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceProducts/readme.md create mode 100644 arm/Microsoft.ApiManagement/serviceSubscriptions/deploy.json create mode 100644 arm/Microsoft.ApiManagement/serviceSubscriptions/parameters/parameters.json create mode 100644 arm/Microsoft.ApiManagement/serviceSubscriptions/readme.md create mode 100644 arm/Microsoft.Authorization/policyAssignments/deploy.json create mode 100644 
arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json create mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json create mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json create mode 100644 arm/Microsoft.Authorization/policyAssignments/readme.md create mode 100644 arm/Microsoft.Authorization/roleAssignments/deploy.json create mode 100644 arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json create mode 100644 arm/Microsoft.Authorization/roleAssignments/readme.md create mode 100644 arm/Microsoft.Authorization/roleDefinitions/deploy.json create mode 100644 arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json create mode 100644 arm/Microsoft.Authorization/roleDefinitions/readme.md create mode 100644 arm/Microsoft.Automanage/accounts/deploy.json create mode 100644 arm/Microsoft.Automanage/accounts/parameters/parameters.json create mode 100644 arm/Microsoft.Automanage/accounts/readme.md create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/deploy.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave1.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave2.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_CatchAll.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_ZeroDay.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-DefUpdate.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave1.parameters.json create mode 100644 
arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave2.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_CatchAll.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_ZeroDay.parameters.json create mode 100644 arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/readme.md create mode 100644 arm/Microsoft.Automation/automationAccounts/deploy.json create mode 100644 arm/Microsoft.Automation/automationAccounts/parameters/parameters.json create mode 100644 arm/Microsoft.Automation/automationAccounts/readme.md create mode 100644 arm/Microsoft.Batch/batchAccounts/deploy.json create mode 100644 arm/Microsoft.Batch/batchAccounts/parameters/parameters.json create mode 100644 arm/Microsoft.Batch/batchAccounts/readme.md create mode 100644 arm/Microsoft.CognitiveServices/accounts/deploy.json create mode 100644 arm/Microsoft.CognitiveServices/accounts/parameters/parameters.json create mode 100644 arm/Microsoft.CognitiveServices/accounts/readme.md create mode 100644 arm/Microsoft.Compute/diskEncryptionSets/deploy.json create mode 100644 arm/Microsoft.Compute/diskEncryptionSets/parameters/parameters.json create mode 100644 arm/Microsoft.Compute/diskEncryptionSets/readme.md create mode 100644 arm/Microsoft.Compute/galleries/deploy.json create mode 100644 arm/Microsoft.Compute/galleries/parameters/parameters.json create mode 100644 arm/Microsoft.Compute/galleries/readme.md create mode 100644 arm/Microsoft.Compute/galleryImages/deploy.json create mode 100644 arm/Microsoft.Compute/galleryImages/parameters/parameters.json create mode 100644 arm/Microsoft.Compute/galleryImages/readme.md create mode 100644 arm/Microsoft.Compute/images/deploy.json create mode 100644 arm/Microsoft.Compute/images/parameters/parameters.json create mode 100644 
arm/Microsoft.Compute/images/readme.md create mode 100644 arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json create mode 100644 arm/Microsoft.Compute/virtualMachineScaleSets/parameters/linux.parameters.json create mode 100644 arm/Microsoft.Compute/virtualMachineScaleSets/parameters/windows.parameters.json create mode 100644 arm/Microsoft.Compute/virtualMachineScaleSets/readme.md create mode 100644 arm/Microsoft.Compute/virtualMachines/deploy.json create mode 100644 arm/Microsoft.Compute/virtualMachines/parameters/parameters.json create mode 100644 arm/Microsoft.Compute/virtualMachines/readme.md create mode 100644 arm/Microsoft.Consumption/budgets/deploy.json create mode 100644 arm/Microsoft.Consumption/budgets/parameters/parameters.json create mode 100644 arm/Microsoft.Consumption/budgets/readme.md create mode 100644 arm/Microsoft.ContainerInstance/containerGroups/deploy.json create mode 100644 arm/Microsoft.ContainerInstance/containerGroups/parameters/parameters.json create mode 100644 arm/Microsoft.ContainerInstance/containerGroups/readme.md create mode 100644 arm/Microsoft.ContainerRegistry/registries/deploy.json create mode 100644 arm/Microsoft.ContainerRegistry/registries/parameters/parameters.json create mode 100644 arm/Microsoft.ContainerRegistry/registries/readme.md create mode 100644 arm/Microsoft.ContainerService/managedClusters/deploy.json create mode 100644 arm/Microsoft.ContainerService/managedClusters/parameters/parameters.json create mode 100644 arm/Microsoft.ContainerService/managedClusters/readme.md create mode 100644 arm/Microsoft.DataFactory/factories/deploy.json create mode 100644 arm/Microsoft.DataFactory/factories/parameters/parameters.json create mode 100644 arm/Microsoft.DataFactory/factories/readme.md create mode 100644 arm/Microsoft.Databricks/workspaces/deploy.json create mode 100644 arm/Microsoft.Databricks/workspaces/parameters/parameters.json create mode 100644 arm/Microsoft.Databricks/workspaces/readme.md create mode 100644 
arm/Microsoft.DesktopVirtualization/applicationGroupApplications/deploy.json create mode 100644 arm/Microsoft.DesktopVirtualization/applicationGroupApplications/parameters/parameters.json create mode 100644 arm/Microsoft.DesktopVirtualization/applicationGroupApplications/readme.md create mode 100644 arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json create mode 100644 arm/Microsoft.DesktopVirtualization/applicationgroups/parameters/parameters.json create mode 100644 arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md create mode 100644 arm/Microsoft.DesktopVirtualization/hostpools/deploy.json create mode 100644 arm/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json create mode 100644 arm/Microsoft.DesktopVirtualization/hostpools/readme.md create mode 100644 arm/Microsoft.DesktopVirtualization/workspaces/deploy.json create mode 100644 arm/Microsoft.DesktopVirtualization/workspaces/parameters/parameters.json create mode 100644 arm/Microsoft.DesktopVirtualization/workspaces/readme.md create mode 100644 arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/deploy.json create mode 100644 arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/parameters/parameters.json create mode 100644 arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/readme.md create mode 100644 arm/Microsoft.EventGrid/topics/deploy.json create mode 100644 arm/Microsoft.EventGrid/topics/parameters/parameters.json create mode 100644 arm/Microsoft.EventGrid/topics/readme.md create mode 100644 arm/Microsoft.EventHub/namespaceEventHubs/deploy.json create mode 100644 arm/Microsoft.EventHub/namespaceEventHubs/parameters/parameters.json create mode 100644 arm/Microsoft.EventHub/namespaceEventHubs/readme.md create mode 100644 arm/Microsoft.EventHub/namespaces/deploy.json create mode 100644 arm/Microsoft.EventHub/namespaces/parameters/parameters.json create mode 100644 arm/Microsoft.EventHub/namespaces/readme.md create mode 100644 
arm/Microsoft.HealthBot/healthBots/deploy.json create mode 100644 arm/Microsoft.HealthBot/healthBots/parameters/parameters.json create mode 100644 arm/Microsoft.HealthBot/healthBots/readme.md create mode 100644 arm/Microsoft.Insights/actionGroups/deploy.json create mode 100644 arm/Microsoft.Insights/actionGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/actionGroups/readme.md create mode 100644 arm/Microsoft.Insights/activityLogAlerts/deploy.json create mode 100644 arm/Microsoft.Insights/activityLogAlerts/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/activityLogAlerts/readme.md create mode 100644 arm/Microsoft.Insights/components/deploy.json create mode 100644 arm/Microsoft.Insights/components/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/components/readme.md create mode 100644 arm/Microsoft.Insights/diagnosticSettings/deploy.json create mode 100644 arm/Microsoft.Insights/diagnosticSettings/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/diagnosticSettings/readme.md create mode 100644 arm/Microsoft.Insights/metricAlerts/deploy.json create mode 100644 arm/Microsoft.Insights/metricAlerts/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/metricAlerts/readme.md create mode 100644 arm/Microsoft.Insights/privateLinkScopes/deploy.json create mode 100644 arm/Microsoft.Insights/privateLinkScopes/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/privateLinkScopes/readme.md create mode 100644 arm/Microsoft.Insights/scheduledQueryRules/deploy.json create mode 100644 arm/Microsoft.Insights/scheduledQueryRules/parameters/parameters.json create mode 100644 arm/Microsoft.Insights/scheduledQueryRules/readme.md create mode 100644 arm/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep create mode 100644 arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep create mode 100644 
arm/Microsoft.KeyVault/vaults/deploy.bicep create mode 100644 arm/Microsoft.KeyVault/vaults/deploy.json create mode 100644 arm/Microsoft.KeyVault/vaults/parameters/parameters.json create mode 100644 arm/Microsoft.KeyVault/vaults/readme.md create mode 100644 arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json create mode 100644 arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json create mode 100644 arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/parameters/parameters.json create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md create mode 100644 arm/Microsoft.ManagedServices/registrationDefinitions/.attachments/LH.png create mode 100644 arm/Microsoft.ManagedServices/registrationDefinitions/deploy.json create mode 100644 arm/Microsoft.ManagedServices/registrationDefinitions/parameters/parameters.json create mode 100644 arm/Microsoft.ManagedServices/registrationDefinitions/parameters/rg-parameters.json create mode 100644 arm/Microsoft.ManagedServices/registrationDefinitions/readme.md create mode 100644 arm/Microsoft.Management/managementGroups/deploy.json create mode 100644 arm/Microsoft.Management/managementGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Management/managementGroups/readme.md create mode 100644 arm/Microsoft.NetApp/netAppAccounts/deploy.json create mode 100644 arm/Microsoft.NetApp/netAppAccounts/parameters/parameters.json create mode 100644 arm/Microsoft.NetApp/netAppAccounts/readme.md create mode 100644 arm/Microsoft.Network/applicationGateways/deploy.json create mode 100644 arm/Microsoft.Network/applicationGateways/parameters/parameters.json create mode 100644 arm/Microsoft.Network/applicationGateways/readme.md create mode 100644 
arm/Microsoft.Network/applicationSecurityGroups/deploy.json create mode 100644 arm/Microsoft.Network/applicationSecurityGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Network/applicationSecurityGroups/readme.md create mode 100644 arm/Microsoft.Network/azureFirewalls/deploy.json create mode 100644 arm/Microsoft.Network/azureFirewalls/parameters/parameters.json create mode 100644 arm/Microsoft.Network/azureFirewalls/readme.md create mode 100644 arm/Microsoft.Network/bastionHosts/deploy.json create mode 100644 arm/Microsoft.Network/bastionHosts/parameters/parameters.json create mode 100644 arm/Microsoft.Network/bastionHosts/readme.md create mode 100644 arm/Microsoft.Network/connections/deploy.json create mode 100644 arm/Microsoft.Network/connections/parameters/parameters.json create mode 100644 arm/Microsoft.Network/connections/readme.md create mode 100644 arm/Microsoft.Network/ddosProtectionPlans/deploy.json create mode 100644 arm/Microsoft.Network/ddosProtectionPlans/parameters/parameters.json create mode 100644 arm/Microsoft.Network/ddosProtectionPlans/readme.md create mode 100644 arm/Microsoft.Network/expressRouteCircuits/deploy.json create mode 100644 arm/Microsoft.Network/expressRouteCircuits/parameters/parameters.json create mode 100644 arm/Microsoft.Network/expressRouteCircuits/readme.md create mode 100644 arm/Microsoft.Network/ipGroups/deploy.json create mode 100644 arm/Microsoft.Network/ipGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Network/ipGroups/readme.md create mode 100644 arm/Microsoft.Network/loadBalancers/deploy.json create mode 100644 arm/Microsoft.Network/loadBalancers/parameters/parameters.json create mode 100644 arm/Microsoft.Network/loadBalancers/readme.md create mode 100644 arm/Microsoft.Network/localNetworkGateways/deploy.json create mode 100644 arm/Microsoft.Network/localNetworkGateways/parameters/parameters.json create mode 100644 arm/Microsoft.Network/localNetworkGateways/readme.md create mode 
100644 arm/Microsoft.Network/natGateways/deploy.json create mode 100644 arm/Microsoft.Network/natGateways/parameters/parameters.json create mode 100644 arm/Microsoft.Network/natGateways/readme.md create mode 100644 arm/Microsoft.Network/networkSecurityGroups/deploy.json create mode 100644 arm/Microsoft.Network/networkSecurityGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Network/networkSecurityGroups/readme.md create mode 100644 arm/Microsoft.Network/networkWatcherFlowLogs/deploy.json create mode 100644 arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json create mode 100644 arm/Microsoft.Network/networkWatcherFlowLogs/readme.md create mode 100644 arm/Microsoft.Network/networkWatchers/deploy.json create mode 100644 arm/Microsoft.Network/networkWatchers/parameters/parameters.json create mode 100644 arm/Microsoft.Network/networkWatchers/readme.md create mode 100644 arm/Microsoft.Network/privateDnsZones/deploy.json create mode 100644 arm/Microsoft.Network/privateDnsZones/parameters/parameters.json create mode 100644 arm/Microsoft.Network/privateDnsZones/readme.md create mode 100644 arm/Microsoft.Network/privateEndpoints/deploy.json create mode 100644 arm/Microsoft.Network/privateEndpoints/parameters/parameters.json create mode 100644 arm/Microsoft.Network/privateEndpoints/readme.md create mode 100644 arm/Microsoft.Network/publicIPAddresses/deploy.json create mode 100644 arm/Microsoft.Network/publicIPAddresses/parameters/parameters.json create mode 100644 arm/Microsoft.Network/publicIPAddresses/readme.md create mode 100644 arm/Microsoft.Network/publicIPPrefixes/deploy.json create mode 100644 arm/Microsoft.Network/publicIPPrefixes/parameters/parameters.json create mode 100644 arm/Microsoft.Network/publicIPPrefixes/readme.md create mode 100644 arm/Microsoft.Network/routeTables/deploy.json create mode 100644 arm/Microsoft.Network/routeTables/parameters/parameters.json create mode 100644 arm/Microsoft.Network/routeTables/readme.md 
create mode 100644 arm/Microsoft.Network/trafficmanagerprofiles/deploy.json create mode 100644 arm/Microsoft.Network/trafficmanagerprofiles/parameters/parameters.json create mode 100644 arm/Microsoft.Network/trafficmanagerprofiles/readme.md create mode 100644 arm/Microsoft.Network/virtualNetworkGateways/deploy.json create mode 100644 arm/Microsoft.Network/virtualNetworkGateways/parameters/er.parameters.json create mode 100644 arm/Microsoft.Network/virtualNetworkGateways/parameters/parameters.json create mode 100644 arm/Microsoft.Network/virtualNetworkGateways/readme.md create mode 100644 arm/Microsoft.Network/virtualNetworkPeerings/deploy.json create mode 100644 arm/Microsoft.Network/virtualNetworkPeerings/parameters/parameters.json create mode 100644 arm/Microsoft.Network/virtualNetworkPeerings/readme.md create mode 100644 arm/Microsoft.Network/virtualNetworks/deploy.json create mode 100644 arm/Microsoft.Network/virtualNetworks/parameters/parameters.json create mode 100644 arm/Microsoft.Network/virtualNetworks/readme.md create mode 100644 arm/Microsoft.Network/virtualWans/deploy.json create mode 100644 arm/Microsoft.Network/virtualWans/parameters/parameters.json create mode 100644 arm/Microsoft.Network/virtualWans/readme.md create mode 100644 arm/Microsoft.OperationalInsights/workspaces/deploy.json create mode 100644 arm/Microsoft.OperationalInsights/workspaces/parameters/parameters.json create mode 100644 arm/Microsoft.OperationalInsights/workspaces/readme.md create mode 100644 arm/Microsoft.RecoveryServices/vaults/deploy.json create mode 100644 arm/Microsoft.RecoveryServices/vaults/parameters/parameters.json create mode 100644 arm/Microsoft.RecoveryServices/vaults/readme.md create mode 100644 arm/Microsoft.Resources/deploymentScripts/deploy.json create mode 100644 arm/Microsoft.Resources/deploymentScripts/parameters/parameters.json create mode 100644 arm/Microsoft.Resources/deploymentScripts/readme.md create mode 100644 
arm/Microsoft.Resources/resourceGroups/deploy.json create mode 100644 arm/Microsoft.Resources/resourceGroups/parameters/parameters.json create mode 100644 arm/Microsoft.Resources/resourceGroups/readme.md create mode 100644 arm/Microsoft.Security/azureSecurityCenter/deploy.json create mode 100644 arm/Microsoft.Security/azureSecurityCenter/parameters/parameters.json create mode 100644 arm/Microsoft.Security/azureSecurityCenter/readme.md create mode 100644 arm/Microsoft.ServiceBus/namespaceQueues/deploy.json create mode 100644 arm/Microsoft.ServiceBus/namespaceQueues/parameters/parameters.json create mode 100644 arm/Microsoft.ServiceBus/namespaceQueues/readme.md create mode 100644 arm/Microsoft.ServiceBus/namespaces/deploy.json create mode 100644 arm/Microsoft.ServiceBus/namespaces/parameters/parameters.json create mode 100644 arm/Microsoft.ServiceBus/namespaces/readme.md create mode 100644 arm/Microsoft.Sql/managedInstanceDatabases/deploy.json create mode 100644 arm/Microsoft.Sql/managedInstanceDatabases/parameters/parameters.json create mode 100644 arm/Microsoft.Sql/managedInstanceDatabases/readme.md create mode 100644 arm/Microsoft.Sql/managedInstances/deploy.json create mode 100644 arm/Microsoft.Sql/managedInstances/parameters/parameters.json create mode 100644 arm/Microsoft.Sql/managedInstances/readme.md create mode 100644 arm/Microsoft.Sql/serverDatabases/deploy.json create mode 100644 arm/Microsoft.Sql/serverDatabases/parameters/parameters.json create mode 100644 arm/Microsoft.Sql/serverDatabases/readme.md create mode 100644 arm/Microsoft.Sql/servers/deploy.json create mode 100644 arm/Microsoft.Sql/servers/parameters/parameters.json create mode 100644 arm/Microsoft.Sql/servers/readme.md create mode 100644 arm/Microsoft.Storage/storageAccounts/deploy.json create mode 100644 arm/Microsoft.Storage/storageAccounts/parameters/noname.parameters.json create mode 100644 arm/Microsoft.Storage/storageAccounts/parameters/parameters.json create mode 100644 
arm/Microsoft.Storage/storageAccounts/readme.md create mode 100644 arm/Microsoft.Subscription/aliases/deploy.json create mode 100644 arm/Microsoft.Subscription/aliases/parameters/parameters.json create mode 100644 arm/Microsoft.Subscription/aliases/readme.md create mode 100644 arm/Microsoft.Subscription/aliases/rg-deploy.json create mode 100644 arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.json create mode 100644 arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json create mode 100644 arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md create mode 100644 arm/Microsoft.Web/appService/deploy.json create mode 100644 arm/Microsoft.Web/appService/parameters/parameters.json create mode 100644 arm/Microsoft.Web/appService/readme.md create mode 100644 arm/Microsoft.Web/appServicePlan/deploy.json create mode 100644 arm/Microsoft.Web/appServicePlan/parameters/parameters.json create mode 100644 arm/Microsoft.Web/appServicePlan/readme.md create mode 100644 arm/Microsoft.Web/connections/deploy.json create mode 100644 arm/Microsoft.Web/connections/parameters/parameters.json create mode 100644 arm/Microsoft.Web/connections/readme.md create mode 100644 arm/Microsoft.Web/hostingEnvironments/deploy.json create mode 100644 arm/Microsoft.Web/hostingEnvironments/parameters/parameters.json create mode 100644 arm/Microsoft.Web/hostingEnvironments/readme.md create mode 100644 arm/Microsoft.Web/sitesFunction/deploy.json create mode 100644 arm/Microsoft.Web/sitesFunction/parameters/parameters.json create mode 100644 arm/Microsoft.Web/sitesFunction/readme.md create mode 100644 arm/Microsoft.Web/webApp/deploy.json create mode 100644 arm/Microsoft.Web/webApp/parameters/parameters.json create mode 100644 arm/Microsoft.Web/webApp/readme.md create mode 100644 arm/servers/deploy.json create mode 100644 arm/servers/parameters/parameters.json create mode 100644 arm/servers/readme.md
diff --git a/.gitignore b/.gitignore
index dfcfd56f44..5ac5819690 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,8 +23,8 @@ mono_crash.*
 [Rr]eleases/
 x64/
 x86/
-[Aa][Rr][Mm]/
-[Aa][Rr][Mm]64/
+# [Aa][Rr][Mm]/
+# [Aa][Rr][Mm]64/
 bld/
 [Bb]in/
 [Oo]bj/
diff --git a/arm/Microsoft.ApiManagement/service/deploy.json b/arm/Microsoft.ApiManagement/service/deploy.json
new file mode 100644
index 0000000000..ba38048c1e
--- /dev/null
+++ b/arm/Microsoft.ApiManagement/service/deploy.json
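Review bot: Commenting out both `[Aa][Rr][Mm]/` and `[Aa][Rr][Mm]64/` in the .gitignore hunk is broader than this commit needs, because only the top-level `arm/` template folder has to become trackable. With both rules disabled, build output in any directory named ARM or ARM64, at any depth, is no longer ignored and can be committed by accident. I would keep the two original patterns and add a root-anchored exception after them, `!/arm/`, with a comment such as `# arm/ at the repo root holds ARM templates, not build output`. The change also brings every `parameters.json` under `arm/` into version control, so values for `securestring` parameters (the visible `identityProviderClientSecret`, for example) are better supplied at deployment time or through Key Vault references than written into those files.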
@@ -0,0 +1,756 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "additionalLocations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Additional datacenter locations of the API Management service." + } + }, + "apiManagementServiceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "apiManagementServicePolicy": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Policy content for the Api Management Service. Format: Format of the policyContent. - xml, xml-link, rawxml, rawxml-link. Value: Contents of the Policy as defined by the format." + } + }, + "certificates": { + "type": "array", + "maxLength": 10, + "defaultValue": [], + "metadata": { + "description": "Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "customProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Custom properties of the API Management service." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "disableGateway": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region." + } + }, + "enableClientCertificate": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "hostnameConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Custom hostname configuration of the API Management service." + } + }, + "identity": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Managed service identity of the Api Management service." + } + }, + "identityProviderAllowedTenants": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string" + } + }, + "identityProviderAuthority": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C." + } + }, + "identityProviderClientId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Client Id of the Application in the external Identity Provider. 
Required if identity provider is used." + } + }, + "identityProviderClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used." + } + }, + "identityProviderPasswordResetPolicyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider." + } + }, + "identityProviderProfileEditingPolicyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider." + } + }, + "identityProviderSignInPolicyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider." + } + }, + "identityProviderSignInTenant": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The TenantId to use instead of Common when logging into Active Directory" + } + }, + "identityProviderSignUpPolicyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Signup Policy Name. Only applies to AAD B2C Identity Provider." + } + }, + "identityProviderType": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Identity Provider Type identifier. - aad , aadB2C" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "minApiVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Limit control plane API calls to API Management service with version equal to or newer than this value." + } + }, + "notificationSenderEmail": { + "type": "string", + "defaultValue": "apimgmt-noreply@mail.windowsazure.com", + "metadata": { + "description": "Optional. The notification sender email address for the service." + } + }, + "portalSignIn": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Portal sign in settings." + } + }, + "portalSignUp": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Portal sign up settings." + } + }, + "publisherEmail": { + "type": "string", + "metadata": { + "description": "Required. The email address of the owner of the service." + } + }, + "publisherName": { + "type": "string", + "metadata": { + "description": "Required. The name of the owner of the service." + } + }, + "restore": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "sku": { + "type": "string", + "defaultValue": "Developer", + "allowedValues": [ + "Consumption", + "Developer", + "Basic", + "Standard", + "Premium" + ], + "metadata": { + "description": "Optional. The pricing tier of this Api Management service." 
+ } + }, + "skuCount": { + "type": "string", + "allowedValues": [ + "1", + "2" + ], + "defaultValue": "1", + "metadata": { + "description": "Optional. The instance size of this Api Management service." + } + }, + "subnetResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "virtualNetworkType": { + "type": "string", + "defaultValue": "None", + "allowedValues": [ "None", "External", "Internal" ], + "metadata": { + "description": "Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "zones": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of availability zones denoting where the resource needs to come from." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure 
Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", 
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + } + ], + "diagnosticsLogs": [ + { + "category": "GatewayLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + } + ], + "isAadB2C": "[equals(parameters('identityProviderType'),'aadB2C')]" + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.ApiManagement/service", + 
"apiVersion": "2020-06-01-preview", + "name": "[parameters('apiManagementServiceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "zones": "[parameters('zones')]", + "identity": "[if(not(empty(parameters('identity'))), parameters('identity'), json(concat('{\"type\": \"None\"}')))]", + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "notificationSenderEmail": "[parameters('notificationSenderEmail')]", + "hostnameConfigurations": "[parameters('hostnameConfigurations')]", + "additionalLocations": "[parameters('additionalLocations')]", + "customProperties": "[parameters('customProperties')]", + "certificates": "[parameters('certificates')]", + "enableClientCertificate": "[if(parameters('enableClientCertificate'), 'true', json('null'))]", + "disableGateway": "[parameters('disableGateway')]", + "virtualNetworkType": "[parameters('virtualNetworkType')]", + "virtualNetworkConfiguration": "[if(not(empty(parameters('subnetResourceId'))), json(concat('{\"subnetResourceId\": \"', parameters('subnetResourceId'), '\"}')), json('null'))]", + "apiVersionConstraint": "[if(not(empty(parameters('minApiVersion'))), json(concat('{\"minApiVersion\": \"', parameters('minApiVersion'), '\"}')), json('null'))]", + "restore": "[parameters('restore')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/apiManagementServicesDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.ApiManagement/service/', parameters('apiManagementServiceName'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.ApiManagement/service/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": 
"[concat(parameters('apiManagementServiceName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.ApiManagement/service/', parameters('apiManagementServiceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat(parameters('apiManagementServiceName'),'-','identityProvider')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "condition": "[not(empty(parameters('identityProviderType')))]", + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "outer" + }, + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ApiManagement/service/identityProviders", + "apiVersion": "2020-06-01-preview", + "name": "[concat(parameters('apiManagementServiceName'), '/', parameters('identityProviderType'))]", + "properties": { + "type": "[parameters('identityProviderType')]", + "signinTenant": "[parameters('identityProviderSignInTenant')]", + "allowedTenants": "[parameters('identityProviderAllowedTenants')]", + "authority": "[parameters('identityProviderAuthority')]", + "signupPolicyName": "[if(variables('isAadB2C'), parameters('identityProviderSignUpPolicyName'), json('null'))]", + "signinPolicyName": "[if(variables('isAadB2C'), parameters('identityProviderSignInPolicyName'), json('null'))]", + "profileEditingPolicyName": "[if(variables('isAadB2C'), parameters('identityProviderProfileEditingPolicyName'), json('null'))]", + "passwordResetPolicyName": "[if(variables('isAadB2C'), parameters('identityProviderPasswordResetPolicyName'), json('null'))]", + "clientId": "[parameters('identityProviderClientId')]", + "clientSecret": "[parameters('identityProviderClientSecret')]" + } + } + ], + "outputs": {} + } + } + }, + { + "name": "[concat('policy-',deployment().name)]", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('apiManagementServicePolicy')))]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('apiManagementServiceName'), '/', 'policy')]", + "type": "Microsoft.ApiManagement/service/policies", + "apiVersion": "2020-06-01-preview", + "properties": "[parameters('apiManagementServicePolicy')]" + } + ], + "outputs": {} + } + } + }, + { + 
"type": "Microsoft.ApiManagement/service/portalsettings", + "apiVersion": "2019-12-01", + "condition": "[not(empty(parameters('portalSignIn')))]", + "name": "[concat(parameters('apiManagementServiceName'), '/signin')]", + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]" + ], + "properties": "[parameters('portalSignIn')]" + }, + { + "type": "Microsoft.ApiManagement/service/portalsettings", + "apiVersion": "2019-12-01", + "condition": "[not(empty(parameters('portalSignUp')))]", + "name": "[concat(parameters('apiManagementServiceName'), '/signup')]", + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]" + ], + "properties": "[parameters('portalSignUp')]" + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "apiManagementServiceName": { + "value": "[parameters('apiManagementServiceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "apiManagementServiceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/roleAssignments", + "apiVersion": 
"2018-09-01-preview", + "name": "[concat(parameters('apiManagementServiceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('apiManagementServiceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "apimServiceName": { + "type": "string", + "value": "[parameters('apiManagementServiceName')]", + "metadata": { + "description": "The Api Management Service Name" + } + }, + "apimServiceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]", + "metadata": { + "description": "The Resource Id of the Api Management Service" + } + }, + "apimServiceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service" + } + } + } +} diff --git a/arm/Microsoft.ApiManagement/service/parameters/parameters.json b/arm/Microsoft.ApiManagement/service/parameters/parameters.json new file mode 100644 index 0000000000..7dc0557f79 --- /dev/null +++ b/arm/Microsoft.ApiManagement/service/parameters/parameters.json 
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "apiManagementServiceName": {
+ "value": "sxx-az-am-weu-x-002"
+ },
+ "publisherEmail": {
+ "value": "apimgmt-noreply@mail.windowsazure.com"
+ },
+ "publisherName": {
+ "value": "sxx-az-amorg-weu-x-001"
+ },
+ "cuaId": {
+ "value": "00000-0-000000"
+ },
+ "apiManagementServicePolicy": {
+ "value": {
+ "value": " ",
+ "format": "xml"
+ }
+ },
+ "portalSignIn": {
+ "value": {
+ "enabled": false
+ }
+ },
+ "portalSignUp": {
+ "value": {
+ "enabled": false,
+ "termsOfService": {
+ "enabled": false,
+ "consentRequired": false
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
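Review bot: `portalSignIn.value.enabled` is `false` in this sample, and for the `portalsettings/signin` resource that flag is the one that redirects anonymous visitors to the sign-in page, so a deployment copied from these parameters leaves the developer portal browsable without authentication. The template applies the setting whenever `portalSignIn` is non-empty, so the sample value is what users will actually get. I would ship the sample with `"enabled": true`, or state in the readme that anonymous portal access is intended here.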
diff --git a/arm/Microsoft.ApiManagement/service/readme.md b/arm/Microsoft.ApiManagement/service/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..1170db650934d34f5c83277976df293f560623ec GIT binary patch literal 20718 zcmeI4Yf~J@6^7??s`4MU)*ocK0ti{Y#z~n-vO^+EDuLw>Dp!HH1q)V$MaDSxUr+Kr z{qCW=XJ>a=F0oZ{QNS|O(|xY*xpWWz`S&|buUTo1ntlELs@ZG?`rd1HnnQgLnv>@D z&F|9pdh-vB8EVvF^Saq?-ZTdq(bK0LJ$;~SXX!38Fyqr^HH{sgaq)c4cN$iIrWuBM z{!Me-Y^6C*G}lqO8ms@*Ic|M4uGersxOlE7k2T}I=7g4?(t3>ev{}%XN9WJ1!QBn< zzb^`o^&Ir(kNE?K0US5Ea^AWKx+H?K9dZXi~C%Mrj60+cbhv6-wXQw zF#TNC&m)c5N#l2#(=_t>Xgd-m2Z_>st?^4!axD35iXJ3*lH@gz)zwrjH=jr*%aRjP zTE2F9v~{y2E$t`kA0!Jvi(4}&{3y}(!HB|})Zq16PTS{(vfk2@!~1KEv@N#ut#0r6 zM*4lJxx-WNf?dh@SSZ4pSbXgvOX&*OvZ4`q@t!=Yo1W$7<0N_P1Phri|E{&bt*z#j z)+yz?Jo3qyH~7RG!K`l7vi$IWqrjFBAn*(H1TA-y7qaT9IK$?9;Fct|ho}d2| zGVZ5O+q!b1XM2( z!Ga?YbNqf!b9uZ`wnpd&ngi_DIfe2(?a5ZAavv!_I+B6DgVwRnJarWG}UY2#kDSL32n+Eom1{6``MA* zgLZgUNC^xLu34|NSiFPWVqZQ$^hPpewsXCn`bcYF>%r6g39FlSXz3-KHCH8)<15Sr z27u^r&9%(+ync+={-EcF!q+2xAv0vb%#);4(uwR?-;t)9K6JIL$ZIX&<-PM{*UQ6O(iKYF`k07N4dYW~7?y$b_ zk9jSnBUuj12gh1Or>eHsab7m3q-qBUEGCz%$ z@ke`ML|=O)d6w~s3}Gi(NgIi}B)O*1_@V80MIJ&#c#|Y{H9tW&bq(#B)3vDOnk5*P z@<7}{OIh#qnwmeBdu7xZzs?>-H9(caU&B30KQ?~Fu zUCR;+)F-BcdtgY$AGo*tjkW%nvsUtoSmC~?#+$H!?zj{ldlT9rheI3qT^Z-HR6=LY z4~SBS$xkDnUu*s@^u`*IL7AauiNl@eA)?{^c=lGo`J`A^Q)SdgUr=nVxvGGREul=V z#8@YD6`oXUv9=3aJ5^h$pAzNJ8Mx!FQP4)65k)JLqS`a`PqZ=4C8c{ z(STl*W%5_i@=~5Nkmza3AZ!mYM;A3ijRV&YQl8)pioPP&lo6!o$&Hm+VjoQPw z-X&@0b8Xp%p0oFw2GGD7*prlx6`?HYEM@ctb-|g@iTJrEx`^Ci@j2tU-kPG$_uBNp z0m#%vQCp8!$pg#mflhYBiuv=`G74kgplrr-Jd13~2**m}TuiHp>)G1cY|rg{BKPB0 zkFn5{(r+0rX9x3rS>oa8CF3)F>0T!T;Jy}gc(B(#&G;pa#I z48(68OSkpZ>%c*guZmoxQJQMLLIV2}ISI{f04EXJm8p`d!I6 z`JM6mq>v@oY}HqlD+m$u&nMr@$dzanQkk8{IVxG3cre;fy3m7x}~GJ)pf#>;DkoA(uv%oACs#`4=NHBz=LX~zJRRONE325tb3z_p%Wq4) zUENb+X8PT~Zoi0K(aYNa`ko%)u@9f3sUtc_LaqRglK*XvtiyE{mg2mKj4jtiSchvT z=OB|Qf01(0vKRTKu29t-sUuG(zCG9M9nnXv)uWdS_3qY^%am&l$MQO_`f9Xi#x63* 
z9o1a$bJ^HGuPo1otl(Vuk=B^?fAeBRnMw2Bi?QH5W`J%g;_1UJN zdj1@VI)r(Nv#u=YL%2svJf#XMcaPCMl6KdMUe-L-rTgl14d}aLeM7As9X7Ha=dG3- zwTk!2sLS}wlkNfV$+>6l-?!yOHygcT>7~t*Y5Hu&v7#s)R-*T08G85oP!a4<^DXFE zDD!Ezv*z>j85Wc7nVCwG9&c1+i%GWVczX2{h(3vOSIt2?wNFrw2XImWy2#kFXCNsw zIK4tXN<4YrG4PW}6;heM-Urj;bQh~T18_VsHRXA)w(h#0yl*v7A!hAX8ao!Exw&njY(2ax4pv#2e~6v-I1hf4(?7jrxIXuluaVt&;>g)O{(}!XPBOS@@Rs38;gKXR$jRXGIqZB&U~)rdLx%ol$F7 zw#1Gb{=kg%n5j==?~^c!uCLaJ~ycOS>b6XTBdN zEd|$6H&52kV@bj&PyD>9MY3~(=LQeY)faiJzmOO)oQlVF<$Mx{LgKt5V?H(R*a#wf zPm?iT4gF-^-W|orT(eTY`n>jSjf^uM5qaTYJ__w+u6l?+1Z_g`TK_NaB z+9HxX9NPhzpEja**f>wq{X!~m7nzuA1|!J6qz1=$(R2#gnc5Ua^BfV%(RMYh0HUHN z*5X`L#@mOwUhZ$XKjX}>eAa&3=9lOpf}wq>OuyL>F3I5p~G^Op?Yw$2(3xj!@#J_L5gbg)7t2XXuO2*Jz(9%G5X` zi(Z3m(tTi1Gvj+3L-X0?j3{6UwwL=^SzA;S@wN;*J?NgX-m5H6@^VgmL-(C0uSk~B zHwaHehRnzJM*8|L>1>d$^k+QVPp9MmmBv!%@YR<`2AcW)i|T%itDlOi@jI_f9@frs zvCFca@H+j3tK@Y=S9;Yoe$*$cEGI0mudE&ZW9|0uzUJ~<7j=a))RRcKo4@f{c;oJU z<)j}dfBh)EVHH>WHXir7KE?P?(z{r96TLlU#!Fhej_k`*`3Q>oX?3z=X7+o4m!+he zj=NLo__p)z&l9w86LtbJ(ck+``~Q#HUrPR*D{{K#OB3Ev{^je|w-24VF=0A3O~Ql{ zmp$g^gdUDn+?^*9=DLU{`CbcuDn)pn-o&0p&*N)C+$cn6`UG=!iBL~i>T_?}~ zOw?f;^UqlNjJ>7pGxPe5ckI4O+QDDgU$M+;DU|09a$d=5T{e4}S+8c_b!OUcK9i1+ zviosZ=bvRepXu*`x;pNiZI7<`jPi~$G{$?6cR{1hbcJ`J=-}Yl-p&1!`i*y$U)@Q4 zM>2j8f&GpHjdwqhj_r2C$PY*3@B;Viu*H~{5ua<1pS!kG&Lu9MpEC@vTGhNOnlbNM z-cGA8jX2={XpHmqQZ(_VJ`@J8?)5?~UbUc~^zuNL!O1zzn$(3l_ z*1=@2D7(&7y%^xvb*zsgv1MMO2N>Q*;sAbN2K`DKW); zk$5K}SIqNqSN0>j<=S3a?+-@9AvFqJ3dk6TtU)c<36SN%Em$Btw_ zpQd`1lN|2ofS;TmCIZuy1kaoUENP~JFozsrNh`;hkMgq-skF)k`3_V%IvwlDHbo2K zBW%pGgNA!rDRQUV2}6+Xi;A~#y_b>D=V*wC-n%1@u)KHm2`aoFa{cmPrE*o|Rr1i4 zgWQB(y6EWI1#HU^db|E#)1?2HQ}R|L+W$tjT|C*_OM8gSsGB!pKQ=+vntWhMR*seM zH@jvfk8g|q;{QqcziusyC$OuX{SMzs-rE0}=_0(yA{Od`+ zUww0?s=9l8M?}b)aZh*ksdN3#rTf4Cc`uF9X1Yid{eO}6(^Q}1bePWcnWjsf-O5lCGXDs1E6IL#t{%Zb;8)eV#V-|6F>4+9b=dx7hU$>BGclU7tVZ?~n9-p*;_? 
zJr2{m#mcAW>b^WYH3zL-@WD&z>S?*^`VzLNy*6Ut=6%Cw&;ULyZC(32akih&`r1Dg36uPLtSgtgca+{_YWw={Nc7oSGFC>^ z;!X7qCF1b@$NKr+Qc7#)Rpx#_jpNUB{z%tB9nk7K z9iQq~tbQep%=I@}YUAy41-c}bp)t>~JW+IAYVF;yU=>Ex=R>YN?Ml24VMB|sMy8NC zJbo^|X1d>A0oUf;-*|HE3D0zOGrdY%`X6XfFmAH&K_orW2P<&L3+au0!h^1~+a%LP zo9u1B;n#uI&N6LhiP&vOzLBWb*k@YoM7{yV+5PLR_4OX*KL01W58HjZknK;IGoRbn z`MG#I%98y{zux8Og32hbbFRYwIn$>;)!k<~hOCv65$5Ad$K=c6OYJZF|Eg-F z^`v2$wxwU{mGJnx#n6!MYh(ab@w(7*cbAc@T}x#-;BYISpX&NZd=-4MCz8+4Gru78 zIQ?F$II2;t@1-AUmG7qpITTgUlpN5vahKCts)BbQ!Fi?IqS0|GA zQW0PT+)*5WC{(V`(#tB!UZ=k<)(lxV_6cso`y5fVZsGHH`jma^tIo?*%P%wXMoey} zKkMAC?hAy32Kkow1xJhZ`ZO-IitM#6$xgDLT&XHJSyCI;U0XY?)}S@#?;+i62`|U; zvV( z?wDu>eW=LZWVu3C;$W2CPhV*DmMY5+at_~B%$nagPq*AwTcxj~yPZpNGCSySobPqD z+>Z#X-mhLC9`(b~G#tz5or(`mu}-nqD19l^dy&4<75bW){GI+t3FLZ`T zy->6hs;Q3wAX|;dXnIyU=Pgdy3 z1B?3H6nrvb!V!6cd+`r4OtMAeHf1epeySO8x!A1j8Q(~PgUqp`r{x04L1gNym`x((Py{0H^Q;g0PWvtU zGNUK@tUv3E8S_K3UOhG36kn4^R$LL`Ey{R4)y;AB-hmCs+}e;R>DNYok^I-1t2n=- zNoV+|HA+0(zXE`cT6~Y{2qYrDnGsOK#{~DTa&^%?qPoq-pNlRr z&t7HzG*kiaba2hs%-qa)M*P@=LKerAbpQf-%Edfx$PR(U_+y=w>O6QL8suGOImOfA z-FtR*6IEr%et!$@N+#;kuE%wAR)1$dhl-v1C{eKIuGl(cmHxznId7MnGG|)N&u#Ya z){%u~OjW1S(pJVKSBYVx+AF%8y_0Uo^1vP0H9AG^4nFU1vFEy*ih;?&MAie_n6;4~ z&+?T(PIDQS{a!qLmMa~vkJ&N4ijT*-$ll`|)l7$7Sr^IbXFq*h0qvu6{6tju#3N|g z_VMV0sX#mp+0*f!X2l@gG@o6&;l4FJulzBu8fgdq)-sOxSxEnCSrvT|Yu5C~{Bc8n zT{J;jqdZSp>M4z%5xcem!`dkj_x+Mj7SLx%8~@j&e{h<*jqb*i_0?J`_aR?Dqi`o0 zuVcPwvaW;r^U=W0VV(MET8$4MHmwa$Vs6&d5NdQiYLzb-0f*u>{J!h&eNP$Y?j}T=%3^h91MTTIVxEfclSQVo zYN>#z2JHK#7U|<+TggJn-L1QOKc_Eq1NWiq!G}%cID=7-9t&-F&*BGh zG*aefrU*`K>I_Gm<-7Ksxt?jhFaPxu(7CD)DmK@r%m~3No-EeyrZMX|(<CaCN^_W+ke zA4fWZ3%^0~^!n)TioR+YsOsYV#^?xs4!aETG4$?XSC8;J^akOocid{(TGWeo6*l6T*oT=h<7TZvoFd1L!w{rnnraW}a)6bVc>K^=Oj MU#BLzQlgvx0aPKm$N&HU literal 0 HcmV?d00001 diff --git a/arm/Microsoft.ApiManagement/serviceAuthorizationServers/deploy.json b/arm/Microsoft.ApiManagement/serviceAuthorizationServers/deploy.json new file mode 100644 index 0000000000..f376f54657 --- /dev/null 
+++ b/arm/Microsoft.ApiManagement/serviceAuthorizationServers/deploy.json 
@@ -0,0 +1,217 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceAuthorizationServerName": { + "type": "string", + "metadata": { + "description": "Required. Identifier of the authorization server." + } + }, + "apiManagementServiceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "authorizationEndpoint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. OAuth authorization endpoint. See http://tools.ietf.org/html/rfc6749#section-3.2." + } + }, + "authorizationMethods": { + "type": "array", + "defaultValue": [ "GET" ], + "metadata": { + "description": "Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE" + } + }, + "bearerTokenSendingMethods": { + "type": "array", + "defaultValue": [ "authorizationHeader" ], + "metadata": { + "description": "Required. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query" + } + }, + "clientAuthenticationMethod": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Required. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body" + } + }, + "clientId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Client or app id registered with this authorization server." + } + }, + "clientRegistrationEndpoint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. 
Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced." + } + }, + "clientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Required. Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "defaultScope": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Description of the authorization server. Can contain HTML formatting tags." + } + }, + "grantTypes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "resourceOwnerPassword": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password." + } + }, + "resourceOwnerUsername": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username." + } + }, + "supportState": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "tokenBodyParameters": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {\"name\" : \"name value\", \"value\": \"a value\"}. - TokenBodyParameterContract object" + } + }, + "tokenEndpoint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. OAuth token endpoint. Contains absolute URI to entity being referenced." 
+ } + } + }, + "variables": { + "defaultAuthorizationMethods": [ "GET" ], + "setAuthorizationMethods": "[union(parameters('authorizationMethods'), variables('defaultAuthorizationMethods'))]" + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.ApiManagement/service/authorizationServers", + "apiVersion": "2020-06-01-preview", + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('apiManagementServiceAuthorizationServerName'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[parameters('description')]", + "authorizationMethods": "[variables('setAuthorizationMethods')]", + "clientAuthenticationMethod": "[parameters('clientAuthenticationMethod')]", + "tokenBodyParameters": "[parameters('tokenBodyParameters')]", + "tokenEndpoint": "[parameters('tokenEndpoint')]", + "supportState": "[parameters('supportState')]", + "defaultScope": "[parameters('defaultScope')]", + "bearerTokenSendingMethods": "[parameters('bearerTokenSendingMethods')]", + "resourceOwnerUsername": "[parameters('resourceOwnerUsername')]", + "resourceOwnerPassword": "[parameters('resourceOwnerPassword')]", + "displayName": "[parameters('apiManagementServiceAuthorizationServerName')]", + "clientRegistrationEndpoint": "[parameters('clientRegistrationEndpoint')]", + "authorizationEndpoint": "[parameters('authorizationEndpoint')]", + "grantTypes": "[parameters('grantTypes')]", + "clientId": "[parameters('clientId')]", + "clientSecret": "[parameters('clientSecret')]" + }, + "resources": [] + } + ], + "functions": [ + ], + "outputs": { + 
"apimServiceAuthorizationServerResourceName": { + "type": "string", + "value": "[parameters('apiManagementServiceAuthorizationServerName')]", + "metadata": { + "description": "The Api Management Service Authorization Server Name" + } + }, + "apimServiceAuthorizationServerResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceAuthorizationServerName'))]", + "metadata": { + "description": "The Resource Id of the Api Management Service Authorization Server" + } + }, + "apimServiceAuthorizationServerResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service Authorization Server" + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.ApiManagement/serviceAuthorizationServers/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceAuthorizationServers/parameters/parameters.json new file mode 100644 index 0000000000..011f5e7aeb --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceAuthorizationServers/parameters/parameters.json @@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "value": "sxx-az-am-weu-x-001" + }, + "apiManagementServiceAuthorizationServerName": { + "value": "AuthServer1" + }, + "authorizationEndpoint": { + "value": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize" + }, + "grantTypes": { + "value": [ + "authorizationCode" + ] + }, + "clientId": { + "value": "test" + }, + "clientSecret": { + "value": "test" + }, + "clientRegistrationEndpoint": { + "value": "http://localhost" + }, + "tokenEndpoint": { + "value": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token" + } + } +} \ No newline at end of file 
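Review bot: `resourceOwnerPassword` is declared with `"type": "string"`, so a password passed through it is kept in clear text in the deployment's parameter record, unlike `clientSecret` next to it, which is `securestring`. Declare it as `"type": "securestring"` as well. Separately, the `apimServiceAuthorizationServerResourceId` output calls `resourceId('Microsoft.ApiManagement/service', ...)` with the authorization server name, which yields the id of a service with that name rather than of the authorization server; it should be `resourceId('Microsoft.ApiManagement/service/authorizationServers', parameters('apiManagementServiceName'), parameters('apiManagementServiceAuthorizationServerName'))`.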
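Review bot: `clientSecret` is committed here as a literal (`"value": "test"`), which shows users of the module that the OAuth client secret belongs in a parameters file under version control. A Key Vault reference keeps the pattern safe to copy: `"clientSecret": { "reference": { "keyVault": { "id": "<key-vault-resource-id>" }, "secretName": "<secret-name>" } }`. The same applies to the literal `connectionString` in `serviceCaches/parameters/parameters.json`. The authorize and token URLs also embed what looks like a concrete tenant GUID; a labelled placeholder would be cleaner in a sample.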
diff --git a/arm/Microsoft.ApiManagement/serviceAuthorizationServers/readme.md b/arm/Microsoft.ApiManagement/serviceAuthorizationServers/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..e52f681fd54202a551a8fd48687ad0247de614f7 GIT binary patch literal 10900 zcmeI2+izP{7RLAUNc;~bJd{c#W&nYvLP#b}X-6%NYL|Ja(8SHHfjG{@PBSg=ug~!P z*7EY+=VB)gsb(IKW&2$AWnI4Yt+n?#|NYNLsgru?Je}zOSsJA?eUH;&8tZ$OX1Y4i z(M5Wr7W+D)^`)-AP7_@{N$=EtrvHgr=eG2irVr9z>^oHJ6PLeYg|EZ01px<*H zPtsev`@ZDZT1fIyLf_|_cdA)0C8g^$lLY5>HDvy^wcT*uu9LVQ^8TQn=o?n})#jtc zgS4rSx6a4R!QDMs9IIYP7UVgSCAa3Iw)vu~R;4exvi&k&gx6fMy}1mZrB4&zO?|(# z-@oejToN3bhY!=0wOlP>-G0;5l~=Pb13Ob`=(@Mf%bl<`erflNj|&z#I+L~DE_#70 z5P2lqof?j=WY06eW>e4x=$<;F7Pt=o%i^NEo)I|G*e9*r6c~4ATFy(+4y%Pt0-00E z4Uai$(8_i5UyxoRWlMLT%#nz`NBS~q$D-HKfd!YxWoHq?^kckitv&U-nXZ3ai-;Zg z-Z29IWDTlk!E|k`lr?fcG<90WQ9BmZ=dvC4pDoy8eV_CfS!uQHok#MF$O<~}*=tEK zll>ov&AK|8=yNJ>ZJCc}vd)&ST!>w|)^@DBU7a5(0=`UNr7zOo#9>p7wXfcu3pUf| z>h)QRpO@L>nfk*qV63tGiqW6u^S(?!&f7SG`$c3D;b{Cg z4fWa8(Hr%;P;Vl7s^~x02OSw1UVLRUBF}ZGZnNxnX-D&r^)F4@%&@1*GibxSo_(+z z7(l*VX*95&UNuZwbbw?^_tc4eqM-%HzS!+n>9qZr+fU#OQK z^>nnYF*$pvUQbQ>9i5dCN{;Y6a-sH<^s~tghR9IPBX{k?HWnJlCLk?12up^ai06Iz zjA{-Gj&;vHd8MmF>1$mX>7VLnYF+^Eu1m-I;Fpozb0l~!j2U{e;uG@~ept?Sk2U_t z_|iF&U-%T%IhHfe?+cxN1JWS8G_kE$2N&>5<8`R9V?lI zVh*h9h>zLYYHT8fdOY&St~`eimu2dxdcHM(VoN**TDunOo%F5#59AMG?;nx@`SR7k z!?cFD1B;Z>YaNYERpgZ#90=opOrH-u9YNp#e8Fj;H7XifGD01F)OBthBnuSM($NGL zf^pXaiOY6mRn{3*9Cg#bRr_AqXHzVWt;f2;s(|{BT9fe{|8XB2VkdB4T9n?U%}UNF zZAA4Ds9itLZ5J_uHJQ`3LuVKpn;h%dvx9r1BOTp-ZoBm{woIGn#ccR8^4^Z&DTDHn1Q3I5FA?| z3G8g^9F`l&D`)fgAO}-#P!}Na3uUjTHa9C1G{v^8Q$34%rfIW=&#}y7WGau+vfknv zxF;K|TMw_oBwQ7F58$F}cX+?&@3_tYvz z$%vk&4|V;8?1Ojii910Q)+#MJ)ty{nxW*+zIZnYRvILLil@;iydhSvvxjARlqs7tY z)z`$B7CfUxL`hFlxW``^_F@mi+2mu{3GA>;WhXFOMwv$? 
zY*p$C)8-ZFK)7))+>ATgH1BDQ_6mnptB>wpz|Rr0$GQ{I<^J-00W`?IbmVwdRh8Ur zPR0wgP3GB}b>@LSL^HfyV!$h^j$xAA?v?sL*v5*d#_cYLqn!P?$W7I37iTllzreM=BLGVuOP0FE$3iqC&a?`My~EJ=ZmZEp@)ngzXzzNg(ml(@TBfY| z!*bPpNR(pl$fH%HXP#QNV!$@5*8$to0ZbtesETR~baBlyPu`L3OX@SVztB3vS0Pts zg=WpUZG9QrGh|epC9|-@T&^I(Pt~Yk@8@MhlJ9f{xz5wa#)0**u3v3Gt<9e63S=cW zJvZxT?VD)3xqX)FM#OgX;kS(~BSM^IV8^KDTuxZLxdwga1Ok8g4bjC*Mu=-Jri zYg+}w4{#2QAAG%PRdH4%|Z6ki&wX8qqP)+C6qKOP?%ftD)v6FGp4kOVuN@IdklD#jXb#25riH zh>+{{nY@i*d-6Yfge9-GAt3yQSMxKf>Rv3?j{Q1v-+{ak`{<=j)?-S?i&yaYkeuq3 zE?F4#pV@ETjrJPz?^*@1^UBQGlk~_t55b5&3e|tEC>?eAIgBGJR&wkLPUp45mX7i1 zFKI)vxYssx{y^V+r5t<1dTtc6ZOmI!8D|+b(r-30mCSHq-Q_5urold7haLZ_?jSes zZDw!ns88vuKw7gFDdV6GP31F>JihN0lrvzhkoCG9hbL;wShw48=&0YHpZ`w_I2u7@ zJZo?AUb!6wIW@5KzvLSFkkH!jPy{`VS<%(JJF8NJB^L)*v9Z=19~gN-@Z<0dCBm!|rbPStMj zN5{N|x?aoR^fHH`Pu*@j(TkN?nPs95SpCHM_SVXXxmz5p-s1}lG_63tx~<-??qI|t z)3XXso}2@yX?_1N$0^zLpQ;SVm4`a2#&&x}RIlNxqrF`0!bTMtIg5RgW5p9sJ>OXr zyw$wyYZDLe>iy2WqsK zqdeYh%(tnYNa<{Mp`LY#Hf?Q;?C0~*eLreb7WTULzF89MzO3lhL`caO{xpNP2H1g# zH3+j;pQzluJ*XqgS+Q5C1M5L#;$1-akjiSRcNy;5FKu$Py@gk|Bl5Pr#nv_KHzhB1 gtFp~a-`X4e54Cp&DUlOCX}3cC9m3ncsdzvA4kQm=ZU6uP literal 0 HcmV?d00001 diff --git a/arm/Microsoft.ApiManagement/serviceBackends/deploy.json b/arm/Microsoft.ApiManagement/serviceBackends/deploy.json new file mode 100644 index 0000000000..acaae3a69e --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceBackends/deploy.json 
@@ -0,0 +1,169 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "backendName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Backend Name." + } + }, + "credentials": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Backend Credentials Contract Properties." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "description": { + "type": "string", + "defaultValue":"", + "metadata": { + "description": "Optional. Backend Description." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "protocol": { + "type": "string", + "defaultValue": "http", + "metadata": { + "description": "Required. Backend communication protocol. - http or soap" + } + }, + "proxy": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Backend Proxy Contract Properties" + } + }, + "resourceId": { + "type": "string", + "defaultValue":"", + "metadata": { + "description": "Optional. Management Uri of the Resource in External System. This url can be the Arm Resource Id of Logic Apps, Function Apps or Api Apps." + } + }, + "serviceFabricCluster": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Backend Service Fabric Cluster Properties." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." 
+ } + }, + "title": { + "type": "string", + "defaultValue":"", + "metadata": { + "description": "Optional. Backend Title." + } + }, + "tls": { + "type": "object", + "defaultValue": { + "validateCertificateChain": false, + "validateCertificateName": false + }, + "metadata": { + "description": "Optional. Backend TLS Properties" + } + }, + "url": { + "type": "string", + "metadata": { + "description": "Required. Runtime Url of the Backend." + } + } + + }, + "variables": {}, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('backendName'))]", + "type": "Microsoft.ApiManagement/service/backends", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "apiVersion": "2020-06-01-preview", + "properties": { + "title": "[if(not(empty(parameters('title'))), parameters('title'), json('null'))]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), json('null'))]", + "resourceId": "[if(not(empty(parameters('resourceId'))), parameters('resourceId'), json('null'))]", + "properties": { + "serviceFabricCluster": "[if(not(empty(parameters('serviceFabricCluster'))), parameters('serviceFabricCluster'), json('null'))]" + }, + "credentials": "[if(not(empty(parameters('credentials'))), parameters('credentials'), json('null'))]", + "proxy": "[if(not(empty(parameters('proxy'))), parameters('proxy'), json('null'))]", + "tls": "[if(not(empty(parameters('tls'))), parameters('tls'), json('null'))]", + "url": "[parameters('url')]", + "protocol": "[parameters('protocol')]" + } + } + ], + "functions": 
[], + "outputs": { + "backendResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service/backends',parameters('apiManagementServiceName'),parameters('backendName'))]", + "metadata": { + "description": "The Api Management Service Backend Id" + } + }, + "backendResourceName": { + "type": "string", + "value": "[parameters('backendName')]", + "metadata": { + "description": "The Api Management Service Backend Name" + } + }, + "backendResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service backend" + } + } + } +} diff --git a/arm/Microsoft.ApiManagement/serviceBackends/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceBackends/parameters/parameters.json new file mode 100644 index 0000000000..5fe145b54e --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceBackends/parameters/parameters.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "value": "sxx-az-am-weu-x-001" + }, + "backendName": { + "value": "backend" + }, + "url": { + "value": "http://echoapi.cloudapp.net/api" + }, + "tls": { + "value": { + "validateCertificateChain": false, + "validateCertificateName": false + } + } + } +} \ No newline at end of file 
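Review bot: The `tls` parameter defaults to `"validateCertificateChain": false` and `"validateCertificateName": false`, so every backend deployed without an explicit `tls` value has certificate validation switched off and the gateway will accept any certificate the backend presents. Default both to `true` and let callers opt out per backend when they have a reason. `serviceBackends/parameters/parameters.json` repeats the same two `false` values and points `url` at a plain `http://` endpoint, so the sample should be changed together with the default. `credentials` is typed `object`; since it can carry header, query and authorization values, `"type": "secureObject"` would keep them out of the deployment record.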
diff --git a/arm/Microsoft.ApiManagement/serviceBackends/readme.md b/arm/Microsoft.ApiManagement/serviceBackends/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..ae74a8424121a5d6ea5dd8b65dddcdf29b54dce3 GIT binary patch literal 17658 zcmeI4Yi}G$6^83G691v){QxUr8<0R^5g&rtERh0)*t;M_5#!6)G1z0TXL4Jze;s(A zI&-F~yQ@7lGf6f`qn15A-E}$jo=crmr)vKDpU*-Q9)#O)sn0)!<1o?RMHq)`{Y}D5 zPY-o>7hb8vsqUKadzCm1|BCO=!ZiFi{3!k%g%>I_Rf+3x6VAfRa23m+>Hn?nZ^GO7 zcC+607X5t|p#7;@pQ`PbqS5G^sh`{U)G2#cEO#_7*96`>Ro|%Qom#w9n-e{M7yF~c z7hzYIl}`8c!P}A01ED+BgPwC?w>NLKgzLUa<+$#LlMb$hIU_|1b3a zRy~a)SH|J>ykw(KuKQ`~A~p^C;#T63bAGBZ*=S1?I5PAFC(69Ac9A6RCc@|Kf`7;h z@^mh=uA+Rr7J?H=UlYfca}}vNj!*5~x8nC@{C=i4GqunNKUzE1r^%f?%|}K_mr>Bm zdq{Exk2mG!XfaAd=1HXfIBL~QJtJYcboSpj;m@iAFN_CmY5jwqpX)t3hK_!t`zw9( z(odokBE^ozt3?U0L}F=U8YT8p(lk@qI*A|Bg#3Auz+<(2S+p!|yW*pDnVX8DJJmFK zfL^28{v*S=4D9Kx%M%vNa6=1?=it)*=K5aJ&8DN9w4Ut1sH3TyQ{J|yiSyllu`c7e zCc!Uwp0xBvbp2EBPoqS15&KKVW9rd%x8H+e`%O5Ak^w)k{K(rA-QTE1BpFJOq&~GT zRsNCat>bBl!UM@Pl5i6_dZ(Vh)_0qsu-P+RNXd!HB?-P%pH28__)4W8NzOlyw59pU zpEFZg`))mwRb@t*3a7Vf3Dhst3zRToc+i#ztV~~*)*pA5Gi6=vBF-FpDs&u);r^e+ zQRMdTD?MS%x55p)x@|p=BX%t;@#=A>ceCv940*fKCt92L*_RpczY+b6gIQsC1TR!- zCTf>ig)Wk`dmZ^c5l3^h8nxE$9ekM$QeQVJfpxgin5^$)>8$n}NsLpyxkf&T6wzj_ z7PjRQS_tU0ydTGf}B8!yEApEy7MC6^9y~Y1VZ|Px0v}0hg$2 zGdy!R_WXg~UhA{p6Qgu`kVBH#~*QBF%OWp)P&1EL-5J-uC}%P zw}+zfMD^(DKvbJuVVv(z8rm}^V@Q1>A9=5JHhQKOE;P3FX*`;@;CMTCx{}vL58P*> zc)aNQ{u#eyak{#Fv}m*6+x;`8c}L6}SkJMr^qK8Ea@3!`(0kW=X^(UEess~Hu0QoOY6yHXZwfs}8{2x`=0UEYI?xrv`W-17F#7J=mmq=>{;BUqi-{4$NmTkJon z?WLw>O_|#Mw&k`6J$v2reSsVyJOD7V2xj$>GJ;afvwBN)SPvog z*Tp!Pq2XY@^47@9D@E&jEomXfIF2RFgI{M1)EUBr=gY34@%=HQZT%6ldWg49v~wB0 z(`Y>w8ZD))hVoBA5*`eWk*Gd#7(F*MOt0E21EwSHmHKLTNwU)F)EB~VG~nN+)nSY8 z$(7i;+5^e!qwo{ydn5h!bxiafolR@hBegx!Y9F!vB-*&0fxdQ>w`jt@V;Se#&OBa0 z+j-x9n@W`}rnUI2)uPw&&z(rG*_{jZ0e1e*Kc6cOFFoIhk%-wLr~doFvN;!*mv%1q zW!~$SC~}G!)oGL)A|k7?qjiE|$zgRP)kr+ulc$zj;hll;rJipk4Q)GC*MCV$Q!b!1 
zBb2%IeT!H2&HkG#F4qo^`O-R>*TK$}==6BmQKxSO(KFGQMK(J@OQE$hqJFk}b*m;hsGjp4B^7dt?#tiHJ#= z=c!8$CPkEO#L1?#d1l!Z_jyOEyZZI<`HH^}|D0~$i$a!hqRX@Kwim^b?#qI;@+!8K zW)%9BK-3ih4a4{r@(5aPRJhYsab;p{^y^YoVz*QovWG zspmFl$m8FU{zpIZcS1d`>? z{qo$?S?9j*dH0{xwp&xPrc7;r+j3h3as-gA07r0hwX%%#pKvK=!-U1_`?$Jt(WaxaYGTF8P~ zdl&qb*6WGloHO`%##hI;&jliq{2a%Z9louLxFH8p{mf_`ezs#T-)*#x#Han<7XRW~ z8``yUdw(v}JzLr=+ZJ@Lt3^K~s-@gt^T zu({;J*eq+?kZns%?Mh$W4)6n6CEG#nTzn|2kEdpS?3rc>Ka*lUAglfOjr?auJ=FDB zpXIrm=iWniSGu3?o2mpSeXimPy`8Bzi!zVASbr1UF`K(5igmcs{Kc+?OHs?pHtYLk zD%u`^pSV2HIMcad_TO+)Htk9~(RXG+cI8a8yJE;L*CFlN`=M}l+wuR7a{Wp$yA#Px z-Nygz^Q-xrbbirdv9u3^_@I1}EsyJM?aS(x@6!rETc$k9WYrzXy#KTl_7jQsb3Vjy za5aybmYsgbzIM+7-cOUu8#P0byx^`>N;;B@N(2*bPpJn`rf-a(5vBQ!QZ`CjINl)L!JD&F2f38&^KX*9Q z9=-i|N}qF)}}" + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Cache description" + } + }, + + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "resourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Original uri of entity in external system cache points to." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "useFromLocation": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. 
Location identifier to use cache from (should be either 'default' or valid Azure region identifier)" + } + } + }, + "variables": { + + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[concat(parameters('apiManagementServiceName'), '/', parameters('cacheName'))]", + "type": "Microsoft.ApiManagement/service/caches", + "apiVersion": "2020-06-01-preview", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[if(empty(parameters('description')),json('null'), parameters('description'))]", + "connectionString": "[parameters('connectionString')]", + "useFromLocation": "[parameters('useFromLocation')]", + "resourceId": "[if(empty(parameters('resourceId')),json('null'),parameters('resourceId'))]" + } + } + ], + "functions": [ + ], + "outputs": { + "apimServiceName": { + "type": "string", + "value": "[parameters('apiManagementServiceName')]", + "metadata": { + "description": "The Api Management Service Name" + } + }, + "apimExternalCacheResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service/caches',parameters('apiManagementServiceName'),parameters('cacheName'))]", + "metadata": { + "description": "The Resource Id of the Api Management Service's service external cache" + } + }, + "apimServiceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service', parameters('apiManagementServiceName'))]", + "metadata": { + "description": "The Resource Id of the Api Management Service" + } + }, + "apimServiceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", 
+ "metadata": { + "description": "The name of the Resource Group with the Api Management Service" + } + } + } +} diff --git a/arm/Microsoft.ApiManagement/serviceCaches/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceCaches/parameters/parameters.json new file mode 100644 index 0000000000..4e0866b95b --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceCaches/parameters/parameters.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "value": "sxx-az-am-weu-x-001" + }, + "cacheName": { + "value": "westeurope" + }, + "connectionString": { + "value": "connectionstringtest" + }, + "useFromLocation": { + "value": "westeurope" + }, + "cuaId": { + "value": "00000-0-000000" + } + } +} \ No newline at end of file 
diff --git a/arm/Microsoft.ApiManagement/serviceCaches/readme.md b/arm/Microsoft.ApiManagement/serviceCaches/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..f5ffdad57cd03901fe81c76852e512b7cb7af86f GIT binary patch literal 5094 zcmc&&O>Y}V4CT2%|HA+|*e)tN?V*RFC=jG=5TK0>+s(xYV8xc~O|+7#T_;hR{`I!+ zkxR{oR&o*-HH4K`I~)%A_{ibxKYu@vAdh4&6@Gt{p-gdI$w+EkQ)%(^1a}L01BnaV z1$hjK3%SPqm-2;Pr}$S%gRxp>aw#`5QOQeu&v8GKrH)ej=dZTETJM3->SJhcp!){a znPn~3nd?)x>_e~IX(tzi=)%v?ZY1)a3>gRV!3?`43GNymGx!O?TzMr;R}pJ@@lA0ZR`(3 zywd-d7-^v)$V=5W#IG^Wo~FK0(pgFj(-k7K80EXh^L*u{A#hA&tW1uj{9GRo z@(gnr4dX)2*PrlwjB#ce^Yc0GC-~>mN6JI;*wJ{ik|37kEOj)>*$SL$A^UNh-;@jK z^T@#=bXUDqC9f&&t#iMDMGMR{KG0sX+P=x+lmq)1bw06r8E(u&i#c)0|9QsuWoIa| zliFh?I8So*?p8nTGK2V!agiIPt+Cn$jI$zFxR$6eX(bMLYFU=++J!gQ@Sa>@wpgBw zR0lJV>+R^w$fzB)fg{EnYG##u4=v0b%fc(@FwXR?yr=f%xKVnF`4=m`og{Jo{MaAE zF2ltlf1!5eD>14mr>s82y6b38;hkYbPsfUo)vi&8-x3l-T+TFN6Z0zo=Sp5HN~|zn zWAsmaen{j8iTsc97d|D!ZmL#v=^1!B!%zKrBu7hj*#Ao>>b8sjm`0_BG7$5&W`RfCd_r``9VdfI7lo4N0M)k={nS0-;q@{2~bmNGV*nUPw> zc$IroscBQKwwh#CYI0AbI(ewVzu0yNp6+zttGOh&VZfDYjD7Mh@H{3))mY6PxJ0}T+8+Ei#2I3 z+8N_9>gp6+;ttN8HtuLKBYC#@3MUInj&SFhY#JV6=A|NNeVtYR1tim&nQJ@Ku7b7I ztG3m2#%+OJgy;PVeIq57c*ebCy_3xKzd((bJF@9rM(SH$qtZ7o YCvtxtTAk`UjrMz5z6aX=Mrlv}1#n1e)c^nh literal 0 HcmV?d00001 diff --git a/arm/Microsoft.ApiManagement/serviceNamedValues/deploy.json b/arm/Microsoft.ApiManagement/serviceNamedValues/deploy.json new file mode 100644 index 0000000000..ac5f178c62 --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceNamedValues/deploy.json 
@@ -0,0 +1,136 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "type": "string", + "defaultValue":"", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "displayName": { + "type": "string", + "defaultValue":"", + "metadata": { + "description": "Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters." + } + }, + "keyVault": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. KeyVault location details of the namedValue. " + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "namedValueName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Named value Name." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "namedValueTags": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Tags that when provided can be used to filter the NamedValue list. - string" + } + }, + "secret": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false." + } + }, + "value": { + "type": "string", + "defaultValue": "[newGuid()]", + "metadata": { + "description": "Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. 
This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value." + } + } + + }, + "variables": { + "keyVaultEmpty":"[empty(parameters('keyVault'))]" + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('namedValueName'))]", + "type": "Microsoft.ApiManagement/service/namedValues", + "location": "[parameters('location')]", + "apiVersion": "2020-06-01-preview", + "tags":"[parameters('tags')]", + "properties": { + "tags": "[if(not(empty(parameters('namedValueTags'))),parameters('namedValueTags'),json('null'))]", + "secret": "[parameters('secret')]", + "displayName": "[parameters('displayName')]", + "value": "[if(variables('keyVaultEmpty'), parameters('value'), json('null'))]", + "keyVault": "[if(not(variables('keyVaultEmpty')),parameters('keyVault'),json('null'))]" + } + } + ], + "functions": [], + "outputs": { + "namedValueResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service/namedValues', parameters('apiManagementServiceName'), parameters('namedValueName'))]", + "metadata": { + "description": "The Api Management Service named value Id" + } + }, + "namedValueResourceName": { + "type": "string", + "value": "[parameters('namedValueName')]", + "metadata": { + "description": "The Api Management Service named value Name" + } + }, + "namedValueResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service named value" + } + } + } +} 
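Review bot: The `value` parameter in serviceNamedValues/deploy.json is declared `"type": "string"` although it carries the named value's content, which is a secret whenever `secret` is true; plain string parameters are stored with the deployment and can be read back by anyone with read access to the deployment history. Declaring it `"type": "securestring"` keeps the `[newGuid()]` default working and stops the value being recorded. `secret` also defaults to `false`, so a caller who passes a credential and forgets the flag gets it stored as a plain named value; `"defaultValue": true` is the safer default. Minor: `apiManagementServiceName`, `displayName` and `namedValueName` are described as Required but carry `"defaultValue": ""`, so a missing value is only rejected by the resource provider instead of at parameter validation.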
diff --git a/arm/Microsoft.ApiManagement/serviceNamedValues/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceNamedValues/parameters/parameters.json
new file mode 100644
index 0000000000..34328ddb8c
--- /dev/null
+++ b/arm/Microsoft.ApiManagement/serviceNamedValues/parameters/parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "apiManagementServiceName": {
+ "value": "sxx-az-am-weu-x-001"
+ },
+ "namedValueName": {
+ "value": "apimkey"
+ },
+ "displayName": {
+ "value": "apimkey"
+ },
+ "secret": {
+ "value": true
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ApiManagement/serviceNamedValues/readme.md b/arm/Microsoft.ApiManagement/serviceNamedValues/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..630422f48aa9593f5e6522f0c278b36ed6a9533c GIT binary patch literal 6094 zcmchb+fN%;5XR4QrT!0Fcp#BtX#3EIydly?s25Nnc|ld}1Vh|{?RrfJY5K3X{eCkZ zpR*SVQPRk=y}Rc!Gv9o3+4Ileo2g2>X`Uwf|1piyRNwP7PM7*l(^5~5bhSvYHRGkO zs`Qg)FnX%%=eoW~SGudy=jk*19;a8DTWj<(%{1#uGgx=3-?^@5>BdGsj@0e7+|9Hp zDLn^j%8cyrJQ{-g(EXc~xROw0o|V3+X$N-cvn)XY!cwI1Tji+4&k27##{t z5L;+nt?!wz++OY4hx3kRl{oL1CmiPz<>5-=*Xhf|ccAY#_WPB7=aM%zUyalCYG$?8 zxL>C>Vs+YS_$ruC%O5k{Pb00L>`b2x2X-{H}n9Ypw*@r@;)@QOtp6DTu0CTHI(SqTt-tIx9WPm$shT zD0zIO6(8=UXY%O8e1}ikzKZ=%3r2(1zA(Thbf|sfOTtW&gehvOo!`uOxAy@5{A>HZy+L%p23)BQy9hQyl)L zF;xc>BeP*2jEWrx6 z!-&^Oa)3YgI(a5mQA=Qb&Y2m7vcg5)FJP_JCSOUa+=4$iy9p5sf+OP_ge9GRwBA2{amPW;2;3&Y9r@or@y4^bN(DQD(X zbKQ0{Dywi;CZojWxWiiFw&ce9XNc_oW}O4=GGf|H&02;>+WxE3iQ#*#IzyjzYVmzH zBTJ4nb?W00dhMAHx*2_L456PUR>tX#@fo|KGxt2utPAd$U^r2Q@7TdT=XHY}u(+%n zt}R@mQXpq8&3OMo%UoYQs=S8y&h)IFshZL~o~TE}o_AJT!t-10wq;Lzmz>Y*^o5?& z1rQ5c>dGU|j`Sp=sJ7LI$`(i3DR;x@j7=WRywUlc_deO@nGI#<-q(MkiT5LqweK)> zYg=@%hn8!2^Yi+)tA2K0dJ>knXuvA2 zgXR6zgIFP2kW;OEcsrgT0tZSQxc;m0)bIS)nG(G5cd7&NZK*irxA`_zj^v8%_2t+y zdQ=-S_=mm&p_QKi1lP-stKGkV?NGL|qMLWgH0bu(5Ht`qC%JNnL1VimictgB6QBT+x7m*-ZSC+V#*@jUA%JJ?+Oeyl3S=@M@)RBSr8_8A#f`BJmUU<2*UdDLhvqr4t;C~fO9qdY6{UekLF-i_%R91p4iT5#Gm{vYr_ z5}i#*1+UTua$20b=Cizy@0UJ3`p!VxIHGUgiQ;Xikfm+S%(o+q<7_(jo=2Yu^FCWW UJCr;L5A@sIKEb{3sjy@6FY}WP=>Px# literal 0 HcmV?d00001 diff --git a/arm/Microsoft.ApiManagement/serviceProducts/deploy.json b/arm/Microsoft.ApiManagement/serviceProducts/deploy.json new file mode 100644 index 0000000000..d178156041 --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceProducts/deploy.json 
@@ -0,0 +1,231 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "approvalRequired": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the product’s APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the product’s APIs. Can be present only if subscriptionRequired property is present and has a value of false." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Product description. May include HTML formatting tags." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "productApis": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Product API's name list." + } + }, + "productGroups": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Product's Group name list." + } + }, + "productName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Product Name." + } + }, + "state": { + "type": "string", + "defaultValue": "published", + "metadata": { + "description": "Optional. whether product is published or not. Published products are discoverable by users of developer portal. 
Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published" + } + }, + "subscriptionRequired": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as \"protected\" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as \"open\" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true." + } + }, + "subscriptionsLimit": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "terms": { + "type": "string", + "defaultValue": " ", + "metadata": { + "description": "Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process." 
+ } + } + }, + "variables": {}, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.ApiManagement/service/products", + "apiVersion": "2020-06-01-preview", + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('productName'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[parameters('description')]", + "displayName": "[parameters('productName')]", + "terms": "[parameters('terms')]", + "subscriptionRequired": "[parameters('subscriptionRequired')]", + "approvalRequired": "[if(parameters('subscriptionRequired'), parameters('approvalRequired'), json('null'))]", + "subscriptionsLimit": "[if(parameters('subscriptionRequired'), parameters('subscriptionsLimit'), json('null'))]", + "state": "[parameters('state')]" + } + }, + { + "condition": "[not(empty(parameters('productApis')))]", + "name": "[concat('productApis-', deployment().name, '-', copyIndex())]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "copy": { + "count": "[length(parameters('productApis'))]", + "name": "productApisCopy" + }, + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('productName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "outer" + }, + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": 
"[concat(parameters('apiManagementServiceName'),'/',parameters('productName'), '/', parameters('productApis')[copyIndex()])]", + "type": "Microsoft.ApiManagement/service/products/apis", + "apiVersion": "2020-06-01-preview", + "properties": {} + } + ], + "outputs": {} + } + } + }, + { + "condition": "[not(empty(parameters('productGroups')))]", + "name": "[concat('group-', deployment().name, '-', copyIndex())]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "copy": { + "count": "[length(parameters('productGroups'))]", + "name": "productGroupsCopy" + }, + "dependsOn": [ + "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('productName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "outer" + }, + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('productName'), '/', parameters('productGroups')[copyIndex()])]", + "type": "Microsoft.ApiManagement/service/products/groups", + "apiVersion": "2020-06-01-preview", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "functions": [ + ], + "outputs": { + "productResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('productName'))]", + "metadata": { + "description": "Resource id of the service product." 
+ } + }, + "productApisResourceIds": { + "type": "array", + "condition": "[not(empty(parameters('productApis')))]", + "copy": { + "count": "[length(parameters('productApis'))]", + "input": "[resourceId('Microsoft.ApiManagement/service/products/apis', parameters('apiManagementServiceName'), parameters('productName'), parameters('productApis')[copyIndex()])]" + }, + "metadata": { + "description": "The Resources Ids of the Product apis." + } + }, + "productResourceName": { + "type": "string", + "value": "[parameters('productName')]", + "metadata": { + "description": "The Api Management Service product Name" + } + }, + "productResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service product" + } + } + } +} diff --git a/arm/Microsoft.ApiManagement/serviceProducts/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceProducts/parameters/parameters.json new file mode 100644 index 0000000000..7d87aa2f3b --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceProducts/parameters/parameters.json @@ -0,0 +1,28 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "value": "sxx-az-am-weu-x-001" + }, + "productName": { + "value": "Starter" + }, + "subscriptionRequired": { + "value": false + }, + "approvalRequired": { + "value": false + }, + "productApis": { + "value": [ + "echo-api" + ] + }, + "productGroups": { + "value": [ + "developers" + ] + } + } +} \ No newline at end of file 
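Review bot: The defaults in serviceProducts/deploy.json make a new product open and public: `subscriptionRequired` defaults to `false` and `state` to `published`, while the parameter descriptions themselves state that the service defaults are a required subscription and `notPublished`. A caller who omits both parameters gets APIs that can be called without a subscription key and are listed in the developer portal. I would use `"defaultValue": true` for `subscriptionRequired` and `"defaultValue": "notPublished"` for `state`, and add `"allowedValues": ["notPublished", "published"]` to `state`. The `approvalRequired` and `subscriptionsLimit` descriptions also say "has a value of false", whereas the resource expression only passes them when `subscriptionRequired` is true; the text should be corrected to match.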
diff --git a/arm/Microsoft.ApiManagement/serviceProducts/readme.md b/arm/Microsoft.ApiManagement/serviceProducts/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..f277bc3412c27e14903e0e499032e0badc613933 GIT binary patch literal 8994 zcmds-%Wf1$6ozXZDG!ic%PayCwqq7qu(LoRNL(yz$ihOI@s&yJ8D}ma2zm7+|5vAv ztGc>-#>57R2z9%syXsv2bFC`=`TJI=!gja_BmI3EhGDGhG#rO>UE?s<+g&|P!&{9w z)Ke99^lK81!a~32VHUm(-^6P#ywRAMMx58*&*Jza-7mtK-o1}sug7iUlHaX>>@P%p zCfW;0W%A9%=OVs!$v$?D+pEV_f$uKWE6tpW;z%^ddjB!y%&B6T@R?+sk{}X@1_}0Gtp~x7;-$(i~7lkSuL~29*wFtGhxn_*? zXvVv84k-eOhU@y*;8IINW+zHNjQM9S&cvdlN1V04SK*oFU<-?qW?Vni`xAX%NLRAi zD?Oj-myh0w@k+cq8gDO0fF(SkF^jQ1lF!dI_G-DIFK6WMQ#@F-cjby^26k=T-)E9& zdg%|yYf{@CAI^PXLtovW$n}OB`O0h#F3n$_8M`E_giD^qpq?`3K=dzSewrvhfqN;9 z>u?~R__oRXQydHBT$AS+_RxaYFEKLkRir?gh3wd6t5T9mh+$v6yTs>lL<6rmi~8Nw zxUt5OUHdpdi>M?%Q-me$j}_NM=0et*2=!s~qr=GKOtD^xKK8&1J+_I+x4NjER5W72 zW7uaVt2OJ#cNJr|6)%tDtdV$P>myNzH&o#|l&%(MrEUkc9N=t-;Acb*cnn49JdOZI zzCd+S%XqGFyrmbQr&#C?GR84SCCT51tf5Kn!&Yg08=Xoq3OA%1M_x@&UWO1_KB#9~ zezdxZ7g`@g%$o+I=pTLZmOft95nvXiJ8|DDIUqG&@pl)Jw@?Jt6)ykG3XT;>n%~M^WzE;Zb-gUwIhr#ONf?Sd{sD z{J}jVN15)D9&T16jHOTGT=Pwfo?KU~-;VSDuJ?|-D|NM%^y#7x;^aZIAyt}M!q_VO zti1X(JkgW+s>L`MS*4yw6lW2cToa-jzjZYGb=Z#)kk{fzQEED|+Y$4U*6ZjYRekTW z_mhIVOON+iF2kR5o^1`9ab@))^+a?dWCt*#I_>HSzhsTE5uVGFe$z8+iT$uz-qKE% z;l39|a|X~f04k7xQlmQ-Ch^vgo7%lpk#SF8_TR#~yqLrI!IlAxaxt4mRxCxIvRn zzVAC!!M;n&Jda(q9=bo>RL@71Y@%IuGI`H#Sl|_T*OzC#L-`3A4;xwL&bz2Q=i~2; zv7W>zHzfhvcJE~V-bC4&oHolAu7hK?bT>R}Tb>SGfbr-6KiIGQB9QkO%wc|F9edmcA%a(zuBki7|= zy#KV`h7Q1b16Bs;K#v1{SZS4I5*CJByMLrdgRXf2>krmJ*o1wkV{u8{2OND3Q(6KV zR-5u})4Y*R6iIFE;3%1Xz8*l*t7L+ix+B&h@bfG{{D25`!}dy+bt~n1&;5cG#<^;d zb*z@b`|!28P-%wc{IqJI@1{PumQe4CYV2oGVEZ!k$F`0JZ=OJ8SASEiAffeBmQCGu z&da*3NnB$tgb5vtA!Rwhte;EWuOHmM_O*<6%kC$WtWV6l414bCHTGncQ`y+7qWcPw zk@vHu_YzH0VV`PI&YvnjdkwPe)U>%rA$xkR zT^ZZuo&?{~-&VEeTV6XnCzkt#!#YD#N1YQCcy_G1SLxIj&xv$j=c)qiIWo^FEz5+a zjo0I3DR#|#FSTn&@TD}gHS2xx85FfAtx$Ytv9#8zRfW$Ri1tA17yM})_bI(T`}v6T 
zTGRPK75bpH+Nd|FRS-h+iP(m1YTtJbY9Z;>?8YZ^+Fz#M=iS?DMHIN=3cCX?b9K$fz9+N z^tdTKz%XC6*6osNARg%4&Kl)tdM5g$<}Q_0rF7nAG2s4`VgMc`S|tZx-Sx}lNSUA7 z?gs1Vikv!J%GeKya)UgfMp&|RDg ztFb74h*|c1M1vLFw%%|~O77*J$J0!EFSmsh-6ZFF_jT6AX%~A_L;<}>dAeyCeN&Xi z%1+cX&Mcir{=DAew=RlEX`VLK%u=Ft>EV_%>Q)QaC86njCn9Nh3l+zFXV!#C`QievZS}W#e>;eH9!3-*hA6{tLCSAw2*9 literal 0 HcmV?d00001 diff --git a/arm/Microsoft.ApiManagement/serviceSubscriptions/deploy.json b/arm/Microsoft.ApiManagement/serviceSubscriptions/deploy.json new file mode 100644 index 0000000000..a095627915 --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceSubscriptions/deploy.json 
@@ -0,0 +1,138 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "allowTracing": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Determines whether tracing can be enabled." + } + }, + "apiManagementServiceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the of the Api Management service." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "ownerId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. User (user id path) for whom subscription is being created in form /users/{userId}" + } + }, + "primaryKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Primary subscription key. If not specified during request key will be generated automatically." + } + }, + "scope": { + "type": "string", + "defaultValue": "/apis", + "metadata": { + "description": "Required. Scope type to choose between a product, allApis or a specific api. Scope like /products/{productId} or /apis or /apis/{apiId}." + } + }, + "secondaryKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Secondary subscription key. If not specified during request key will be generated automatically." + } + }, + "state": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are * active ? the subscription is active, * suspended ? the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? 
the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled" + } + }, + "subscriptionName": { + "type": "string", + "metadata": { + "description": "Required. Subscription name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + } + }, + "variables": {}, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.ApiManagement/service/subscriptions", + "apiVersion": "2020-06-01-preview", + "name": "[concat(parameters('apiManagementServiceName'),'/',parameters('subscriptionName'))]", + "tags": "[parameters('tags')]", + "properties": { + "scope": "[parameters('scope')]", + "displayName": "[parameters('subscriptionName')]", + "ownerId": "[if(not(empty(parameters('ownerId'))),parameters('ownerId'),json('null'))]", + "primaryKey": "[if(not(empty(parameters('primaryKey'))),parameters('primaryKey'),json('null'))]", + "secondaryKey": "[if(not(empty(parameters('secondaryKey'))),parameters('secondaryKey'),json('null'))]", + "state": "[if(not(empty(parameters('state'))),parameters('state'),json('null'))]", + "allowTracing": 
"[parameters('allowTracing')]", + "tags": "[parameters('tags')]" + } + } + ], + "functions": [], + "outputs": { + "subscriptionResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ApiManagement/service/products', parameters('apiManagementServiceName'), parameters('subscriptionName'))]", + "metadata": { + "description": "Resource id of the service product." + } + }, + "subscriptionResourceName": { + "type": "string", + "value": "[parameters('apiManagementServiceName')]", + "metadata": { + "description": "The Api Management Service subscription Name" + } + }, + "subscriptionResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Api Management Service subscription" + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.ApiManagement/serviceSubscriptions/parameters/parameters.json b/arm/Microsoft.ApiManagement/serviceSubscriptions/parameters/parameters.json new file mode 100644 index 0000000000..5b5c5a0c6e --- /dev/null +++ b/arm/Microsoft.ApiManagement/serviceSubscriptions/parameters/parameters.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiManagementServiceName": { + "value": "sxx-az-am-weu-x-001" + }, + "scope": { + "value": "/apis" + }, + "subscriptionName": { + "value": "testArmSubscriptionAllApis" + } + } +} \ No newline at end of file 
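Review bot: `primaryKey` and `secondaryKey` in serviceSubscriptions/deploy.json are subscription keys, i.e. credentials, but both are declared as plain `string`, so a supplied key is kept in clear text in the deployment record; they should be `securestring`. `allowTracing` defaults to `true`, which lets a holder of the key ask for request traces that can expose headers and backend details, so `false` is the safer default. Two outputs also look copied from the products module: `subscriptionResourceId` builds the id with the `service/products` resource type, and `subscriptionResourceName` returns the API Management service name instead of the subscription name. The rewritten lines are below.

```json
"allowTracing": {
  "type": "bool",
  "defaultValue": false,
// … unchanged: metadata, apiManagementServiceName, cuaId, ownerId …
"primaryKey": {
  "type": "securestring",
// … unchanged: defaultValue, metadata, scope …
"secondaryKey": {
  "type": "securestring",
// … unchanged: remaining parameters, variables, resources …
"subscriptionResourceId": {
  "type": "string",
  "value": "[resourceId('Microsoft.ApiManagement/service/subscriptions', parameters('apiManagementServiceName'), parameters('subscriptionName'))]",
// … unchanged: metadata …
"subscriptionResourceName": {
  "type": "string",
  "value": "[parameters('subscriptionName')]",
```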
diff --git a/arm/Microsoft.ApiManagement/serviceSubscriptions/readme.md b/arm/Microsoft.ApiManagement/serviceSubscriptions/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..40e250d60ab944916137b3f91e9a1e7fe513f7dd GIT binary patch literal 6594 zcmdU!-)|d55Xbi!iT~lGzO)D@zyl8mfvQ%jA}EdO(3hwpj&n&2iEU!HsVn|=;QN{J zc=yhCNocA{C~|V%+npcZ`OfU@=AXYGq$)j5^EA=l=V_Ft`kbXYUFtJUON|cGn{=EO zX`HS!Yp$_Ln(5sleV#tE&p|rZ*g|tJ_2xwLFSNSSQ?28r$NpwGAV`)mE4OG<5W>U3>0Z?>t8*h0F? z=tQ&^=_b8_47!L!cPv~k?BQuDd{&$I!4#Nrs_0!9Gp>cjRE(?4qcW=SX=J1R?oVMg zvF|5(vy_BNyhPeaf1PnYT6)IJU?-TB8Zxhl@qMFtwDHoB**EJ)mPt!#hG8HVk=lM= zrC+p$SUBUFY<;TnQ@tm<$jeuHzR#x&+ydH@G9^>HFvEC8?@baqg!pB||bp|hY*0wv2mnIKSD(Qex#2AE$cB!$F zZfaUE1wIB_PE2afb?l}Nc4h9+q(|OHl)|5dX$>BOqI==L$-R=h_!4=5H6HJoV(VNb zp3QGjr@AbwghE+UkY4&U7Ph0br(C?7wOzc*c~b% zNuEAT&op~a%zI>b4g7ivLQI$lfzs>nx~Ee(5WmBi>;{zsH9r zt*iylG=jFdEXLBdtk;HXM79g1pIh3!%7GRPhV9!`xE(EWW@_=gU&M%y=fguo(4Rdb zb3^D{USFdj0IwY$;He)Ik28@~OZ_hsye`9u~_ z@mJ|5$z9!pvHJ~aH+l7kX(A4LmVr~@Ky_V+3AI(OQ`zPI(b-^S-ml1O>JTej5*2B( zj<@elbW&-8W4-&*MzPte6WV8*;d7hljct_L3eKe!7a9XMxYCsGjA@Pq zZ(Pr=tU_kioJU}rzx6ffE!l>b;7X73aTqt;lKB5--BP%~)_&GG&-`~+J=_zz6UmrJ z64kH2vXDQnt(k|FI$YLzkK>VUGK*}2iT$#DRl8D=qx1}Mx}l?B7xV0F+OyqP<@aze zdekrMncSGjZaDp;KHiz!ZXsP#ti&Uv;g$RAy)^sjf00R7%#KKgIZpIK-aUIC-o%Zp zCxg9bib@!@2~Vf08tnM{s+OL2W!KWo*3ye(RrV6$yLrLxQdZb=S%6mT^t!};LATEs zmId035d-|Ej$au|yg#WFcb5|$t~7%Rp5;o&{-wc9PN(>tr>;Bj}B zGn>4D%dCQ7@FPp}-IY4eZG_ht=P~oI*E|5@oPR#cPY0X}x3dst=lQj9E9=CTT$4)P zGumbfV_n!bcdPE6?EdGFp(;$*-A*OM{AAMJIjPiV!X);Enbt=}lsiKIzHqRX&_3mW zOxclV&2isQr5DyW&Fy#dG+n;A{TzMYGjKlZHY;ep9edgGhCU=P^K6YilJjDFcATD? 
z=Roi2;}qKN$TD6?JTl&P#kQ^Mb{27FqsDrt*MCn)oz2$uA(Nx?p%&+}T0f#;bMUy$ zwl)ft&Z%(%^d6qQB=0C6$M@`U=JXTQY;IF0Vh9N4nw1$&9r{hTL(Hu8#Of^Ju~wc~ z_46A{@3*d63~Wj}v@<+Wjg01rlK?x&nXF*fd2exFX^fK(40vx(tlO6VT4(2TNm;6v zFLZahtDh6C9qZeU?N#()oH5`vcct{;mzu>MH;`ny{?SH9`8?RtH_%F~^m~Xat!!H~ zkRK6Km+m{l$H$|s6}(Cx zo=R)nxaT|FPh-b(@ueN#Hjdcab)(&P8(sRw2`kr^-Sz(^I88SHFERW?xOe&MRifld WM4{X7_Dw$j5omhZS49`=xc>`jPJzh) literal 0 HcmV?d00001 diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.json b/arm/Microsoft.Authorization/policyAssignments/deploy.json new file mode 100644 index 0000000000..8435100be2 --- /dev/null +++ b/arm/Microsoft.Authorization/policyAssignments/deploy.json 
@@ -0,0 +1,155 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "type": "string", + "metadata": { + "description": "Required. Specifies the name of the policy assignment." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the name of the resource group where you want to assign the policy." + } + }, + "policyDefinitionID": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." + } + }, + "parameters": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Parameters for the policy assignment if needed." + } + }, + "identity": { + "type": "string", + "defaultValue": "SystemAssigned", + "metadata": { + "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "policyAssignmentName": "[replace(parameters('policyAssignmentName'),' ','')]" + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Policy Assignment on Subscription scope + { + "name": "[concat(variables('policyAssignmentName'), '-subDeployment')]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[parameters('location')]", + "condition": "[empty(parameters('resourceGroupName'))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "name": "[variables('policyAssignmentName')]", + "location": "[parameters('location')]", + "apiVersion": "2019-09-01", + "properties": { + "policyDefinitionId": "[parameters('policyDefinitionID')]", + "parameters": "[parameters('parameters')]" + }, + "identity": { + "type": "[parameters('identity')]" + } + } + ] + } + } + }, + // Policy Assignment on Resource group scope + { + "name": "[concat(variables('policyAssignmentName'), '-rgDeployment')]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + 
"type": "Microsoft.Authorization/policyAssignments", + "name": "[variables('policyAssignmentName')]", + "location": "[resourceGroup().location]", + "apiVersion": "2019-09-01", + "properties": { + "policyDefinitionId": "[parameters('policyDefinitionID')]", + "parameters": "[parameters('parameters')]" + }, + "identity": { + "type": "[parameters('identity')]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "policyAssignmentName": { + "type": "string", + "value": "[variables('policyAssignmentName')]", + "metadata": { + "description": "Name of the policy assignment." + } + }, + "assignmentScope": { + "type": "string", + "value": "[if(empty(parameters('resourceGroupName')), subscription().id , concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName')))]", + "metadata": { + "description": "The scope (subscription or resource group) of the assignment." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json new file mode 100644 index 0000000000..cf753f50a5 --- /dev/null +++ b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "value": "Allowed locations 2" + }, + "policyDefinitionID": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" + }, + "parameters": { + "value": { + "listOfAllowedLocations": { + "value": ["westus","westus2"] + } + } + }, + "location": { + "value": "westus2" + }, + "identity": { + "value": "None" + } + } +} 
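Review bot: The `-rgDeployment` nested deployment in policyAssignments/deploy.json never names its target: it has no `resourceGroup` property, so nothing in the hunk ties the assignment to `parameters('resourceGroupName')`, while the `assignmentScope` output reports that resource group as the scope. Adding `"resourceGroup": "[parameters('resourceGroupName')]"` next to its `condition` would scope it as intended; the inner `"location": "[resourceGroup().location]"` likely needs replacing as well, since `resourceGroup()` is not available while the parent template is evaluated at subscription scope. Separately, `identity` defaults to `SystemAssigned`, which creates a managed identity for every assignment, including audit and deny policies that never use one; `"defaultValue": "None"` is the least-privilege default, with assignments of Modify policies passing `SystemAssigned` explicitly.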
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
new file mode 100644
index 0000000000..291eaa2472
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyAssignmentName": {
+ "value": "Allowed virtual machine SKUs"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3"
+ },
+ "parameters": {
+ "value": {
+ "listOfAllowedSKUs": {
+ "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"]
+ }
+ }
+ },
+ "location": {
+ "value": "westus2"
+ },
+ "identity": {
+ "value": "None"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
new file mode 100644
index 0000000000..a511f42ea4
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "value": ""
+ },
+ "policyAssignmentName": {
+ "value": "Add a tag to resources"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
+ },
+ "parameters": {
+ "value": {
+ "tagName": {
+ "value": "Tag"
+ },
+ "tagValue": {
+ "value": "Value"
+ }
+ }
+ },
+ "location": {
+ "value": "westeurope"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
new file mode 100644
index 0000000000..a36a36cf0d
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -0,0 +1,36 @@
+# PolicyAssignment
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Authorization/policyAssignments`|2018-05-01|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | |
+| `location` | string | Optional. Location for all resources. | | |
+| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. | | |
+| `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | |
+| `parameters` | object | Optional. Parameters for the policy assignment if needed. | | |
+| `identity` | string | Optional. The managed identity associated with the policy assignment. | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `assignmentScope` | string | The scope (subscription or resource group) of the assignment. |
+| `policyAssignmentName` | string | Name of the policy assignment. |
+
+## Considerations
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.json b/arm/Microsoft.Authorization/roleAssignments/deploy.json
new file mode 100644
index 0000000000..1857dd535e
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.json
@@ -0,0 +1,432 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": 
"/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": 
"/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications 
Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage 
File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + // CUA on 
Subscription scope + { + "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Role Assignments on Subscription scope + { + "name": "[concat(uniqueString(deployment().name, parameters('location')), 'subscriptionRbacDeplCopy-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[parameters('location')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "copy": { + "name": "subscriptionRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "subscriptionId": { + "value": "[subscription().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "subscriptionId": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + 
"resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + }, + // CUA on Resource Group scope + { + "name": "cuaDeploymentOnResourceGroup", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "dependsOn": [ + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "cuaId": { + "value": "[parameters('cuaId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "cuaId": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + } + 
], + "outputs": { + "resourceGroupId": { + "type": "string", + "value": "[resourceGroup().id]" + } + } + } + } + }, + // Role Assignments on Resource Group scope + { + "name": "[concat('resourceGroupRbacDeplCopy-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), not(empty(parameters('resourceGroupName'))))]", + "dependsOn": [ + ], + "copy": { + "name": "resourceGroupRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "resourceGroupName": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[if( variables('condition'), guid( parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { 
+ "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "assignmentScope": { + "type": "string", + "condition": "[not(empty(parameters('roleAssignments')))]", + "value": "[if(empty(parameters('resourceGroupName')), subscription().id , reference('cuaDeploymentOnResourceGroup').outputs.resourceGroupId.value)]", + "metadata": { + "description": "The scope (subscription or resource group) of the assignments defined in this module were created on." + } + }, + "roleAssignments": { + "type": "array", + "value": "[parameters('roleAssignments')]", + "metadata": { + "description": "Array of role assignment objects." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json new file mode 100644 index 0000000000..2585e6269c --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json 
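Review bot: The `name` of the `Microsoft.Authorization/roleAssignments` resource in the resource-group branch is seeded with `parameters('resourceGroupName')` only, so two resource groups with the same name in different subscriptions yield the same GUID for the same principal and role; as far as I know assignment names are expected to be unique across the tenant, which is why the name is normally derived from the full scope ID. I would seed it with the scope instead, e.g. `guid(resourceGroup().id, array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName)`; the CUA nested template in this same file already evaluates `resourceGroup().id` under inner scope. Both branches also hash the raw `roleDefinitionIdOrName`, so the same role passed once as `Owner` and once by its ID gets two different names and the second deployment will probably be rejected as a duplicate assignment; hashing the resolved `roleDefinitionId` would avoid that. Separately, an empty `resourceGroupName` (the default) moves every assignment, including `Owner` and `User Access Administrator`, to subscription scope, so the broadest scope is reached by omission rather than by an explicit choice; that deserves a prominent warning in the parameter description or a dedicated scope parameter.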
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Resource Group name is optional, when provided, the Role Assignment will target the RG. When not provided the scope will be the subscription.
+ "resourceGroupName": {
+ "value": "artifacts-rg"
+ },
+ "roleAssignments": {
+ "value": [
+ // Built-in Role Definition, referenced by Name
+ {
+ "roleDefinitionIdOrName": "Owner",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ // Built-in Role Definition, referenced by Name
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ // // Built-in Role Definition, referenced by ID
+ // {
+ // "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Resource Group scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Subscription scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // }
+ ]
+ }
+ }
+}
\ No newline at end of file
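Review bot: The labels on the last two commented-out examples are swapped: the entry under `// // Custom Role Definition on Resource Group scope` carries a subscription-level ID (`/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/...`), while the one under `// // Custom Role Definition on Subscription scope` carries the `/resourceGroups/rbacTest/` path. Exchange the two comment lines so that someone uncommenting a sample assigns the role at the scope they intended. Both samples also embed what looks like a real subscription GUID; a placeholder such as `<subscription-id>` would keep environment identifiers out of the repository. The first active entry is `Owner` with an empty `principalIds` list, so a one-line comment noting that filling it grants full control of `artifacts-rg` would help whoever reviews later edits to this file.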
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
new file mode 100644
index 0000000000..72f624e53c
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -0,0 +1,68 @@ +# Role Assignments + +This module deploys Role Assignments. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview| +|`Microsoft.Resources/deployments`|2018-02-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | [deployment().location] | | Optional. Location for all resources. 
| + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/subscriptions/78945612-1234-1234-1234-123456789012/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `assignmentScope` | string | The scope (subscription or resource group) of the assignments defined in this module were created on. | +| `roleAssignments` | array | Array of role assignment objects. | + +## Considerations + +This module can be deployed both at subscription or resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. + +## Additional resources + +- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) +- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file 
diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.json b/arm/Microsoft.Authorization/roleDefinitions/deploy.json
new file mode 100644
index 0000000000..522ac6e8eb
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.json
@@ -0,0 +1,238 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleName": { + "type": "string", + "metadata": { + "description": "Required. Name of the custom RBAC role to be created." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription." + } + }, + "roleDescription": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Description of the custom RBAC role to be created." + } + }, + "actions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of allowed actions." + } + }, + "notActions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of denied actions." + } + }, + "dataActions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of allowed data actions." + } + }, + "notDataActions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of denied data actions." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + }, + "resources": [ + // CUA on Subscription scope + { + "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Role Definitions on Subscription scope + { + "name": "[guid(parameters('roleName'), subscription().id)]", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "condition": "[empty(parameters('resourceGroupName'))]", + "properties": { + "roleName": "[parameters('roleName')]", + "description": "[parameters('roleDescription')]", + "type": "customRole", + "permissions": [ + { + "actions": "[parameters('actions')]", + "notActions": "[parameters('notActions')]", + "dataActions": "[parameters('dataActions')]", + "notDataActions": "[parameters('notDataActions')]" + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + }, + // CUA & Role Definitions on Resource Group scope + { + "name": "roleDefinitionDeployment", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleName": { + "value": "[parameters('roleName')]" + }, + "roleDescription": { + "value": "[parameters('roleDescription')]" + }, + "actions": { + "value": "[parameters('actions')]" + }, + "notActions": { + "value": "[parameters('notActions')]" + }, + "dataActions": { + "value": "[parameters('dataActions')]" + }, + 
"notDataActions": { + "value": "[parameters('notDataActions')]" + }, + "cuaId": { + "value": "[parameters('cuaId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleName": { + "type": "string" + }, + "roleDescription": { + "type": "string" + }, + "actions": { + "type": "array" + }, + "notActions": { + "type": "array" + }, + "dataActions": { + "type": "array" + }, + "notDataActions": { + "type": "array" + }, + "cuaId": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[guid(parameters('roleName'), resourceGroup().id)]", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "[parameters('roleName')]", + "description": "[parameters('roleDescription')]", + "type": "customRole", + "permissions": [ + { + "actions": "[parameters('actions')]", + "notActions": "[parameters('notActions')]", + "dataActions": "[parameters('dataActions')]", + "notDataActions": "[parameters('notDataActions')]" + } + ], + "assignableScopes": [ + "[resourceGroup().id]" + ] + } + } + ], + "outputs": { + "resourceGroupId": { + "type": "string", + "value": "[resourceGroup().id]" + }, + "id": { + "type": "string", + "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), resourceGroup().id))]" + } + } + } + } + } + ], + "functions": [ + ], + "outputs": { + "definitionId": { + "type": "string", + "value": "[if(not(empty(parameters('resourceGroupName'))), 
resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'roleDefinitionDeployment'), '2019-10-01').outputs.resourceGroupId.value)), resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), subscription().id)))]", + "metadata": { + "description": "The id of the role definition that was created." + } + }, + "definitionScope": { + "type": "string", + "value": "[if(empty(parameters('resourceGroupName')), subscription().id, reference('roleDefinitionDeployment').outputs.resourceGroupId.value)]", + "metadata": { + "description": "The scope (subscription or resource group) this definition was created on." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json new file mode 100644 index 0000000000..9c1e1945c8 --- /dev/null +++ b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json 
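Review bot: The `definitionId` output builds the nested deployment's ID with `format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, ...)`, but `subscription().id` already begins with `/subscriptions/` (the same template uses it as an `assignableScopes` entry), so the resource-group branch resolves a path with a doubled prefix. Either pass `subscription().subscriptionId` to `format`, or reuse the `id` output the nested template already exposes: `reference('roleDefinitionDeployment').outputs.id.value`, which matches how `definitionScope` reads `resourceGroupId`. Separately, `actions` and `dataActions` are passed through unvalidated, so the parameter descriptions should say that callers are expected to list explicit operations rather than wildcards.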
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "myCustomRoleAtSub"
+ },
+ // "resourceGroupName": {
+ // "value": "rbacTest"
+ // },
+ "roleDescription": {
+ "value": ""
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/read",
+ "Microsoft.Compute/galleries/images/read",
+ "Microsoft.Compute/galleries/images/versions/read",
+ "Microsoft.Compute/galleries/images/versions/write",
+ "Microsoft.Compute/images/write",
+ "Microsoft.Compute/images/read",
+ "Microsoft.Compute/images/delete",
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Network/virtualNetworks/subnets/join/action"
+ ]
+ },
+ "notActions": {
+ "value": []
+ },
+ "dataActions": {
+ "value": []
+ },
+ "notDataActions": {
+ "value": []
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md
new file mode 100644
index 0000000000..c0957284dd
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md
@@ -0,0 +1,43 @@ +# Role Definitions + +This module deploys custom RBAC Role Definitions. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Authorization/roleDefinitions`|2018-07-01| +|`Microsoft.Resources/deployments`|2018-02-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `roleName` | string | | | Required. Name of the custom RBAC role to be created. +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. +| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created. +| `actions` | array | [] | | Optional. List of allowed actions. +| `notActions` | array | [] | | Optional. List of denied actions. +| `dataActions` | array | [] | | Optional. List of allowed data actions. +| `notDataActions` | array | [] | | Optional. List of denied data actions. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `definitionId` | string | The id of the role definition that was created. | +| `definitionScope` | string | The scope (subscription or resource group) this definition was created on. | + +## Considerations + +This module can be deployed both at subscription or resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. 
+ +## Additional resources + +- [Understand Azure role definitions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions) +- [Microsoft.Authorization roleDefinitions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Automanage/accounts/deploy.json b/arm/Microsoft.Automanage/accounts/deploy.json new file mode 100644 index 0000000000..d5ec8d9cb3 --- /dev/null +++ b/arm/Microsoft.Automanage/accounts/deploy.json 
@@ -0,0 +1,269 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "autoManageAccountSubscriptionId": { + "type": "string", + "metadata": { + "description": "Required. The Subscription id where automanage will be created" + } + }, + "autoManageAccountResourceGroup": { + "type": "string", + "metadata": { + "description": "Required. The resource group name where automanage will be created" + } + }, + "autoManageAccountName": { + "type": "string", + "metadata": { + "description": "Required. The name of automanage account" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Required. Location for all Resources." + } + }, + "vMResourceGroup": { + "type": "string", + "metadata": { + "description": "Required. The name of the VM resourcegroup" + } + }, + "vMName": { + "type": "string", + "metadata": { + "description": "Required. The name of the VM to be associated" + } + }, + "configurationProfile": { + "type": "string", + "defaultValue": "Production", + "allowedValues": [ + "Production", + "Dev/Test" + ], + "metadata": { + "description": "Required. The configuration profile of automanage, by default it is the best practices - prod" + } + }, + "autoManageAccountDeployName": { + "type": "string", + "defaultValue": "[concat(parameters('autoManageAccountName'), '-', utcNow('yyyyMMddHHmmss'))]", + "metadata": { + "description": "Required. The name of the deployment name" + } + }, + "assignmentDeployName": { + "type": "string", + "defaultValue": "[concat('AssignmentDeployment-', parameters('vMName'))]", + "metadata": { + "description": "Required. The name of the deployment - assignment Id" + } + }, + "createAutoManageAccount": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Required. 
The flag to confirm creation of automanage" + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered." + } + } + }, + "variables": { + "autoManageAccountResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',parameters('autoManageAccountResourceGroup'),'/providers/','Microsoft.Automanage/accounts/',parameters('autoManageAccountName'))]", + "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "resourcePolicyContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]" + + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "condition": "[and(parameters('createAutoManageAccount'), equals(parameters('autoManageAccountSubscriptionId'), subscription().subscriptionId))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[parameters('autoManageAccountDeployName')]", + "resourceGroup": "[parameters('autoManageAccountResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('autoManageAccountResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "autoManageAccountName": { + "value": 
"[parameters('autoManageAccountName')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "autoManageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Automanage/accounts", + "apiVersion": "2020-06-30-preview", + "name": "[parameters('autoManageAccountName')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + } + } + ], + "outputs": { + "principalId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Automanage/accounts', parameters('autoManageAccountName')), '2020-06-30-preview', 'Full').Identity.principalId]" + } + } + } + } + }, + { + "condition": "[parameters('createAutoManageAccount')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('autoManageAccountName'), parameters('autoManageAccountResourceGroup'), variables('contributor'))]", + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('autoManageAccountResourceGroup'))]", + "[parameters('autoManageAccountDeployName')]" + ], + "properties": { + "roleDefinitionId": "[variables('contributor')]", + "principalId": "[if(parameters('createAutoManageAccount'), reference(parameters('autoManageAccountDeployName')).outputs.principalId.value, 'resource not deployed')]", + "principalType": "ServicePrincipal", + "scope": "[subscription().id]" + } + }, + { + "condition": "[parameters('createAutoManageAccount')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(parameters('autoManageAccountName'), parameters('autoManageAccountResourceGroup'), variables('resourcePolicyContributor'))]", + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 
parameters('autoManageAccountResourceGroup'))]", + "[parameters('autoManageAccountDeployName')]" + ], + "properties": { + "roleDefinitionId": "[variables('resourcePolicyContributor')]", + "principalId": "[if(parameters('createAutoManageAccount'), reference(parameters('autoManageAccountDeployName')).outputs.principalId.value, 'resource not deployed')]", + "principalType": "ServicePrincipal", + "scope": "[subscription().id]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[parameters('assignmentDeployName')]", + "resourceGroup": "[parameters('vMResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('autoManageAccountResourceGroup'))]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('autoManageAccountResourceGroup'))]", + "[parameters('autoManageAccountDeployName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "vMName": { + "value": "[parameters('vMName')]" + }, + "configurationProfile": { + "value": "[parameters('configurationProfile')]" + }, + "autoManageAccountResourceId": { + "value": "[variables('autoManageAccountResourceId')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vMName": { + "type": "string" + }, + "configurationProfile": { + "type": "string" + }, + "autoManageAccountResourceId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments", + "apiVersion": "2020-06-30-preview", + "name": "[concat(parameters('vMName'), '/Microsoft.Automanage/default')]", + "properties": { + "accountId": "[parameters('autoManageAccountResourceId')]", + "configurationProfile": "[parameters('configurationProfile')]", + "configurationProfilePreferenceId": null + } + } + 
] + } + } + } + ], + "functions": [ + ], + "outputs": { + "autoManageAccountResourceId": { + "type": "string", + "value": "[variables('autoManageAccountResourceId')]", + "metadata": { + "description": "The Resource Id of the AutoManage account." + } + }, + "autoManageAccountName": { + "type": "string", + "value": "[parameters('autoManageAccountName')]", + "metadata": { + "description": "The Name of the Auto Manage Account." + } + }, + "autoManageAccountResourceGroup": { + "type": "string", + "value": "[parameters('autoManageAccountResourceGroup')]", + "metadata": { + "description": "The name of the Resource Group the AutoManage Account was created in." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Automanage/accounts/parameters/parameters.json b/arm/Microsoft.Automanage/accounts/parameters/parameters.json new file mode 100644 index 0000000000..3c02a433b5 --- /dev/null +++ b/arm/Microsoft.Automanage/accounts/parameters/parameters.json @@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "autoManageAccountSubscriptionId": { + "value": "" + }, + "autoManageAccountResourceGroup": { + "value": "" + }, + "autoManageAccountName": { + "value": "" + }, + "location": { + "value": "" + }, + "vMResourceGroup": { + "value": "" + }, + "vMName": { + "value": "" + }, + "configurationProfile": { + "value": "" + }, + "autoManageAccountDeployName": { + "value": "" + }, + "assignmentDeployName": { + "value": "" + }, + "createAutoManageAccount": { + "value": true + } + } +} \ No newline at end of file 
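Review bot: In `arm/Microsoft.Automanage/accounts/deploy.json` the two `Microsoft.Authorization/roleAssignments` resources are gated only on `createAutoManageAccount`, while the nested account deployment whose `outputs.principalId` they read also requires `autoManageAccountSubscriptionId` to equal the current subscription. When the IDs differ, that deployment is skipped and both `reference(parameters('autoManageAccountDeployName'))` calls have nothing to resolve. Give both assignments the same gate: `"condition": "[and(parameters('createAutoManageAccount'), equals(parameters('autoManageAccountSubscriptionId'), subscription().subscriptionId))]"`. These assignments grant the `contributor` and `resourcePolicyContributor` roles to the account's system-assigned identity with `scope` set to `subscription().id`, so the `createAutoManageAccount` description should state that subscription-wide grant for whoever approves the deployment.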
diff --git a/arm/Microsoft.Automanage/accounts/readme.md b/arm/Microsoft.Automanage/accounts/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..f98188a8dbfacea05e901792b1867e63d6681dd1 GIT binary patch literal 5718 zcmeI0U2hXd6o%)zQvbt>TqK|-ZVEywcUCH;T+l?2<|aY{J9cmt+o{(9f%xsT?=#0I zGrQik9k~c0RV%M|cg~!T_k7Hm`RB_{C_*>fhIyEV7vXJ~=yw$c;m7bp{GEk&VH8SH zjYV-O%4>}ldK!cqJx{~OILgdsPK7x3bxk#QB00QIG@t)c*HmL8JajE>q6VQ8 zwVmntR&uXng!N-YO*C3+9RAZtMMU9)j`YI|!-x(ZCN>Pe(@4$8{V;5^C;7P>RZPJKQ%a&6i2#RQnS3o(>lI8It z{IQ_7c=YVDx8KBLsBvlm`FyVDYrT<&WW}kpw&?CfKNa$?Q;^}%z@v3Ok;#=dyX!(P~J%-o!($Hcy9e-f7) z&8(vjpZCfJm%kex>UzD9X_ASFzlG{Zvj>X01C3IRL76IzoI*$sb*EDDcB#AD=6V#0 zMX$BhdQ*hwu?{E9L2P*~=vFF5Zma9RIeu+ute5MuzzSSUko}{?ap4 z7k9Om_-U)M?YdFbi3IONR^=bHswYjXI_K*q9WJP{CVB-YK3IiJ0=a=r^tez_$xU)S zYVwHcE@Ck6=c_f`(d@~FX^czO7J?_^YLtR|Fjv$RgqDzZ0gVdm9^Q2r7Lop) zouBdd>O}^4S)<4&^EsEe|b=E*$HN^(3WMwLSGBXOhZ(mF}|? z+GEM8pH)z^$D-l{Vn1dxCj_7LL_T-KiPe)mg>@_JfSb-d>KH@E2}XT)$_YqY#FnZ- zAZvE!`wZX9d>ft5VG;SDTzktvlb!{rf)#7x5INzF+_TWBgxl CCf@1* literal 0 HcmV?d00001 diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/deploy.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/deploy.json new file mode 100644 index 0000000000..5d82b80044 --- /dev/null +++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/deploy.json 
@@ -0,0 +1,473 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "deploymentScheduleName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Deployment schedule." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for the resource." + } + }, + "automationAccountName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Automation Account to deploy the schedule to." + } + }, + "operatingSystem": { + "type": "string", + "allowedValues": [ + "Windows", + "Linux" + ], + "metadata": { + "description": "Required. The operating system to be configured by the deployment schedule." + } + }, + "maintenanceWindow": { + "type": "string", + "defaultValue": "PT2H", + "metadata": { + "description": "Required. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601" + } + }, + "updateClassifications": { + "type": "array", + "allowedValues": [ + "Critical", //Both + "Security", //Both + "UpdateRollup", //Windows only + "FeaturePack", //Windows only + "ServicePack", //Windows only + "Definition", //Windows only + "Tools", //Windows only + "Updates", //Windows only + "Other" //Linux only + ], + "defaultValue": [ + "Critical", + "Security" + ], + "metadata": { + "description": "Optional. Update classification included in the deployment schedule." + } + }, + "rebootSetting": { + "type": "string", + "allowedValues": [ + "IfRequired", + "Never", + "RebootOnly", + "Always" + ], + "metadata": { + "description": "Required. Reboot setting for the deployment schedule." + } + }, + "excludeUpdates": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. KB numbers or Linux packages excluded in the deployment schedule." 
+ } + }, + "includeUpdates": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. KB numbers or Linux packages included in the deployment schedule." + } + }, + "scopeByResources": { + "type": "array", + "defaultValue": [ + "[subscription().id]" + ], + "metadata": { + "description": "Optional. Specify the resources to scope the deployment schedule to." + } + }, + "scopeByTags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specify tags to which to scope the deployment schedule to." + } + }, + "scopeByTagsOperation": { + "type": "string", + "defaultValue": "All", + "allowedValues": [ + "All", + "Any" + ], + "metadata": { + "description": "Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B)." + } + }, + "scopeByLocations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Specify locations to which to scope the deployment schedule to." + } + }, + "preTaskParameters": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Parameters provided to the task running before the deployment schedule." + } + }, + "preTaskSource": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The source of the task running before the deployment schedule." + } + }, + "postTaskParameters": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Parameters provided to the task running after the deployment schedule." + } + }, + "postTaskSource": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The source of the task running after the deployment schedule." + } + }, + "interval": { + "type": "int", + "maxValue": 100, + "defaultValue": 0, + "metadata": { + "description": "Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc." 
+ } + }, + "frequency": { + "type": "string", + "allowedValues": [ + "OneTime", + "Hour", + "Day", + "Week", + "Month" + ], + "metadata": { + "description": "Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided." + } + }, + "isEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enables the deployment schedule." + } + }, + "timeZone": { + "type": "string", + "defaultValue": "UTC", + "metadata": { + "description": "Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID." + } + }, + "nonAzureQueries": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule." + } + }, + "azureVirtualMachines": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of azure resource Ids for azure virtual machines in scope for the deployment schedule." + } + }, + "nonAzureComputerNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of names of non-azure machines in scope for the deployment schedule." + } + }, + "weekDays": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Monday", + "Tuesday", + "Wednesday", + "Thursday", + "Friday", + "Saturday", + "Sunday" + ], + "metadata": { + "description": "Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule." + } + }, + "monthDays": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 16, + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31 + ], + "metadata": { + "description": "Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule." 
+ } + }, + "monthlyOccurrences": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule." + } + }, + "startTime": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00." + } + }, + "expiryTime": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00" + } + }, + "expiryTimeOffsetMinutes": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. The expiry time's offset in minutes." + } + }, + "nextRun": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The next run time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00" + } + }, + "nextRunOffsetMinutes": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. The next run time's offset in minutes." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The schedules description." + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not touch. Is used to provide the base time for time comparrison for startTime. 
If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "functions": [ + { + "namespace": "Array", + "members": { + "ConvertToString": { + "parameters": [ + { + "name": "arrayToConvert", + "type": "array" + } + ], + "output": { + "type": "string", + "value": "[replace(replace(replace(replace(string(parameters('arrayToConvert')),',',', '),'[',''),']',''),'\"','')]" + } + } + } + } + ], + "variables": { + "updateClassifications": "[if(equals(parameters('operatingSystem'), 'Windows'), + 'includedUpdateClassifications', + 'includedPackageClassifications' + )]", + "exclude": "[if(equals(parameters('operatingSystem'), 'Windows'), + 'excludedKbNumbers', + 'excludedPackageNameMasks' + )]", + "include": "[if(equals(parameters('operatingSystem'), 'Windows'), + 'includedKbNumbers', + 'includedPackageNameMasks' + )]", + "timeLimit": "[dateTimeAdd(parameters('baseTime'), 'PT5M', 'u')]", + "providedStartTime": "[dateTimeAdd(parameters('startTime'), 'PT0S', 'u')]", + "startTime": "[ + if( greater( variables('providedStartTime'), variables('timeLimit') ), + variables('providedStartTime'), + dateTimeAdd(variables('providedStartTime'), 'P1D', 'u') + )]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "condition": "[not(empty(parameters('cuaId')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations", + "name": 
"[concat(parameters('automationAccountName'),'/',parameters('DeploymentScheduleName'))]", + "apiVersion": "2019-06-01", + "location": "[parameters('location')]", + "properties": { + "updateConfiguration": { + "operatingSystem": "[parameters('operatingSystem')]", + "duration": "[parameters('maintenanceWindow')]", + "[parameters('operatingSystem')]": { + "[variables('updateClassifications')]": "[Array.ConvertToString(parameters('updateClassifications'))]", + "[variables('exclude')]": "[parameters('excludeUpdates')]", + "[variables('include')]": "[parameters('includeUpdates')]", + "rebootSetting": "[parameters('rebootSetting')]" + }, + "targets": { + "azureQueries": [ + { + "scope": "[parameters('scopeByResources')]", + "tagSettings": { + "tags": "[parameters('scopeByTags')]", + "filterOperator": "[parameters('scopeByTagsOperation')]" + }, + "locations": "[parameters('scopeByLocations')]" + } + ], + "nonAzureQueries": "[parameters('nonAzureQueries')]" + }, + "azureVirtualMachines": "[parameters('azureVirtualMachines')]", + "nonAzureComputerNames": "[parameters('nonAzureComputerNames')]" + }, + "tasks": { + "preTask": { + "parameters": "[parameters('preTaskParameters')]", + "source": "[parameters('preTaskSource')]" + }, + "postTask": { + "parameters": "[parameters('postTaskParameters')]", + "source": "[parameters('postTaskSource')]" + } + }, + "scheduleInfo": { + "interval": "[parameters('interval')]", + "frequency": "[parameters('frequency')]", + "isEnabled": "[parameters('isEnabled')]", + "timeZone": "[parameters('timeZone')]", + "advancedSchedule": { + "weekDays": "[if(empty(parameters('weekDays')),null(),parameters('weekDays'))]", + "monthDays": "[if(empty(parameters('monthDays')),null(),parameters('monthDays'))]", + "monthlyOccurrences": "[if(empty(parameters('monthlyOccurrences')),null(),parameters('monthlyOccurrences'))]" + }, + "startTime": "[variables('startTime')]", + "expiryTime": "[parameters('expiryTime')]", + "expiryTimeOffsetMinutes": 
"[parameters('expiryTimeOffsetMinutes')]", + "nextRun": "[parameters('nextRun')]", + "nextRunOffsetMinutes": "[parameters('nextRunOffsetMinutes')]", + "description": "[parameters('description')]" + } + } + } + ], + "outputs": { + "deploymentScheduleName": { + "type": "string", + "value": "[concat(parameters('automationAccountName'),'/',parameters('DeploymentScheduleName'))]", + "metadata": { + "description": "The name of the Software Update Configuration." + } + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Automation/automationAccounts/softwareUpdateConfigurations', parameters('automationAccountName'),parameters('DeploymentScheduleName'))]", + "metadata": { + "description": "The Resource Id of the Software Update Configuration." + } + }, + "automationAccountName": { + "type": "string", + "value": "[parameters('automationAccountName')]", + "metadata": { + "description": "The Automation Account the Software Update Configuration was deployed to." + } + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Software Update Configuration was deployed to." + } + } + } +} diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave1.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave1.parameters.json new file mode 100644 index 0000000000..f987e14c10 --- /dev/null +++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave1.parameters.json 
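Review bot: `startTime` is declared with `"defaultValue": ""` and described as "Optional.", but the `providedStartTime` variable passes it unguarded into `dateTimeAdd(parameters('startTime'), 'PT0S', 'u')`. An empty string is presumably not a parseable date-time, so a deployment that omits the parameter would likely fail at template evaluation instead of creating the patch schedule. Either remove the default and change the description to start with `Required.`, or guard the variable with `if(empty(parameters('startTime')), ...)` and document which start time is then used. In the same parameters block, the `monthlyOccurrences` description names the key `occurance`, while the parameter files in this commit pass `occurrence`; the description should read `{occurrence(int),day(string)}` so callers do not send a key the resource ignores.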
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Linux_Wave1"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Linux"
+ },
+ "scopeByTags": {
+ "value": {
+ "Update": [
+ "Automatic-Wave1"
+ ]
+ }
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security",
+ "Other"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Week"
+ },
+ "weekDays": {
+ "value": [
+ "Friday"
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave2.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave2.parameters.json
new file mode 100644
index 0000000000..10bd3d3be0
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_Automatic-Wave2.parameters.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Linux_Wave2"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Linux"
+ },
+ "scopeByTags": {
+ "value": {
+ "Update": [
+ "Automatic-Wave2"
+ ]
+ }
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security",
+ "Other"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Week"
+ },
+ "weekDays": {
+ "value": [
+ "Saturday"
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_CatchAll.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_CatchAll.parameters.json
new file mode 100644
index 0000000000..981c2ccb75
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_CatchAll.parameters.json
@@ -0,0 +1,44 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Linux_CatchAll"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Linux"
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Month"
+ },
+ "monthlyOccurrences": {
+ "value": [
+ {
+ "occurrence": 4,
+ "day": "Saturday"
+ }
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
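Review bot: Linux_CatchAll.parameters.json sets neither `scopeByTags` nor `scopeByResources`, so it inherits the template defaults `"[subscription().id]"` and `{}`. As far as the visible template shows, the schedule then targets every machine in the subscription, with `rebootSetting` set to `IfRequired`. If that breadth is intended, state it in the file rather than leaving it implicit, e.g. `"scopeByResources": { "value": [ "<subscription-or-resource-group-resource-id>" ] }`, so a later change to the template default cannot silently widen or narrow what gets patched and rebooted. The same applies to the Linux_ZeroDay, Windows_Automatic-DefUpdate, Windows_CatchAll and Windows_ZeroDay parameter files later in this commit.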
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_ZeroDay.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_ZeroDay.parameters.json
new file mode 100644
index 0000000000..86d378990f
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Linux_ZeroDay.parameters.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Linux_ZeroDay"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Linux"
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security"
+ ]
+ },
+ "includeUpdates": {
+ "value": [
+ "kernel"
+ ]
+ },
+ "excludeUpdates": {
+ "value": [
+ "icacls"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "frequency": {
+ "value": "OneTime"
+ },
+ "startTime": {
+ "value": "2021-12-31T06:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-DefUpdate.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-DefUpdate.parameters.json
new file mode 100644
index 0000000000..ad178cfab0
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-DefUpdate.parameters.json
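Review bot: The `excludeUpdates` value `icacls` in Linux_ZeroDay.parameters.json is the name of a Windows command-line utility, not a Linux package name mask, so the exclusion presumably matches nothing on the Linux targets and looks like a leftover sample value. An exclusion that never matches gives a false sense that something is being held back from an emergency patch run; replace it with a real package mask or remove the `excludeUpdates` entry from this file. The `startTime` value `2021-12-31T06:00` also omits the seconds that the template description gives as `YYYY-MM-DDTHH:MM:SS`; writing `2021-12-31T06:00:00` keeps the sample consistent with the documented format.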
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Windows_DefUpdate"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Windows"
+ },
+ "maintenanceWindow": {
+ "value": "PT1H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Definition"
+ ]
+ },
+ "rebootSetting": {
+ "value": "Never"
+ },
+ "interval": {
+ "value": 8
+ },
+ "frequency": {
+ "value": "Hour"
+ },
+ "startTime": {
+ "value": "00:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave1.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave1.parameters.json
new file mode 100644
index 0000000000..782de9364d
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave1.parameters.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Windows_Wave1"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Windows"
+ },
+ "scopeByTags": {
+ "value": {
+ "Update": [
+ "Automatic-Wave1"
+ ]
+ }
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security",
+ "UpdateRollup",
+ "FeaturePack",
+ "ServicePack",
+ "Definition",
+ "Tools",
+ "Updates"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Month"
+ },
+ "monthlyOccurrences": {
+ "value": [
+ {
+ "occurrence": 3,
+ "day": "Friday"
+ }
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave2.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave2.parameters.json
new file mode 100644
index 0000000000..42b57877ac
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_Automatic-Wave2.parameters.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Windows_Wave2"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Windows"
+ },
+ "scopeByTags": {
+ "value": {
+ "Update": [
+ "Automatic-Wave2"
+ ]
+ }
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security",
+ "UpdateRollup",
+ "FeaturePack",
+ "ServicePack",
+ "Definition",
+ "Tools",
+ "Updates"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Month"
+ },
+ "monthlyOccurrences": {
+ "value": [
+ {
+ "occurrence": 3,
+ "day": "Saturday"
+ }
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_CatchAll.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_CatchAll.parameters.json
new file mode 100644
index 0000000000..3c5c975f97
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_CatchAll.parameters.json
@@ -0,0 +1,44 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Windows_CatchAll"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Windows"
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical",
+ "Security"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "interval": {
+ "value": 1
+ },
+ "frequency": {
+ "value": "Month"
+ },
+ "monthlyOccurrences": {
+ "value": [
+ {
+ "occurrence": 4,
+ "day": "Saturday"
+ }
+ ]
+ },
+ "startTime": {
+ "value": "22:00"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_ZeroDay.parameters.json b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_ZeroDay.parameters.json
new file mode 100644
index 0000000000..51df67d13a
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/parameters/Windows_ZeroDay.parameters.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentScheduleName": {
+ "value": "Windows_ZeroDay"
+ },
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-741"
+ },
+ "operatingSystem": {
+ "value": "Windows"
+ },
+ "maintenanceWindow": {
+ "value": "PT4H"
+ },
+ "updateClassifications": {
+ "value": [
+ "Critical"
+ ]
+ },
+ "includeUpdates": {
+ "value": [
+ "KB123456"
+ ]
+ },
+ "excludeUpdates": {
+ "value": [
+ "KB654321"
+ ]
+ },
+ "rebootSetting": {
+ "value": "IfRequired"
+ },
+ "frequency": {
+ "value": "OneTime"
+ },
+ "startTime": {
+ "value": "2021-12-31T06:00"
+ },
+ "timeZone": {
+ "value": "Europe/Oslo"
+ }
+ }
+}
diff --git a/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/readme.md b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/readme.md
new file mode 100644
index 0000000000..806324985d
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccountSoftwareUpdateConfigurations/readme.md
@@ -0,0 +1,122 @@ +# Software Update Configuration + +This module deploys a Software Update Configuration into an existing Automation Account. +Also known as Patch Management, Update Management and patch deployment schedules. + +## Resource types + +| Resource Type | Api Version | +| :--------------------------------------------------------------------- | :---------- | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Automation/automationAccounts/softwareUpdateConfigurations` | 2019-06-01 | + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +- Microsoft.Automation/automationAccounts + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------------ | :----- | :-------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `automationAccountName` | string | | | Required. Name of the Automation Account to deploy the schedule to. | +| `azureVirtualMachines` | array | [] | | Optional. List of azure resource Ids for azure virtual machines in scope for the deployment schedule. | +| `baseTime` | string | [utcNow('u')] | | Generated. Do not touch. Is used to provide the base time for time comparrison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | +| `cuaId` | string | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `deploymentScheduleName` | string | | | Required. The name of the Deployment schedule. | +| `description` | string | | | Optional. The schedules description. | +| `excludeUpdates` | array | [] | | Optional. KB numbers or Linux packages excluded in the deployment schedule. | +| `expiryTime` | string | | | Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | +| `expiryTimeOffsetMinutes` | int | 0 | | Optional. The expiry time's offset in minutes. | +| `frequency` | string | | "OneTime","Hour","Day","Week","Month" | Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | +| `includeUpdates` | array | [] | | Optional. KB numbers or Linux packages included in the deployment schedule. | +| `interval` | int | 0 | 0-100 | Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | +| `isEnabled` | bool | True | | Optional. Enables the deployment schedule. | +| `location` | string | [resourceGroup().location] | | Optional. Location for the resource. | +| `maintenanceWindow` | string | PT2H | [ISO 8601 Duration format](https://en.wikipedia.org/wiki/ISO_8601#Durations) | Required. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601 | +| `monthDays` | array | [] | 1-31 | Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. | +| `monthlyOccurrences` | array | [] | | Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. 
Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | +| `nextRun` | string | | | Optional. The next run time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | +| `nextRunOffsetMinutes` | int | 0 | | Optional. The next run time's offset in minutes. | +| `nonAzureComputerNames` | array | [] | | Optional. List of names of non-azure machines in scope for the deployment schedule. | +| `nonAzureQueries` | array | [] | | Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | +| `operatingSystem` | string | | 'Windows', 'Linux' | Required. The operating system to be configured by the deployment schedule. | +| `postTaskParameters` | object | | | Optional. Parameters provided to the task running after the deployment schedule. | +| `postTaskSource` | string | | | Optional. The source of the task running after the deployment schedule. | +| `preTaskParameters` | object | | | Optional. Parameters provided to the task running before the deployment schedule. | +| `preTaskSource` | string | | | Optional. The source of the task running before the deployment schedule. | +| `rebootSetting` | string | | 'IfRequired', 'Never', 'RebootOnly', 'Always' | Required. Reboot setting for the deployment schedule. | +| `scopeByLocations` | array | [] | | Optional. Specify locations to which to scope the deployment schedule to. | +| `scopeByResources` | array | [subscription().id] | ResourceIDs of subscriptions, resourceGroups and virtual machines | Optional. Specify the resources to scope the deployment schedule to. | +| `scopeByTags` | object | | | Optional. Specify tags to which to scope the deployment schedule to. | +| `scopeByTagsOperation` | string | All | 'All', 'Any' | Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). 
| +| `startTime` | string | | ISO 8601 [Date](https://en.wikipedia.org/wiki/ISO_8601#Dates) and [Time](https://en.wikipedia.org/wiki/ISO_8601#Times) format, YYYY-MM-DDTHH:MM:SS or HH:MM | Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. | +| `timeZone` | string | UTC | IANA ID or Windows Time Zone ID, i.e. Europe/London or America/New_York | Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | +| `updateClassifications` | array | ['Critical','Security'] | 'Critical', 'Security', 'UpdateRollup', 'FeaturePack', 'ServicePack', 'Definition', 'Tools', 'Updates', 'Other' | Optional. Update classification included in the deployment schedule. | +| `weekDays` | array | [] | 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday' | Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. | + +### Parameter Usage: `scopeByTags` + +Provide tag keys, with an array of values, filtering in machines that should be included in the deployment schedule. + +| Property name | Type | Possible values | Description | +| :------------ | :---- | :-------------- | :---------- | +| \ | array | string | tag values | + +```json +"scopeByTags": { + "value": { + "Update": [ + "Automatic" + ], + "MaintenanceWindow": [ + "1-Sat-22" + ] + } +} +``` + +### Parameter Usage: `monthlyOccurrences` + +Occurrences of days within a month. + +| Property name | Type | Possible values | Description | +| :------------ | :----- | :------------------------------------------------------------- | :----------------------------------------------------------------------------------- | +| `occurance` | int | 1-5 | Occurrence of the week within the month. 
Must be between 1 and 5, where 5 is "last". | +| `day` | string | Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday | Day of the occurrence. | + +```json +"monthlyOccurrences": { + "value": [ + { + "occurrence": 1, + "day": "Monday" + }, + { + "occurrence": 2, + "day": "Friday" + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :----------------------- | :----- | :------------------------------------------------------------------------ | +| `automationAccountName` | string | The Automation Account the Software Update Configuration was deployed to. | +| `deploymentScheduleName` | string | The name of the Software Update Configuration. | +| `resourceGroupName` | string | The Resource Group the Software Update Configuration was deployed to. | +| `resourceId` | string | The Resource Id of the Software Update Configuration. | + +## Considerations + +- *None* + +## Additional resources + +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts/softwareupdateconfigurations) +- [ISO 8601 Time format](https://en.wikipedia.org/wiki/ISO_8601) +- [IANA time zone list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) +- [Update classifications - Update Management | Microsoft Docs](https://docs.microsoft.com/en-us/azure/automation/update-management/overview#update-classifications) diff --git a/arm/Microsoft.Automation/automationAccounts/deploy.json b/arm/Microsoft.Automation/automationAccounts/deploy.json new file mode 100644 index 0000000000..5c37f962f5 --- /dev/null +++ b/arm/Microsoft.Automation/automationAccounts/deploy.json 
@@ -0,0 +1,762 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationAccountName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Automation Account"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Basic",
+ "allowedValues": [
+ "Free",
+ "Basic"
+ ],
+ "metadata": {
+ "description": "Optional. SKU name of the account"
+ }
+ },
+ "runbooks": {
+ "type": "array",
+ "minLength": 0,
+ "metadata": {
+ "description": "Optional. List of runbooks to be created in the automation account"
+ },
+ "defaultValue": [
+ ]
+ },
+ "sasTokenValidityLength": {
+ "defaultValue": "PT8H",
+ "type": "string",
+ "metadata": {
+ "description": "Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours."
+ }
+ },
+ "schedules": {
+ "type": "array",
+ "minLength": 0,
+ "metadata": {
+ "description": "Optional. List of schedules to be created in the automation account"
+ },
+ "defaultValue": [
+ ]
+ },
+ "jobSchedules": {
+ "type": "array",
+ "minLength": 0,
+ "metadata": {
+ "description": "Optional. List of jobSchedules to be created in the automation account"
+ },
+ "defaultValue": [
+ ]
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Automation Account from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the Automation Account resource."
+ }
+ },
+ "baseTime": {
+ "type": "string",
+ "defaultValue": "[utcNow('u')]",
+ "metadata": {
+ "description": "Optional. Time used as a basis for e.g. the schedule start date"
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "JobLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "JobStreams",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DscNodeStatus",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "dummyJobSchedule": {
+ "jobScheduleName": "dummyJobScheduleValue"
+ },
+ "dummySchedule": {
+ "scheduleName": "dummScheduleValue"
+ },
+ "dummyRunbooks": {
+ "runbookName": "dummRunbookValue"
+ },
+ "jobSchedules": "[if(greater(length(parameters('jobSchedules')),0),parameters('jobSchedules'), array(variables('dummyJobSchedule')))]",
+ "schedules": "[if(greater(length(parameters('schedules')),0),parameters('schedules'), array(variables('dummySchedule')))]",
+ "runbooks": "[if(greater(length(parameters('runbooks')),0),parameters('runbooks'), array(variables('dummyRunbooks')))]",
+ "accountSasProperties": {
+ "signedServices": "b", //Blob (b), Queue (q), Table (t), File (f).
+ "signedPermission": "r", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p)
+ "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z
+ "signedResourceTypes": "o", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files.
+ "signedProtocol": "https"
+ },
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
+ "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Automation/automationAccounts", + "apiVersion": "2020-01-13-preview", + "name": "[parameters('automationAccountName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]" + } + }, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": 
"[concat(parameters('automationAccountName'), '/Microsoft.Authorization/automationAccountDoNotDelete')]", + "dependsOn": [ + "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]" + ], + "comments": "Resource lock on Automation Account", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "condition": "[not(empty(array(parameters('runbooks'))))]", + "type": 
"Microsoft.Resources/deployments", + "name": "[concat('runbook-', if(empty(parameters('runbooks')), 'dummy', copyIndex('runbookCopy')))]", + "apiVersion": "2020-06-01", + "copy": { + "name": "runbookCopy", + "count": "[if(not(empty(variables('runbooks'))), length(variables('runbooks')), 1)]" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/runbooks", + "name": "[concat(parameters('automationAccountName'), '/', variables('runbooks')[copyIndex()].runbookName)]", + "apiVersion": "2018-06-30", + "location": "[resourceGroup().location]", + "properties": { + "runbookType": "[if(empty(variables('runbooks')[copyIndex()].runbookType), json('null'), variables('runbooks')[copyIndex()].runbookType)]", + "publishContentLink": { + "uri": "[if(empty(variables('runbooks')[copyIndex()].runbookScriptUri), json('null'), concat(variables('runbooks')[copyIndex()].runbookScriptUri, if(contains(variables('runbooks')[copyIndex()], 'scriptStorageAccountId'), concat('?', listAccountSas(variables('runbooks')[copyIndex()].scriptStorageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken),'')))]", + "version": "[if(empty(variables('runbooks')[copyIndex()].version), json('null'), variables('runbooks')[copyIndex()].version)]" + } + } + } + ] + } + }, + "dependsOn": [ + "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]" + ] + }, + { + "condition": "[not(empty(array(parameters('schedules'))))]", + "type": "Microsoft.Resources/deployments", + "name": "[concat('schedule-', if(empty(parameters('schedules')), 'dummy', copyIndex('schedulesCopy')))]", + "apiVersion": "2020-06-01", + "copy": { + "name": "schedulesCopy", + "count": "[length(variables('schedules'))]" + }, + "properties": { + "mode": "Incremental", + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/schedules", + "name": "[concat(parameters('automationAccountName'), '/', variables('schedules')[copyIndex()].scheduleName)]", + "apiVersion": "2015-10-31", + "location": "[resourceGroup().location]", + "properties": { + "startTime": "[if(empty(variables('schedules')[copyIndex()].startTime), dateTimeAdd(parameters('baseTime'), 'PT10M'), variables('schedules')[copyIndex()].startTime)]", + "frequency": "[variables('schedules')[copyIndex()].frequency]", + "expiryTime": "[if(empty(variables('schedules')[copyIndex()].expiryTime), json('null'), variables('schedules')[copyIndex()].expiryTime)]", + "interval": "[if(equals(0, variables('schedules')[copyIndex()].interval), json('null'), variables('schedules')[copyIndex()].interval)]", + "timeZone": "[if(empty(variables('schedules')[copyIndex()].timeZone), json('null'), variables('schedules')[copyIndex()].timeZone)]", + "advancedSchedule": "[if(empty(variables('schedules')[copyIndex()].advancedSchedule), json('null'), variables('schedules')[copyIndex()].advancedSchedule)]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]" + ] + }, + { + "condition": "[not(empty(array(parameters('jobSchedules'))))]", + "type": "Microsoft.Resources/deployments", + "name": "[concat('jobschedule-', if(empty(parameters('jobSchedules')), 'dummy', copyIndex('jobSchedulesCopy')))]", + "apiVersion": "2020-06-01", + "copy": { + "name": "jobSchedulesCopy", + "count": "[length(variables('jobSchedules'))]" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/jobSchedules", 
+ "name": "[concat(parameters('automationAccountName'), '/', guid(variables('jobSchedules')[copyIndex()].jobScheduleName))]", + "apiVersion": "2015-10-31", + "location": "[resourceGroup().location]", + "properties": { + "schedule": { + "name": "[variables('jobSchedules')[copyIndex()].scheduleName]" + }, + "runbook": { + "name": "[variables('jobSchedules')[copyIndex()].runbookName]" + }, + "runOn": "[if(empty(variables('jobSchedules')[copyIndex()].runOn), json('null'), variables('jobSchedules')[copyIndex()].runOn)]", + "parameters": "[if(empty(variables('jobSchedules')[copyIndex()].parameters), json('null'), variables('jobSchedules')[copyIndex()].parameters)]" + } + } + ] + } + }, + "dependsOn": [ + "runbookCopy", + "schedulesCopy" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Automation-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[parameters('automationAccountName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } 
+ }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('automationAccountName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "automationAccountName": { + "value": "[parameters('automationAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "automationAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/roleAssignments", + "apiVersion": 
"2018-09-01-preview", + "name": "[concat(parameters('automationAccountName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('automationAccountName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "automationAccountResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccountName'))]", + "metadata": { + "description": "The Resource Id of the Automation Account." + } + }, + "automationAccountResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Automation Account was deployed to." + } + }, + "automationAccountName": { + "type": "string", + "value": "[parameters('automationAccountName')]", + "metadata": { + "description": "The Name of the Automation Account." + } + }, + "dummyObject": { + "type": "array", + "value": "[variables('jobSchedules')]", + "metadata": { + "description": "The Name of the Automation Account." + } + }, + "dummyString": { + "type": "array", + "value": "[variables('schedules')]", + "metadata": { + "description": "The Name of the Automation Account." + } + } + } +} \ No newline at end of file 
diff --git a/arm/Microsoft.Automation/automationAccounts/parameters/parameters.json b/arm/Microsoft.Automation/automationAccounts/parameters/parameters.json
new file mode 100644
index 0000000000..4cf5c8567d
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccounts/parameters/parameters.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationAccountName": {
+ "value": "sxx-wd-aut-weu-x-001"
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "schedules": {
+ "value": [
+ {
+ "scheduleName": "ScalingRunbook_Schedule", // The schedule name.
+ "startTime": "", // Gets or sets the start time of the schedule.
+ "expiryTime": "9999-12-31T23:59:00+00:00", // Gets or sets the end time of the schedule.
+ "interval": 15, // Gets or sets the interval of the schedule.
+ "frequency": "Minute", // Gets or sets the frequency of the schedule. - OneTime, Day, Hour, Week, Month, Minute
+ "timeZone": "Europe/Berlin", // Gets or sets the time zone of the schedule.
+ "advancedSchedule": "" // Gets or sets the AdvancedSchedule
+ }
+ ]
+ }
+ ,
+ "privateEndpoints": {
+ "value": [
+
+ // Example showing only mandatory fields
+ {
+ "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-005",
+ "service": "Webhook"
+ },
+ {
+ "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-005",
+ "service": "DSCAndHybridWorker"
+ }
+ ]
+ }
+ }
+}
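Review bot: Both `subnetResourceId` values under `privateEndpoints` hard-code the subscription GUID `8629be3b-96bc-482d-a04b-ffff597c65a2` and the `dependencies-rg` resource group, so this parameter file only deploys against that one environment and publishes its identifiers along with the repository. A token that the pipeline substitutes before deployment would avoid both, e.g. `"subnetResourceId": "/subscriptions/<subscriptionId-placeholder>/resourceGroups/<resourceGroup-placeholder>/providers/Microsoft.Network/virtualNetworks/<vnet-placeholder>/subnets/<subnet-placeholder>"`. Separately, the file carries `//` comments and a commented-out `roleAssignments` block although it is named `.json`; strict JSON parsers reject comments, so it is worth confirming that every consumer of this file (deployment tooling, linters, test scripts) accepts them, or moving the field descriptions into the readme.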
diff --git a/arm/Microsoft.Automation/automationAccounts/readme.md b/arm/Microsoft.Automation/automationAccounts/readme.md
new file mode 100644
index 0000000000..b90f601e52
--- /dev/null
+++ b/arm/Microsoft.Automation/automationAccounts/readme.md
@@ -0,0 +1,289 @@ +# AutomationAccounts + +This module deploys an Azure Automation Account, with resource lock. + +## Resource Types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Automation/automationAccounts`|2015-10-31| +|`Microsoft.Automation/automationAccounts/runbooks`|2018-06-30| +|`Microsoft.Automation/automationAccounts/providers/locks`|2016-09-01| +|`Microsoft.Automation/automationAccounts/schedules`|2015-10-31| +|`Microsoft.Automation/automationAccounts/jobSchedules`|2015-10-31| +|`Microsoft.Automation/automationAccounts/providers/diagnosticsettings`|2017-05-01-preview|  +|`Microsoft.Automation/automationAccounts/providers/roleAssignments`|2018-09-01-preview|  +|`Microsoft.Resources/deployments`|2018-02-01|  +|`Microsoft.Network/privateEndpoints`|2020-05-01| +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups`|2020-05-01| + + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered +| `automationAccountName` | string | | | Required. Name of the Azure Automation Account +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `skuName` | string | `Basic` | `Free`, `Basic` | Optional. Specifies the SKU for the Automation Account +| `runbooks` | array | [] | | Optional. List of runbooks to be created in the automation account. Complex structure, see below. +| `schedules` | array | [] | | Optional. List of schedules to be created in the automation account. Complex structure, see below. +| `jobSchedules` | array | [] | | Optional. List of jobSchedules to be created in the automation account. Complex structure, see below. +| `baseTime` | string | [utcNow('u')] | | Optional. Time used as a basis for e.g. the schedule start date | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +| `lockForDeletion` | bool | `false` | | Optional. Switch to lock Automation Account from deletion. +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `tags` | object | | | Optional. Tags of the Automation Account resource. +| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. + +### Parameter Usage: `automationAccountName` + +Name of the Azure Automation Account + +```json +"automationAccountName": { + "value": "wvd-scaling-autoaccount" +} +``` + +### Parameter Usage: `location` + +Location for all resources. 
+ +```json +"location": { + "value": "westeurope" +} +``` + +### Parameter Usage: `skuName` + +Specifies the SKU for the Automation Account + +```json +"skuName": { + "value": "Basic" +} +``` + +### Parameter Usage: `runbooks` + +List of runbooks to be created in the automation account + +```json +"runbooks": { + "value": [ + { + "runbookName": "ScalingRunbook", // Name for a runbook if you intent to deploy one + "runbookType": "PowerShell", // Type of script + "runbookScriptUri": "https://raw.githubusercontent.com/Azure/basicScale.ps1", // The uri where the runbook script is located + "scriptStorageAccountId": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/WVD-Mgmt-PO-RG/providers/Microsoft.Storage/storageAccounts/wvdassetsstore", + "version": "1.0.0.0" // version of api + } + ] +} +``` + +### Parameter Usage: `schedules` + +List of schedules to be created in the automation account + +```json +"schedules": { + "value": [ + { + "scheduleName": "ScalingRunbook_Schedule", // The schedule name. + "startTime": "", // Gets or sets the start time of the schedule. + "expiryTime": "9999-12-31T23:59:00+00:00", // Gets or sets the end time of the schedule. + "interval": 15, // Gets or sets the interval of the schedule. + "frequency": "Minute", // Gets or sets the frequency of the schedule. - OneTime, Day, Hour, Week, Month, Minute + "timeZone": "Europe/Berlin", // Gets or sets the time zone of the schedule. + "advancedSchedule": "" // Gets or sets the AdvancedSchedule + } + ] +} +``` + +### Parameter Usage: `jobSchedules` + +List of jobSchedules to be created in the automation account + +```json +"jobSchedules": { + "value": [ + { + "jobScheduleName": "ScalingRunbook_JobSchedule", // jobSchedule used to generate unique id + "scheduleName": "ScalingRunbook_Schedule", // Gets or sets the schedule + "runbookName": "ScalingRunbook", // Gets or sets the runbook + "parameters": { // Gets or sets a list of job properties. 
+ "param1": "value1" + }, + "runOn": "" // Gets or sets the hybrid worker group that the scheduled job should run on. + } + ] +} +``` + +### Parameter Usage: `privateEndpoints` +To use Private Endpoint the following dependencies must be deployed: +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "blob", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "file" + } + ] +} +``` + +### Parameter Usage: 
`diagnosticLogsRetentionInDays` + +Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. + +```json +"diagnosticLogsRetentionInDays": { + "value": 30 +} +``` + +### Parameter Usage: `diagnosticStorageAccountId` + +Resource identifier of the Diagnostic Storage Account. + +```json +"diagnosticStorageAccountId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.Storage/storageAccounts/sharedSA" +} +``` + +### Parameter Usage: `workspaceId` + +Resource identifier of Log Analytics. + +```json +"workspaceId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/microsoft.operationalinsights/workspaces/my-sbx-eu-la" +} +``` + +### Parameter Usage: `eventHubAuthorizationRuleId` + +Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +```json +"eventHubAuthorizationRuleId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.EventHub/namespaces/my-sbx-02-eh/authorizationRules/myRule" +} +``` + +### Parameter Usage: `eventHubName` + +Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. + +```json +"eventHubName": { + "value": "myEventHub" +} +``` + +### Parameter Usage: `lockForDeletion` + +Switch to lock Logic App from deletion. 
+ +```json +"lockForDeletion": { + "value": true +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `automationAccountName` | string | The Name of the Automation Account. | +| `automationAccountResourceGroup` | string | The Resource Group the Automation Account was deployed to. | +| `automationAccountResourceId` | string | The Resource Id of the Automation Account. | +| `dummyObject` | array | The Name of the Automation Account. | +| `dummyString` | array | The Name of the Automation Account. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [An introduction to Azure Automation](https://docs.microsoft.com/en-us/azure/automation/automation-intro) +- [Microsoft.Automation automationAccounts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Batch/batchAccounts/deploy.json b/arm/Microsoft.Batch/batchAccounts/deploy.json new file mode 100644 index 0000000000..fe9a29281d --- /dev/null +++ b/arm/Microsoft.Batch/batchAccounts/deploy.json 
@@ -0,0 +1,190 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "batchAccountName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Azure Batch"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all Resources."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Key Vault from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional.
Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "ServiceLog ",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Batch/batchAccounts",
+ "apiVersion": "2020-09-01",
+ "name": "[parameters('batchAccountName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/batchAccountDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Batch/batchAccounts/', parameters('batchAccountName'))]"
+ ],
+ "comments": "Resource lock",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.Batch/batchAccounts/providers/diagnosticsettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('batchAccountName'), '/Microsoft.Insights/service')]",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.Batch/batchAccounts/',
parameters('batchAccountName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "batchAccountName": {
+ "type": "string",
+ "value": "[parameters('batchAccountName')]",
+ "metadata": {
+ "description": "The Name of the Azure Batch Account"
+ }
+ },
+ "batchAccountResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Batch/batchAccounts',parameters('batchAccountName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Azure Batch Account"
+ }
+ },
+ "batchAccountResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group with the Azure Batch Account"
+ }
+ },
+ "batchAccountPrimaryKey": {
+ "type": "string",
+ "value": "listkeys(variables('resourceId'), variables('apiVersion')).primaryKey]",
+ "metadata": {
+ "description": "The Azure Batch Account Primary Key"
+ }
+ }
+ }
+}
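Review bot: The `batchAccountPrimaryKey` output at the end of this template returns the Batch account's shared key as a plain `string` output, and output values are kept in the deployment history, where anyone who can read deployments on the resource group can retrieve them. As written the value also lacks the opening `[`, so it is emitted as literal text, and it refers to `variables('resourceId')` and `variables('apiVersion')`, neither of which the `variables` section of this hunk defines, so adding the bracket alone would make the deployment fail. I would remove the `batchAccountPrimaryKey` output (and its row in the readme) and have consumers fetch the key where it is needed, or write it to a Key Vault secret. Separately, `"category": "ServiceLog "` in `diagnosticsLogs` appears to carry a trailing space as rendered here; if that is in the file, the category may not match and the service log would not be collected.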
diff --git a/arm/Microsoft.Batch/batchAccounts/parameters/parameters.json b/arm/Microsoft.Batch/batchAccounts/parameters/parameters.json
new file mode 100644
index 0000000000..9a7a169e72
--- /dev/null
+++ b/arm/Microsoft.Batch/batchAccounts/parameters/parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "batchAccountName": {
+ "value": "sxxazbaweux001"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Batch/batchAccounts/readme.md b/arm/Microsoft.Batch/batchAccounts/readme.md
new file mode 100644
index 0000000000..3ad8f64bd3
--- /dev/null
+++ b/arm/Microsoft.Batch/batchAccounts/readme.md
@@ -0,0 +1,69 @@
+# Batch Accounts
+
+## Resource types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Batch/batchAccounts`|2020-03-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Batch/batchAccounts/providers/diagnosticsettings`|2017-05-01-preview|
+
+### Resource dependency
+
+The following resources are required to be able to deploy this resource.
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Allowed Values |
+| :-- | :-- | :-- | :-- | :-- |
+| `batchAccountName` | string | Required. Name of the Azure Batch | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `batchAccountName` | string | The Name of the Azure Batch Account |
+| `batchAccountPrimaryKey` | string | The Azure Batch Account Primary Key |
+| `batchAccountResourceGroup` | string | The name of the Resource Group with the Azure Batch Account |
+| `batchAccountResourceId` | string | The Resource Id of the Azure Batch Account |
+
+### References
+
+### Template references
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [BatchAccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Batch/2020-03-01/batchAccounts)
+
+## Considerations
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [BatchAccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Batch/2020-03-01/batchAccounts)
diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.json b/arm/Microsoft.CognitiveServices/accounts/deploy.json
new file mode 100644
index 0000000000..34205515bc
--- /dev/null
+++ b/arm/Microsoft.CognitiveServices/accounts/deploy.json
@@ -0,0 +1,705 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accountName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of Cognitive Services account"
+ }
+ },
+ "kind": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region."
+ },
+ "allowedValues": [
+ "AnomalyDetector",
+ "Bing.Autosuggest.v7",
+ "Bing.CustomSearch",
+ "Bing.EntitySearch",
+ "Bing.Search.v7",
+ "Bing.SpellCheck.v7",
+ "CognitiveServices",
+ "ComputerVision",
+ "ContentModerator",
+ "CustomVision.Prediction",
+ "CustomVision.Training",
+ "Face",
+ "FormRecognizer",
+ "ImmersiveReader",
+ "Internal.AllInOne",
+ "LUIS",
+ "LUIS.Authoring",
+ "Personalizer",
+ "QnAMaker",
+ "SpeechServices",
+ "TextAnalytics",
+ "TextTranslation"
+ ]
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "S0",
+ "metadata": {
+ "description": "Optional. SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region."
+ },
+ "allowedValues": [
+ "C2",
+ "C3",
+ "C4",
+ "F0",
+ "F1",
+ "S",
+ "S0",
+ "S1",
+ "S10",
+ "S2",
+ "S3",
+ "S4",
+ "S5",
+ "S6",
+ "S7",
+ "S8",
+ "S9"
+ ]
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all Resources."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional.
Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "customSubDomainName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Subdomain name used for token-based authentication. Required if 'networkAcls' are set."
+ }
+ },
+ "publicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Enabled",
+ "metadata": {
+ "description": "Optional. Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set."
+ },
+ "allowedValues": [
+ "Enabled",
+ "Disabled"
+ ]
+ },
+ "networkAcls": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Service endpoint object information"
+ }
+ },
+ "managedIdentity": {
+ "type": "string",
+ "defaultValue": "None",
+ "allowedValues": [
+ "None",
+ "SystemAssigned"
+ ],
+ "metadata": {
+ "description": "Optional. Type of managed service identity."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Cognitive Services from deletion."
+ }
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "Audit", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "RequestResponse", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + 
"Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + 
"Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", 
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ },
+ "deployServiceEndpoint": "[not(empty(parameters('networkAcls')))]",
+ "emptyArray": [
+ ],
+ "networkAcls": {
+ "defaultAction": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').defaultAction)]",
+ "virtualNetworkRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').virtualNetworkRules), 0), variables('emptyArray'), parameters('networkAcls').virtualNetworkRules))]",
+ "ipRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), variables('emptyArray'), parameters('networkAcls').ipRules))]"
+ },
+ "cognitiveServicesName": "[parameters('accountName')]",
+ "cognitiveServicesResourceId": "[resourceId('Microsoft.CognitiveServices/accounts',variables('cognitiveServicesName'))]",
+ "diagnosticSettingName": "[concat(variables('cognitiveServicesName'), '/','Microsoft.Insights/service')]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2017-04-18",
+ "name": "[variables('cognitiveServicesName')]",
+ "kind":
"[parameters('kind')]",
+ "identity": {
+ "type": "[parameters('managedIdentity')]"
+ },
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "properties": {
+ "customSubDomainName": "[if(empty(parameters('customSubDomainName')), json('null'), parameters('customSubDomainName'))]",
+ "networkAcls": "[if(not(variables('deployServiceEndpoint')), json('null'), variables('networkAcls'))]",
+ "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/CognitiveServicesDoNotDelete",
+ "dependsOn": [
+ "[variables('cognitiveServicesResourceId')]"
+ ],
+ "comments": "Resource lock for Cognitive Services",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticsettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[variables('diagnosticSettingName')]",
+ "dependsOn": [
+ "[variables('cognitiveServicesResourceId')]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')),
empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ },
+ // Private Endpoints
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(uniqueString(deployment().name, parameters('location')), '-CognitiveServices-PrivateEndpoints','-',copyIndex())]",
+ "condition": "[not(empty(parameters('privateEndpoints')))]",
+ "dependsOn": [
+ "[variables('cognitiveServicesName')]"
+ ],
+ "copy": {
+ "name": "privateEndpointsCopy",
+ "count": "[length(parameters('privateEndpoints'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "privateEndpointResourceId": {
+ "value": "[resourceId('Microsoft.CognitiveServices/accounts/', variables('cognitiveServicesName'))]"
+ },
+ "privateEndpointVnetLocation": {
+ "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]"
+ },
+ "privateEndpoint": {
+ "value": "[parameters('privateEndpoints')[copyIndex()]]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateEndpointResourceId": {
+ "type": "string"
+ },
+ "privateEndpointVnetLocation": {
+ "type": "string"
+ },
+ "privateEndpoint": {
+ "type": "object"
+ },
+ "tags": {
+ "type": "object"
+ }
+ },
+ "variables": {
+ "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]",
+ "privateEndpoint": {
+ "name": "[if(contains(parameters('privateEndpoint'),
'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]",
+ "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]",
+ "service": [
+ "[parameters('privateEndpoint').service]"
+ ],
+ "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]",
+ "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/privateEndpoints",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('privateEndpoint').name]",
+ "location": "[parameters('privateEndpointVnetLocation')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "privateLinkServiceConnections": [
+ {
+ "name": "[variables('privateEndpoint').name]",
+ "properties": {
+ "privateLinkServiceId": "[parameters('privateEndpointResourceId')]",
+ "groupIds": "[variables('privateEndpoint').service]"
+ }
+ }
+ ],
+ "manualPrivateLinkServiceConnections": [],
+ "subnet": {
+ "id": "[variables('privateEndpoint').subnetResourceId]"
+ },
+ "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "apiVersion": "2020-05-01",
+ "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]",
+ "name": "[concat(variables('privateEndpoint').name, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]"
+ ],
+
"properties": {
+ "copy": [
+ {
+ "name": "privateDnsZoneConfigs",
+ "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]",
+ "input": {
+ "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]",
+ "properties": {
+ "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[variables('cognitiveServicesResourceId')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "accountName": {
+ "value": "[parameters('accountName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "accountName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('accountName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('accountName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count":
"[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "cognitiveServicesName": {
+ "type": "string",
+ "value": "[variables('cognitiveServicesName')]",
+ "metadata": {
+ "description": "The Name of the Cognitive Services"
+ }
+ },
+ "cognitiveServicesResourceId": {
+ "type": "string",
+ "value": "[variables('cognitiveServicesResourceId')]",
+ "metadata": {
+ "description": "The Resource Id of the Cognitive Services"
+ }
+ },
+ "cognitiveServicesResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group with the Cognitive Services"
+ }
+ },
+ "cognitiveServicesKeys": {
+ "type": "object",
+ "value": "[listKeys(variables('CognitiveServicesResourceId'),'2017-04-18')]",
+ "metadata": {
+ "description": "Cognitive Services Keys"
+ }
+ },
+ "cognitiveServicesKey1": {
+ "type": "string",
+ "value": "[listKeys(variables('CognitiveServicesResourceId'),'2017-04-18').key1]",
+ "metadata": {
+ "description": "Cognitive Services Key1"
+ }
+ },
+ "cognitiveServicesKey2": {
+ "type": "string",
+ "value": "[listKeys(variables('CognitiveServicesResourceId'),'2017-04-18').key2]",
+ "metadata": {
+ "description": "Cognitive Services Key2"
+ }
+ },
+ "cognitiveServicesEndpoint": {
+ "type": "string",
+ "value": "[reference(variables('CognitiveServicesResourceId'),'2017-04-18').endpoint]",
+ "metadata": {
+ "description": "Cognitive Services Endpoint"
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "condition": "[equals(parameters('managedIdentity'), 'SystemAssigned')]",
+
"value": "[reference(variables('CognitiveServicesResourceId'), '2017-04-18', 'Full').identity.principalId]",
+ "metadata": {
+ "description": "Cognitive Services identity Principal ID."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.CognitiveServices/accounts/parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/parameters/parameters.json
new file mode 100644
index 0000000000..2cf7eb8a4e
--- /dev/null
+++ b/arm/Microsoft.CognitiveServices/accounts/parameters/parameters.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accountName": {
+ "value": "sxx-az-cgs-weu-x-001"
+ },
+ "kind": {
+ "value": "Face"
+ },
+ "sku": {
+ "value": "F0"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ },
+ "workspaceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ },
+ "cuaId": {
+ "value": "00000000-0000-0000-0000-000000000000"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md
new file mode 100644
index 0000000000..5023eddf77
--- /dev/null
+++ b/arm/Microsoft.CognitiveServices/accounts/readme.md
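Review bot: In parameters.json the `cuaId` value `00000000-0000-0000-0000-000000000000` is not empty, so the `pid-` deployment in deploy.json, which is gated on `not(empty(parameters('cuaId')))`, would be created under a placeholder GUID; drop the entry or set `"value": ""` unless a registered id is meant. `diagnosticStorageAccountId` and `workspaceId` embed one concrete subscription id, which ties the sample to a single environment and publishes that id with the module; a marked placeholder such as `<subscription-id>` would avoid both. The file also sets neither `networkAcls` nor `publicNetworkAccess`, so the sample account keeps the readme's default of `Enabled` for public network access, which is worth stating in the readme next to the sample.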
@@ -0,0 +1,172 @@
+# CognitiveServices
+
+This module deploys different kinds of Cognitive Services resources
+
+## Resource types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.CognitiveServices/accounts` | 2017-04-18 |
+| `Microsoft.CognitiveServices/accounts/providers/diagnosticsettings` | 2017-05-01-preview |
+| `Microsoft.CognitiveServices/accounts/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 |
+| `Microsoft.Network/privateEndpoints` | 2020-05-01 |
+| `Microsoft.Resources/deployments` | 2020-06-01 |
+| `providers/locks` | 2016-09-01 |
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `accountName` | string | Required. The name of Cognitive Services account | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `customSubDomainName` | string | Optional. Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `kind` | string | Required. Kind of the Cognitive Services. Use `Get-AzCognitiveServicesAccountSku` to determine a valid pairs of 'kind' and 'sku' for your Azure region.
| | "AnomalyDetector", "Bing.Autosuggest.v7", "Bing.CustomSearch", "Bing.EntitySearch", "Bing.Search.v7", "Bing.SpellCheck.v7", "CognitiveServices", "ComputerVision" "ContentModerator", "CustomVision.Prediction", "CustomVision.Training", "Face", "FormRecognizer", "ImmersiveReader", "Internal.AllInOne", "LUIS", "LUIS.Authoring", "Personalizer", "QnAMaker", "SpeechServices", "TextAnalytics", "TextTranslation" |
+| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Cognitive Services from deletion. | False | |
+| `managedIdentity` | string | Optional. Type of managed service identity. | None | "None", "SystemAssigned" |
+| `networkAcls` | object | Optional. Service endpoint object information | | |
+| `publicNetworkAccess` | string | Optional. Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set. | Enabled | "Enabled", "Disabled" |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | [] | |
+| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | |
+| `sku` | string | Optional. SKU of the Cognitive Services resource. Use `Get-AzCognitiveServicesAccountSku` to determine a valid combinations of 'kind' and 'sku' for your Azure region. | S0 | "C2", "C3", "C4", "F0", "F1", "S", "S0", "S1", "S10", "S2", "S3", "S4", "S5", "S6", "S7", "S8", "S9" |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics.
| | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `privateEndpoints`
+
+To use Private Endpoint the following dependencies must be deployed:
+
+- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
+
+- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `networkAcls` + +```json +"networkAcls": { + "value": { + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "id": "/subscriptions//resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks//subnets/", + "ignoreMissingVnetServiceEndpoint": false + } + ], + "ipRules": [ + { + "value": "1.1.1.1" + }, + { + "value": "" + } + ] + } +}, +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `cognitiveServicesEndpoint` | string | Cognitive Services Endpoint | +| `cognitiveServicesKey1` | string | Cognitive Services Key1 | +| `cognitiveServicesKey2` | string | Cognitive Services Key2 | +| `cognitiveServicesKeys` | object | Cognitive Services Keys | +| `cognitiveServicesName` | string | The Name 
of the Cognitive Services | +| `cognitiveServicesResourceGroup` | string | The name of the Resource Group with the Cognitive Services | +| `cognitiveServicesResourceId` | string | The Resource Id of the Cognitive Services | +| `principalId` | string | Cognitive Services identity Principal ID (if applicable). | + +## Considerations + +- Not all combinations of parameters `kind` and `sku` are valid and they may vary in different Azure Regions. Please use PowerShell CmdLet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. +- Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services. + +### References + +#### Template references + +- [Cognitive Services Accounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2017-04-18/accounts) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) + +## Additional resources + +- [What are Azure Cognitive Services?](https://docs.microsoft.com/en-us/azure/cognitive-services/welcome) +- [Get-AzCognitiveServicesAccountSku](https://docs.microsoft.com/en-us/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccountsku) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Cognitive Services virtual networks](https://docs.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.json b/arm/Microsoft.Compute/diskEncryptionSets/deploy.json new file mode 100644 index 0000000000..e4e0c2e09e --- /dev/null +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.json 
@@ -0,0 +1,385 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "diskEncryptionSetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the disk encryption set that is being created."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Resource location."
+ }
+ },
+ "keyVaultId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Resource id of the KeyVault containing the key or secret."
+ }
+ },
+ "keyUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Key Url (with version) pointing to a key or secret in KeyVault."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the Automation Account resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "keyVaultName": "[last(split(parameters('keyVaultId'),'/'))]",
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
+ "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.KeyVault/vaults/accessPolicies", + "name": "[concat(variables('keyVaultName'), '/add')]", + "apiVersion": "2019-09-01", + "properties": { + "accessPolicies": [ + { + "tenantId": "[subscription().tenantId]", + "objectId": 
"[reference(concat('Microsoft.Compute/diskEncryptionSets/', parameters('diskEncryptionSetName')), '2019-11-01', 'Full').identity.principalId]", + "permissions": { + "keys": [ + "get", + "wrapkey", + "unwrapkey" + ], + "secrets": [ + ], + "certificates": [ + ] + } + } + ] + } + }, + { + "apiVersion": "2020-06-30", + "type": "Microsoft.Compute/diskEncryptionSets", + "name": "[parameters('diskEncryptionSetName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "activeKey": { + "sourceVault": { + "id": "[parameters('keyVaultId')]" + }, + "keyUrl": "[parameters('keyUrl')]" + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('diskEncryptionSetName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "diskEncryptionSetName": { + "value": "[parameters('diskEncryptionSetName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "diskEncryptionSetName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/diskEncryptionSets/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('diskEncryptionSetName'), '/Microsoft.Authorization/', 
guid(uniqueString(concat(parameters('diskEncryptionSetName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "diskEncryptionSetResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Compute/diskEncryptionSets/', parameters('diskEncryptionSetName'))]", + "metadata": { + "description": "Resourece ID of the resource." + } + }, + "principalId": { + "type": "string", + "value": "[reference(concat('Microsoft.Compute/diskEncryptionSets/', parameters('diskEncryptionSetName')), '2019-11-01', 'Full').identity.principalId]", + "metadata": { + "description": "Principal ID." + } + }, + "keyVaultName": { + "type": "string", + "value": "[variables('keyVaultName')]", + "metadata": { + "description": "Name of the KeyVault." + } + }, + "diskEncryptionResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Resource Group." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Compute/diskEncryptionSets/parameters/parameters.json b/arm/Microsoft.Compute/diskEncryptionSets/parameters/parameters.json new file mode 100644 index 0000000000..484adfc243 --- /dev/null +++ b/arm/Microsoft.Compute/diskEncryptionSets/parameters/parameters.json 
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "diskEncryptionSetName": {
+ "value": "sxx-az-des-weu-x-001"
+ },
+ "keyVaultId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "keyUrl": {
+ "value": "https://sxx-az-kv-weu-x-004.vault.azure.net/keys/encryptionKey/7d046905e20340d6a2186aa963eb3513"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
new file mode 100644
index 0000000000..327d699476
--- /dev/null
+++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
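Review bot: The sample parameters commit a concrete subscription GUID, vault name and key version in `keyVaultId` and `keyUrl`, which ties the module to one environment and publishes environment identifiers that need not be in the repository; a labelled placeholder such as `"value": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName>"` would be safer. The pinned key version in `keyUrl` also has to be edited on every key rotation, so a placeholder like `https://<keyVaultName>.vault.azure.net/keys/<keyName>/<keyVersion>` makes that dependency explicit. Separately, the commented-out `roleAssignments` block cannot be enabled as written: the `keyUrl` object has no trailing comma before it, the block itself ends in `},` directly before the closing brace, and `//` comments are rejected by strict JSON parsers even where the ARM tooling tolerates them.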
@@ -0,0 +1,88 @@
+# DiskEncryptionSet
+
+This template deploys a Disk Encryption Set
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.KeyVault/vaults/accessPolicies`|2019-09-01|
+|`Microsoft.Compute/diskEncryptionSets`|2019-11-01|
+|`Microsoft.Compute/diskEncryptionSets/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diskEncryptionSetName` | string | Required. The name of the disk encryption set that is being created. | | |
+| `keyUrl` | string | Required. Key Url (with version) pointing to a key or secret in KeyVault. | | |
+| `keyVaultId` | string | Required. Resource id of the KeyVault containing the key or secret. | | |
+| `location` | string | Optional. Resource location. | [resourceGroup().location] | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the Automation Account resource. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `diskEncryptionResourceGroup` | string | Name of the Resource Group. |
+| `diskEncryptionSetResourceId` | string | Resourece ID of the resource. |
+| `keyVaultName` | string | Name of the KeyVault. |
+| `principalId` | string | Principal ID. |
+
+## Considerations
+
+N/A
+
+## Additional resources
+
+- [Microsoft.Compute diskEncryptionSets template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/diskencryptionsets)
diff --git a/arm/Microsoft.Compute/galleries/deploy.json b/arm/Microsoft.Compute/galleries/deploy.json
new file mode 100644
index 0000000000..2ffdee2009
--- /dev/null
+++ b/arm/Microsoft.Compute/galleries/deploy.json
@@ -0,0 +1,366 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "galleryName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Azure Shared Image Gallery" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "galleryDescription": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Description of the Azure Shared Image Gallery" + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock resources from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags for all resources." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "pidName": "[concat('pid-', parameters('cuaId'))]", + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App 
Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + 
"Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('pidName')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Compute/galleries",
+ "apiVersion": "2019-12-01",
+ "name": "[parameters('galleryName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "description": "[parameters('galleryDescription')]",
+ "identifier": {
+ }
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/sharedImageGallerDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Compute/galleries/', parameters('galleryName'))]"
+ ],
+ "comments": "Resource lock on Azure Shared Image Gallery",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('galleryName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "galleryName": {
+ "value": "[parameters('galleryName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "galleryName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/galleries/providers/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[concat(parameters('galleryName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('galleryName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "galleryResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Compute/galleries', parameters('galleryName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Shared Image Gallery."
+ }
+ },
+ "galleryResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Shared Image Gallery was created in."
+ }
+ },
+ "galleryName": {
+ "type": "string",
+ "value": "[parameters('galleryName')]",
+ "metadata": {
+ "description": "The Name of the Shared Image Gallery."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Compute/galleries/parameters/parameters.json b/arm/Microsoft.Compute/galleries/parameters/parameters.json
new file mode 100644
index 0000000000..1a9cdcc8a8
--- /dev/null
+++ b/arm/Microsoft.Compute/galleries/parameters/parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "galleryName": {
+ "value": "sxxazsigweux003"
+ }
+ }
+}
diff --git a/arm/Microsoft.Compute/galleries/readme.md b/arm/Microsoft.Compute/galleries/readme.md
new file mode 100644
index 0000000000..b2e24e852d
--- /dev/null
+++ b/arm/Microsoft.Compute/galleries/readme.md
@@ -0,0 +1,89 @@
+# Shared Image Gallery
+
+This module deploys Share Image Gallery, with resource lock.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2019-10-01|
+|`Microsoft.Compute/galleries`|2019-12-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Compute/galleries/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `galleryDescription` | string | Optional. Description of the Azure Shared Image Gallery | | |
+| `galleryName` | string | Required. Name of the Azure Shared Image Gallery | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock resources from deletion. | False | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags for all resources. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `galleryName` | string | The Name of the Shared Image Gallery. |
+| `galleryResourceGroup` | string | The name of the Resource Group the Shared Image Gallery was created in.|
+| `galleryResourceId` | string | The Resource Id of the Shared Image Gallery. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Shared Image Galleries overview](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/shared-image-galleries)
+- [Microsoft.Compute galleries template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/galleries)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Compute/galleryImages/deploy.json b/arm/Microsoft.Compute/galleryImages/deploy.json
new file mode 100644
index 0000000000..92ee1eff45
--- /dev/null
+++ b/arm/Microsoft.Compute/galleryImages/deploy.json
@@ -0,0 +1,546 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "imageDefinitionName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the image definition."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "galleryName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the Azure Shared Image Gallery"
+ }
+ },
+ "osType": {
+ "type": "string",
+ "allowedValues": [
+ "Windows",
+ "Linux"
+ ],
+ "defaultValue": "Windows",
+ "metadata": {
+ "description": "Optional. OS type of the image to be created."
+ }
+ },
+ "osState": {
+ "type": "string",
+ "allowedValues": [
+ "Generalized",
+ "Specialized"
+ ],
+ "defaultValue": "Generalized",
+ "metadata": {
+ "description": "Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer",
+ "metadata": {
+ "description": "Optional. The name of the gallery Image Definition publisher."
+ }
+ },
+ "offer": {
+ "type": "string",
+ "defaultValue": "WindowsServer",
+ "metadata": {
+ "description": "Optional. The name of the gallery Image Definition offer."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "2019-Datacenter",
+ "metadata": {
+ "description": "Optional. The name of the gallery Image Definition SKU."
+ }
+ },
+ "minRecommendedvCPUs": {
+ "type": "int",
+ "defaultValue": 1,
+ "minValue": 1,
+ "maxValue": 128,
+ "metadata": {
+ "description": "Optional. The minimum number of the CPU cores recommended for this image."
+ }
+ },
+ "maxRecommendedvCPUs": {
+ "type": "int",
+ "defaultValue": 4,
+ "minValue": 1,
+ "maxValue": 128,
+ "metadata": {
+ "description": "Optional. The maximum number of the CPU cores recommended for this image."
+ }
+ },
+ "minRecommendedMemory": {
+ "type": "int",
+ "defaultValue": 4,
+ "minValue": 1,
+ "maxValue": 4000,
+ "metadata": {
+ "description": "Optional. The minimum amount of RAM in GB recommended for this image."
+ }
+ },
+ "maxRecommendedMemory": {
+ "type": "int",
+ "defaultValue": 16,
+ "minValue": 1,
+ "maxValue": 4000,
+ "metadata": {
+ "description": "Optional. The maximum amount of RAM in GB recommended for this image."
+ }
+ },
+ "hyperVGeneration": {
+ "type": "string",
+ "defaultValue": "V1",
+ "allowedValues": [
+ "V1",
+ "V2"
+ ],
+ "metadata": {
+ "description": "Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only. - V1 or V2"
+ }
+ },
+ "imageDefinitionDescription": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The description of this gallery Image Definition resource. This property is updatable."
+ }
+ },
+ "eula": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL."
+ }
+ },
+ "privacyStatementUri": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The privacy statement uri. Has to be a valid URL."
+ }
+ },
+ "releaseNoteUri": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The release note uri. Has to be a valid URL."
+ }
+ },
+ "productName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The product ID."
+ }
+ },
+ "planName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The plan ID."
+ }
+ },
+ "planPublisherName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The publisher ID."
+ }
+ },
+ "endOfLife": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z"
+ }
+ },
+ "excludedDiskTypes": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of the excluded disk types. E.g. Standard_LRS"
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags for all resources."
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure 
Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", 
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Compute/galleries/images",
+ "name": "[concat(parameters('galleryName'), '/', parameters('imageDefinitionName'))]",
+ "apiVersion": "2019-12-01",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "osType": "[parameters('osType')]",
+ "osState": "[parameters('osState')]",
+ "identifier": {
+ "publisher": "[parameters('publisher')]",
+ "offer": "[parameters('offer')]",
+ "sku": "[parameters('sku')]"
+ },
+ "recommended": {
+ "vCPUs": {
+ "min": "[parameters('minRecommendedvCPUs')]",
+ "max": "[parameters('maxRecommendedvCPUs')]"
+ },
+ "memory": {
+ "min": "[parameters('minRecommendedMemory')]",
+ "max": "[parameters('maxRecommendedMemory')]"
+ }
+ },
+ "hyperVGeneration": "[parameters('hyperVGeneration')]",
+ "description": "[parameters('imageDefinitionDescription')]",
+ "eula": "[parameters('eula')]",
+ "privacyStatementUri": "[parameters('privacyStatementUri')]",
+ "releaseNoteUri": "[parameters('releaseNoteUri')]",
+ "purchasePlan": {
+ "product": "[parameters('productName')]",
+ "name": "[parameters('planName')]",
+ "publisher": "[parameters('planPublisherName')]"
+ },
+ "endOfLifeDate": "[parameters('endOfLife')]",
+ "disallowed": {
+ "diskTypes": "[parameters('excludedDiskTypes')]"
+ }
+ },
+ "resources": [
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('imageDefinitionName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "imageDefinitionName": {
+ "value": "[parameters('imageDefinitionName')]"
+ },
+ "galleryName":{
+ "value": "[parameters('galleryName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "imageDefinitionName": {
+ "type": "string"
+ },
+ "galleryName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/galleries/images/providers/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[concat(parameters('galleryName'), '/', parameters('imageDefinitionName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('imageDefinitionName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "galleryResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Compute/galleries', parameters('galleryName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Shared Image Gallery."
+ }
+ },
+ "galleryResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Shared Image Gallery was created in."
+ }
+ },
+ "galleryName": {
+ "type": "string",
+ "value": "[parameters('galleryName')]",
+ "metadata": {
+ "description": "The Name of the Shared Image Gallery."
+ }
+ },
+ "imageDefinitionResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('imageDefinitionName') )]",
+ "metadata": {
+ "description": "The Resource Id of the Shared Image Definition."
+ }
+ },
+ "imageDefinitionName": {
+ "type": "string",
+ "value": "[parameters('imageDefinitionName')]",
+ "metadata": {
+ "description": "The Name of the Shared Image Definition."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/galleryImages/parameters/parameters.json b/arm/Microsoft.Compute/galleryImages/parameters/parameters.json
new file mode 100644
index 0000000000..b004bc3052
--- /dev/null
+++ b/arm/Microsoft.Compute/galleryImages/parameters/parameters.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "imageDefinitionName": {
+ "value": "sxx-az-imgd-weu-x-001"
+ },
+ "location": {
+ "value": "westeurope"
+ },
+ "galleryName": {
+ "value": "sxxazsigweux003"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "osState": {
+ "value": "Generalized"
+ },
+ "publisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "offer": {
+ "value": "WindowsServer"
+ },
+ "sku": {
+ "value": "2019-Datacenter"
+ },
+ "minRecommendedvCPUs": {
+ "value": 2
+ },
+ "maxRecommendedvCPUs": {
+ "value": 8
+ },
+ "minRecommendedMemory": {
+ "value": 4
+ },
+ "maxRecommendedMemory": {
+ "value": 16
+ },
+ "hyperVGeneration": {
+ "value": "V1"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Compute/galleryImages/readme.md b/arm/Microsoft.Compute/galleryImages/readme.md
new file mode 100644
index 0000000000..5323ea1e02
--- /dev/null
+++ b/arm/Microsoft.Compute/galleryImages/readme.md
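Review bot: The commented-out `roleAssignments` block at the end of `parameters` means this `.json` file is no longer strict JSON, so any pipeline or test step that reads it with a plain JSON parser, rather than ARM tooling that tolerates comments, will presumably reject it. The block also follows the `hyperVGeneration` entry, which has no trailing comma, so simply uncommenting it yields a syntax error; enabling it needs `},` after `"value": "V1"` and removal of the `// object 1` / `// object 2` trailers. I would move the example into readme.md and keep the parameter file comment-free. If the block is kept as a template for later use, note next to it that the two `principalIds` are placeholders and that each entry becomes a role assignment on the image definition, so real object IDs should be reviewed for least privilege before being committed.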
@@ -0,0 +1,107 @@ +# Shared Image Definition + +This module deploys an Image Definition in a Shared Image Gallery. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Compute/galleries/images`|2019-12-01| +|`Microsoft.Compute/galleries/images/providers/roleAssignments`|2018-09-01-preview| +|`Microsoft.Resources/deployments`|2020-06-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `endOfLife` | string | Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z | | | +| `eula` | string | Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL. | | | +| `excludedDiskTypes` | array | Optional. List of the excluded disk types. E.g. Standard_LRS | System.Object[] | | +| `galleryName` | string | Required. Name of the Azure Shared Image Gallery | | | +| `hyperVGeneration` | string | Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only. - V1 or V2 | V1 | System.Object[] | +| `imageDefinitionDescription` | string | Optional. The description of this gallery Image Definition resource. This property is updatable. | | | +| `imageDefinitionName` | string | Required. Name of the image definition. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `maxRecommendedMemory` | int | Optional. The maximum amount of RAM in GB recommended for this image. | 16 | | +| `maxRecommendedvCPUs` | int | Optional. The maximum number of the CPU cores recommended for this image. | 4 | | +| `minRecommendedMemory` | int | Optional. The minimum amount of RAM in GB recommended for this image. | 4 | | +| `minRecommendedvCPUs` | int | Optional. The minimum number of the CPU cores recommended for this image. | 1 | | +| `offer` | string | Optional. 
The name of the gallery Image Definition offer. | WindowsServer | | +| `osState` | string | Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | Generalized | System.Object[] | +| `osType` | string | Optional. OS type of the image to be created. | Windows | System.Object[] | +| `planName` | string | Optional. The plan ID. | | | +| `planPublisherName` | string | Optional. The publisher ID. | | | +| `privacyStatementUri` | string | Optional. The privacy statement uri. Has to be a valid URL. | | | +| `productName` | string | Optional. The product ID. | | | +| `publisher` | string | Optional. The name of the gallery Image Definition publisher. | MicrosoftWindowsServer | | +| `releaseNoteUri` | string | Optional. The release note uri. Has to be a valid URL. | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `sku` | string | Optional. The name of the gallery Image Definition SKU. | 2019-Datacenter | | +| `tags` | object | Optional. Tags for all resources. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `galleryName` | string | The Name of the Shared Image Gallery. | +| `galleryResourceGroup` | string | The name of the Resource Group the Shared Image Gallery was created in. | +| `galleryResourceId` | string | The Resource Id of the Shared Image Gallery. | +| `imageDefinitionName` | string | The Name of the Shared Image Definition. | +| `imageDefinitionResourceId` | string | The Resource Id of the Shared Image Definition. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [Shared Image Galleries overview](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/shared-image-galleries) +- [Microsoft.Compute galleries/images template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/galleries/images) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) diff --git a/arm/Microsoft.Compute/images/deploy.json b/arm/Microsoft.Compute/images/deploy.json new file mode 100644 index 0000000000..a2cee35d96 --- /dev/null +++ b/arm/Microsoft.Compute/images/deploy.json 
@@ -0,0 +1,385 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "imageName": { + "type": "string", + "metadata": { + "description": "Required. The name of the image." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "osDiskBlobUri": { + "type": "string", + "metadata": { + "description": "Required. The Virtual Hard Disk." + } + }, + "osType": { + "type": "string", + "defaultvalue": "Windows", + "metadata": { + "description": "Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux" + } + }, + "osDiskCaching": { + "type": "string", + "defaultvalue": "ReadWrite", + "metadata": { + "description": "Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite" + } + }, + "osAccountType": { + "type": "string", + "defaultvalue": "Premium_LRS", + "metadata": { + "description": "Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS" + } + }, + "zoneResilient": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS)." + } + }, + "hyperVGeneration": { + "type": "string", + "defaultValue": "V1", + "metadata": { + "description": "Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. 
- V1 or V2" + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus 
Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive 
Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", 
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors 
Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + 
"condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "apiVersion": "2020-06-01", + "type": "Microsoft.Compute/images", + "name": "[parameters('imageName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "[parameters('osType')]", + "blobUri": "[parameters('osDiskBlobUri')]", + "caching": "[parameters('osDiskCaching')]", + "storageAccountType": "[parameters('osAccountType')]" + }, + "dataDisks": [ + ], + "zoneResilient": "[parameters('zoneResilient')]" + }, + "hyperVGeneration": "[parameters('hyperVGeneration')]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('imageName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "imageName": { + "value": "[parameters('imageName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "imageName": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Compute/images/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('imageName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('imageName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "imageResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Compute/images', parameters('imageName'))]", + "metadata": { + "description": "Resource ID" + } + }, + "imageResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the resource was created in." + } + }, + "imageName": { + "type": "string", + "value": "[parameters('imageName')]", + "metadata": { + "description": "The Name of the resource." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Compute/images/parameters/parameters.json b/arm/Microsoft.Compute/images/parameters/parameters.json new file mode 100644 index 0000000000..fdf269af21 --- /dev/null +++ b/arm/Microsoft.Compute/images/parameters/parameters.json 
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "imageName": {
+ "value": "sxx-az-img-weu-x-001"
+ },
+ "osAccountType": {
+ "value": "Premium_LRS"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "osDiskBlobUri": {
+ "value": "https://rgwesteuimage.blob.core.windows.net/opensystemsimage/osix-11.82.0-100GB.vhd"
+ },
+ "osDiskCaching": {
+ "value": "ReadWrite"
+ },
+ "zoneResilient": {
+ "value": true
+ },
+ "hyperVGeneration": {
+ "value": "V1"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Compute/images/readme.md b/arm/Microsoft.Compute/images/readme.md
new file mode 100644
index 0000000000..e1fb241f96
--- /dev/null
+++ b/arm/Microsoft.Compute/images/readme.md
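Review bot: The `osDiskBlobUri` value in this sample parameter file names what looks like a real storage account, container and VHD, and the image resource is built from whatever that blob holds at deployment time. For a reusable module, a labelled placeholder such as `"value": "https://<storageAccountName>.blob.core.windows.net/<container>/<image>.vhd"` avoids publishing an internal resource name. The readme should also state that the source account must be a trusted one with restricted write access, since whoever can overwrite the blob decides the OS image content. Separately, the commented-out `roleAssignments` block uses `//` comments, which a strict JSON parser rejects, and it follows the `hyperVGeneration` entry without a separating comma, so uncommenting it as written gives invalid JSON. Whether the deployment and validation tooling used with this repository accepts comments in parameter files is not visible from the hunk.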
@@ -0,0 +1,93 @@
+# Image
+
+This module deploys Images.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Compute/images`|2019-03-01|
+|`Microsoft.Compute/images/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `hyperVGeneration` | string | Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2 | V1 | |
+| `imageName` | string | Required. The name of the image. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `osAccountType` | string | Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS | Premium_LRS | |
+| `osDiskBlobUri` | string | Required. The Virtual Hard Disk. | | |
+| `osDiskCaching` | string | Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite | ReadWrite | |
+| `osType` | string | Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux | Windows | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `zoneResilient` | bool | Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | False | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `imageName` | string | The Name of the resource. |
+| `imageResourceGroup` | string | The name of the Resource Group the resource was created in. |
+| `imageResourceId` | string | Resource ID |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Images](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-03-01/images)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
+
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json
new file mode 100644
index 0000000000..053ab54f8e
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json
@@ -0,0 +1,1299 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmssName": { + "type": "string", + "metadata": { + "description": "Optional. Name of the VMSS." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "imageReference": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image." + } + }, + "plan": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use." + } + }, + "osDisk": { + "type": "object", + "metadata": { + "description": "Required. Specifies the OS disk." + } + }, + "dataDisks": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Specifies the data disks." + } + }, + "ultraSSDEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled." + } + }, + "adminUsername": { + "type": "securestring", + "metadata": { + "description": "Required. Administrator username" + } + }, + "adminPassword": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Required. 
When specifying a Windows Virtual Machine, this value should be passed" + } + }, + "customData": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "scaleSetFaultDomain": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Optional. Fault Domain count for each placement group." + } + }, + "proximityPlacementGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Creates an proximity placement group and adds the VMs to it." + } + }, + "proximityPlacementGroupType": { + "type": "string", + "allowedValues": [ + "Standard", + "Ultra" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Optional. Specifies the type of the proximity placement group." + } + }, + "nicConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Required. Configures NICs and PIPs." + } + }, + "vmPriority": { + "type": "string", + "defaultValue": "Regular", + "allowedValues": [ + "Regular", + "Low", + "Spot" + ], + "metadata": { + "description": "Optional. Specifies the priority for the virtual machine." + } + }, + "enableEvictionPolicy": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies the eviction policy for the low priority virtual machine. 
Will result in 'Deallocate' eviction policy." + } + }, + "maxPriceForLowPriorityVm": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." + } + }, + "licenseType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Windows_Client", + "Windows_Server", + "" + ], + "metadata": { + "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system." + } + }, + "enableMicrosoftAntiMalware": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enables Microsoft Windows Defender AV." + } + }, + "microsoftAntiMalwareSettings": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Settings for Microsoft Windows Defender AV extension." + } + }, + "enableWindowsMMAAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if MMA agent for Windows VM should be enabled." + } + }, + "enableLinuxMMAAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if MMA agent for Linux VM should be enabled." + } + }, + "enableWindowsDependencyAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled." + } + }, + "enableLinuxDependencyAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled." + } + }, + "enableNetworkWatcherWindows": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Specifies if Azure Network Watcher Agent for Windows VM should be enabled." + } + }, + "enableNetworkWatcherLinux": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled." + } + }, + "enableWindowsDiskEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." + } + }, + "enableServerSideEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key." + } + }, + "enableLinuxDiskEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." + } + }, + "diskKeyEncryptionAlgorithm": { + "type": "string", + "defaultValue": "RSA-OAEP", + "allowedValues": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "metadata": { + "description": "Optional. Specifies disk key encryption algorithm." + } + }, + "keyEncryptionKeyURL": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key" + } + }, + "keyVaultUri": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides" + } + }, + "keyVaultId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides" + } + }, + "diskEncryptionVolumeType": { + "type": "string", + "defaultValue": "All", + "allowedValues": [ + "OS", + "Data", + "All" + ], + "metadata": { + "description": "Optional. 
Type of the volume OS or Data to perform encryption operation" + } + }, + "forceUpdateTag": { + "type": "string", + "defaultValue": "1.0", + "metadata": { + "description": "Optional. Pass in an unique value like a GUID everytime the operation needs to be force run" + } + }, + "resizeOSDisk": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume" + } + }, + "windowsScriptExtensionFileData": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM." + } + }, + "windowsScriptExtensionCommandToExecute": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the command that should be run on a Windows VM." + } + }, + "cseStorageAccountName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the storage account to access for the CSE script(s)." + } + }, + "cseStorageAccountKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The storage key of the storage account to access for the CSE script(s)." + } + }, + "cseManagedIdentity": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. A managed identity to use for the CSE." + } + }, + "domainName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only" + } + }, + "domainJoinUser": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Mandatory if domainName is specified. User used for the join to the domain. 
Format: username@domainFQDN" + } + }, + "domainJoinOU": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: \"OU=testOU; DC=domain; DC=Domain; DC=com\"" + } + }, + "domainJoinPassword": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter" + } + }, + "domainJoinRestart": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Controls the restart of vm after executing domain join" + } + }, + "domainJoinOptions": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx" + } + }, + "dscConfiguration": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. The DSC configuration object" + } + }, + "bootDiagnosticStorageAccountUri": { + "type": "string", + "defaultValue": ".blob.core.windows.net/", + "metadata": { + "description": "Optional. Storage account boot diagnostic base URI." + } + }, + "bootDiagnosticStorageAccountName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock VM from deletion." + } + }, + "upgradePolicyMode": { + "defaultValue": "Manual", + "type": "string", + "allowedValues": [ + "Manual", + "Automatic", + "Rolling" + ], + "metadata": { + "description": "Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling" + } + }, + "maxBatchInstancePercent": { + "type": "int", + "defaultValue": 20, + "metadata": { + "description": "Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. 
As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability." + } + }, + "maxUnhealthyInstancePercent": { + "type": "int", + "defaultValue": 20, + "metadata": { + "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch" + } + }, + "maxUnhealthyUpgradedInstancePercent": { + "type": "int", + "defaultValue": 20, + "metadata": { + "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch." + } + }, + "pauseTimeBetweenBatches": { + "type": "string", + "defaultValue": "PT0S", + "metadata": { + "description": "Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format" + } + }, + "enableAutomaticOSUpgrade": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true." + } + }, + "disableAutomaticRollback": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Whether OS image rollback feature should be disabled." + } + }, + "automaticRepairsPolicyEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set." + } + }, + "gracePeriod": { + "type": "string", + "defaultValue": "PT30M", + "metadata": { + "description": "Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M)." + } + }, + "vmNamePrefix": { + "type": "string", + "defaultValue": "vmssvm", + "minLength": 1, + "maxLength": 15, + "metadata": { + "description": "Optional. Specifies the computer name prefix for all of the virtual machines in the scale set." + } + }, + "provisionVMAgent": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later." + } + }, + "enableAutomaticUpdates": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning." + } + }, + "timeZone": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. 
Possible values can be TimeZoneInfo.Id value from time zones returned by TimeZoneInfo.GetSystemTimeZones." + } + }, + "additionalUnattendContent": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object" + } + }, + "winRMListeners": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object." + } + }, + "disablePasswordAuthentication": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether password authentication should be disabled." + } + }, + "publicKeys": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs" + } + }, + "secrets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set." + } + }, + "scheduledEventsProfile": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specifies Scheduled Event related configurations" + } + }, + "overprovision": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned." + } + }, + "doNotRunExtensionsOnOverprovisionedVMs": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs." 
+ } + }, + "zoneBalance": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage." + } + }, + "singlePlacementGroup": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true." + } + }, + "scaleInPolicy": { + "type": "object", + "defaultValue": { + "rules": [ + "Default" + ] + }, + "metadata": { + "description": "Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in" + } + }, + "instanceSize": { + "type": "string", + "defaultValue": {}, + "metadata": { + "description": "Optional. The SKU size of the VMs." + } + }, + "instanceCount": { + "type": "string", + "defaultValue": 1, + "metadata": { + "description": "Optional. The initial instance count of scale set VMs." + } + }, + "availabilityZones": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "osType": { + "type": "string", + "allowedValues": [ + "Windows", + "Linux" + ], + "metadata": { + "description": "Optional. 
The chosen OS type" + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a registration token." + } + }, + "sasTokenValidityLength": { + "defaultValue": "PT8H", + "type": "string", + "metadata": { + "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." + } + }, + "managedIdentityType": { + "type": "string", + "allowedValues": [ + "SystemAssigned", + "UserAssigned", + "None", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The type of identity used for the virtual machine scale set. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine scale set. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None" + } + }, + "managedIdentityIdentities": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'." 
+ } + } + }, + "variables": { + "linuxConfiguration": { + "disablePasswordAuthentication": "[parameters('disablePasswordAuthentication')]", + "ssh": { + "copy": [ + { + "name": "publicKeys", + "count": "[length(parameters('publicKeys'))]", + "input": { + "path": "[parameters('publicKeys')[copyIndex('publicKeys')].path]", + "keyData": "[parameters('publicKeys')[copyIndex('publicKeys')].keyData]" + } + } + ] + }, + "provisionVMAgent": "[parameters('provisionVMAgent')]" + }, + "windowsConfiguration": { + "provisionVMAgent": "[parameters('provisionVMAgent')]", + "enableAutomaticUpdates": "[ parameters('enableAutomaticUpdates')]", + "timeZone": "[if(empty(parameters('timeZone')), json('null'), parameters('timeZone'))]", + "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), json('null'), parameters('additionalUnattendContent'))]", + "winRM": "[if(empty(parameters('winRMListeners')), json('null'), json(concat('{\"listeners\": \"', parameters('winRMListeners'), '\"}')))]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "accountSasProperties": { + "signedServices": "b", //Blob (b), Queue (q), Table (t), File (f). + "signedPermission": "r", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p) + "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z + "signedResourceTypes": "o", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files. 
+ "signedProtocol": "https" + }, + "diagnosticLogs": [], + "pidName": "[concat('pid-', parameters('cuaId'))]", + "builtInRoleNames": { + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]" + } + }, + "resources": [ + { + "name": "[variables('pidName')]", + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": 
"[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]", + "type": "Microsoft.Compute/proximityPlacementGroups", + "apiVersion": "2019-12-01", + "condition": "[not(empty(parameters('proximityPlacementGroupName')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "proximityPlacementGroupType": "[parameters('proximityPlacementGroupType')]" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[parameters('vmssName')]", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('vmssName')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + "[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]" + ], + "identity": "[if(empty(parameters('managedIdentityType')), json('null'), json(concat('{\"type\":\"', parameters('managedIdentityType'), if(not(empty(parameters('managedIdentityIdentities'))),concat(',\"userAssignedIdentities\":\"',parameters('managedIdentityIdentities') ),''), '\"}')))]", + "zones": "[parameters('availabilityZones')]", + "properties": { + "proximityPlacementGroup": "[if(empty(parameters('proximityPlacementGroupName')), json('null'), json(concat('{\"id\":\"', resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('proximityPlacementGroupName')),'\"}')))]", + "upgradePolicy": { + "mode": "[parameters('upgradePolicyMode')]", + "rollingUpgradePolicy": { + "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]", + "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]", + "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]", + "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]" + }, + "automaticOSUpgradePolicy": { + "enableAutomaticOSUpgrade": "[parameters('enableAutomaticOSUpgrade')]", + 
"disableAutomaticRollback": "[parameters('disableAutomaticRollback')]" + } + }, + "automaticRepairsPolicy": { + "enabled": "[parameters('automaticRepairsPolicyEnabled')]", + "gracePeriod": "[parameters('gracePeriod')]" + }, + "virtualMachineProfile": { + "osProfile": { + "computerNamePrefix": "[parameters('vmNamePrefix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[if(empty(parameters('adminPassword')), json('null'), parameters('adminPassword'))]", + "customData": "[if(empty(parameters('customData')), json('null'), base64(parameters('customData')))]", + "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), json('null'))]", + "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), json('null'))]", + "secrets": "[parameters('secrets')]" + }, + "storageProfile": { + "imageReference": "[parameters('imageReference')]", + "osDisk": { + "createOption": "[parameters('osDisk').createOption]", + "diskSizeGB": "[parameters('osDisk').diskSizeGB]", + "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, json('null'))]", + "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, json('null'))]", + "diffDiskSettings": "[if(contains(parameters('osDisk'), 'diffDiskSettings'), parameters('osDisk').diffDiskSettings, json('null'))]", + "osType": "[if(contains(parameters('osDisk'), 'osType'), parameters('osDisk').osType, json('null'))]", + "image": "[if(contains(parameters('osDisk'), 'image'), parameters('osDisk').image, json('null'))]", + "vhdContainers": "[if(contains(parameters('osDisk'), 'vhdContainers'), parameters('osDisk').vhdContainers, json('null'))]", + "managedDisk": { + "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]", + "diskEncryptionSet": "[if(contains(parameters('osDisk'), 'diskEncryptionSet'), 
parameters('osDisk').diskEncryptionSet, json('null'))]" + } + }, + "copy": [ + { + "name": "dataDisks", + "count": "[length(parameters('dataDisks'))]", + "input": { + "lun": "[copyIndex('dataDisks')]", + "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", + "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]", + "caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]", + "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, json('null'))]", + "managedDisk": { + "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", + "diskEncryptionSet": { + "id": "[if(parameters('enableServerSideEncryption'), parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id, json('null'))]" + } + }, + "diskIOPSReadWrite": "[if(contains(parameters('osDisk'), 'diskIOPSReadWrite'),parameters('dataDisks')[copyIndex('dataDisks')].diskIOPSReadWrite, json('null'))]", + "diskMBpsReadWrite": "[if(contains(parameters('osDisk'), 'diskMBpsReadWrite'),parameters('dataDisks')[copyIndex('dataDisks')].diskMBpsReadWrite, json('null'))]" + } + } + ] + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('nicConfigurations'))]", + "input": { + "name": "[concat(parameters('vmssName'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nicSuffix, 'configuration-', copyIndex('networkInterfaceConfigurations'))]", + "properties": { + "primary": "[if(equals(copyIndex('networkInterfaceConfigurations'), 0), 'true', 'false')]", + "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations'), 'enableAcceleratedNetworking'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking, json('null'))]", + "networkSecurityGroup": 
"[if(contains(parameters('nicConfigurations'), 'nsgId'), json(concat('{\"id\": \"', parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')), json('null'))]", + "ipConfigurations": "[parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].ipConfigurations]" + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "[not(empty(parameters('bootDiagnosticStorageAccountName')))]", + "storageUri": "[if(empty(parameters('bootDiagnosticStorageAccountName')), json('null'), concat('https://', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')))]" + } + }, + "licenseType": "[if(empty(parameters('licenseType')), json('null'),parameters('licenseType'))]", + "priority": "[parameters('vmPriority')]", + "evictionPolicy": "[if(parameters('enableEvictionPolicy'), 'Deallocate', json('null'))]", + "billingProfile": "[if(and(not(empty(parameters('vmPriority'))),not(empty(parameters('maxPriceForLowPriorityVm')))), json(concat('{\"maxPrice\":\"',parameters('maxPriceForLowPriorityVm'),'\"}')), json('null'))]", + "scheduledEventsProfile": "[parameters('scheduledEventsProfile')]" + }, + "overprovision": "[parameters('overprovision')]", + "doNotRunExtensionsOnOverprovisionedVMs": "[parameters('doNotRunExtensionsOnOverprovisionedVMs')]", + "zoneBalance": "[if(equals(parameters('zoneBalance'), 'true'), parameters('zoneBalance'), json('null'))]", + "platformFaultDomainCount": "[parameters('scaleSetFaultDomain')]", + "singlePlacementGroup": "[parameters('singlePlacementGroup')]", + "additionalCapabilities": { + "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]" + }, + "scaleInPolicy": "[parameters('scaleInPolicy')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + }, + "plan": "[if(empty(parameters('plan')), json('null'),parameters('plan'))]", + "resources": [ + { + "type": "providers/locks", + "apiVersion": 
"2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/vmssDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" + ], + "comments": "Resource lock on VM Scale Set", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'),'/DomainJoin')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[not(empty(parameters('domainName')))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" + ], + "properties": { + "publisher": "Microsoft.Compute", + "type": "JsonADDomainExtension", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": { + "Name": "[parameters('domainName')]", + "User": "[parameters('domainJoinUser')]", + "OUPath": "[parameters('domainJoinOU')]", + "Restart": "[parameters('domainJoinRestart')]", + "Options": "[parameters('domainJoinOptions')]" + }, + "protectedSettings": { + "Password": "[parameters('domainJoinPassword')]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/MicrosoftAntiMalware')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableMicrosoftAntiMalware')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DomainJoin')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "IaaSAntimalware", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": "[parameters('microsoftAntiMalwareSettings')]" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": 
"[concat(parameters('vmssName'), '/WindowsMMAAgent')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsMMAAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'MicrosoftAntiMalware')]" + ], + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "MicrosoftMonitoringAgent", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" + }, + "protectedSettings": { + "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/LinuxMMAAgent')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableLinuxMMAAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'WindowsMMAAgent')]" + ], + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "OmsAgentForLinux", + "typeHandlerVersion": "1.7", + "autoUpgradeMinorVersion": true, + "settings": { + "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" + }, + "protectedSettings": { + "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + 
"name": "[concat(parameters('vmssName'), '/WindowsDiskEncryption')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsDiskEncryption')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'LinuxMMAAgent')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "AzureDiskEncryption", + "typeHandlerVersion": "2.2", + "autoUpgradeMinorVersion": true, + "forceUpdateTag": "[parameters('forceUpdateTag')]", + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "[parameters('keyVaultUri')]", + "KeyVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", + "KekVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", + "VolumeType": "[parameters('diskEncryptionVolumeType')]", + "ResizeOSDisk": "[parameters('resizeOSDisk')]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/LinuxDiskEncryption')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableLinuxDiskEncryption')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'WindowsDiskEncryption')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "AzureDiskEncryptionForLinux", + "typeHandlerVersion": "1.1", + "autoUpgradeMinorVersion": true, + "forceUpdateTag": "[parameters('forceUpdateTag')]", + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "[parameters('keyVaultUri')]", + "KeyVaultResourceId": "[parameters('keyVaultId')]", 
+ "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", + "KekVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", + "VolumeType": "[parameters('diskEncryptionVolumeType')]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "apiVersion": "2020-06-01", + "name": "[concat(parameters('vmssName'), '/DependencyAgentWindows')]", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsDependencyAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'LinuxDiskEncryption')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "apiVersion": "2020-06-01", + "name": "[concat(parameters('vmssName'), '/DependencyAgentLinux')]", + "location": "[parameters('location')]", + "condition": "[parameters('enableLinuxDependencyAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DependencyAgentWindows')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentLinux", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/NetworkWatcherAgentWindows')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableNetworkWatcherWindows')]", + "dependsOn": [ + 
"[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DependencyAgentLinux')]" + ], + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentWindows", + "typeHandlerVersion": "1.4", + "autoUpgradeMinorVersion": true, + "settings": { + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/NetworkWatcherAgentLinux')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableNetworkWatcherLinux')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'NetworkWatcherAgentWindows')]" + ], + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentLinux", + "typeHandlerVersion": "1.4", + "autoUpgradeMinorVersion": true, + "settings": { + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "name": "[concat(parameters('vmssName'), '/windowsDsc')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "condition": "[not(empty(parameters('dscConfiguration')))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", + "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'NetworkWatcherAgentLinux')]" + ], + "properties": { + "publisher": "Microsoft.Powershell", + "type": "DSC", + "typeHandlerVersion": "2.77", + "autoUpgradeMinorVersion": true, + "settings": "[parameters('dscConfiguration').settings]", + "protectedSettings": "[if( contains(parameters('dscConfiguration'), 'protectedSettings'), parameters('dscConfiguration').protectedSettings, json('null') )]" + } + } + ] + }, + { + 
"type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "name": "[concat(parameters('vmssName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticLogs'))]" + } + }, + // This WindowsCustomScriptExtension has to be a top level resource, as the 'fileUris' property copy loop only works if this extension is not a nested resource within the VM. 
+ {
+ "apiVersion": "2019-07-01",
+ "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
+ "name": "[concat(parameters('vmssName'), '/WindowsCustomScriptExtension')]",
+ "location": "[parameters('location')]",
+ "condition": "[and(not(empty(parameters('windowsScriptExtensionFileData'))),not(empty(parameters('windowsScriptExtensionCommandToExecute'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]",
+ "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'windowsDsc')]"
+ ],
+ "properties": {
+ "publisher": "Microsoft.Compute",
+ "type": "CustomScriptExtension",
+ "typeHandlerVersion": "1.9",
+ "autoUpgradeMinorVersion": true,
+ "settings": {
+ "copy": [
+ {
+ "name": "fileUris",
+ "count": "[length(parameters('windowsScriptExtensionFileData'))]",
+ "input": "[concat(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].uri,if(contains(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')], 'storageAccountId'),concat('?',listAccountSas(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].storageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken) , '' ))]"
+ }
+ ]
+ },
+ "protectedSettings": {
+ "commandToExecute": "[parameters('windowsScriptExtensionCommandToExecute')]",
+ "storageAccountName": "[if(not(empty(parameters('cseStorageAccountName'))), parameters('cseStorageAccountName'), json('null'))]",
+ "storageAccountKey": "[if(not(empty(parameters('cseStorageAccountKey'))), parameters('cseStorageAccountKey'), json('null'))]",
+ "managedIdentity": "[if(not(empty(parameters('cseManagedIdentity'))), parameters('cseManagedIdentity'), json('null'))]"
+ }
+ }
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('vmssName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "vmssName": {
+ "value": "[parameters('vmssName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "vmssName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('vmssName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('vmssName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "vmssResourceIds": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]",
+ "metadata": {
+ "description": "The Resource Id of the VMSS."
+ }
+ },
+ "vmssResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the VMSS was/were created in."
+ }
+ },
+ "vmssName": {
+ "type": "string",
+ "value": "[parameters('vmssName')]",
+ "metadata": {
+ "description": "The Names of the VMSS"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/linux.parameters.json b/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/linux.parameters.json
new file mode 100644
index 0000000000..26b513c247
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/linux.parameters.json
@@ -0,0 +1,128 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmssName": {
+ "value": "linux-scaleset"
+ },
+ "vmNamePrefix": {
+ "value": "vmsslinvm"
+ },
+ "instanceSize": {
+ "value": "Standard_B2s"
+ },
+ "instanceCount": {
+ "value": "1"
+ },
+ "upgradePolicyMode": {
+ "value": "Manual"
+ },
+ "vmPriority": {
+ "value": "Regular"
+ },
+ "osDisk": {
+ "value": {
+ "createOption": "fromImage",
+ "diskSizeGB": "128",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ },
+ "availabilityZones": {
+ "value": [
+ "2"
+ ]
+ },
+ "scaleSetFaultDomain": {
+ "value": 1
+ },
+ "managedIdentityType": {
+ "value": "SystemAssigned"
+ },
+ "workspaceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ },
+ "enableLinuxMMAAgent": {
+ "value": true
+ },
+ "bootDiagnosticStorageAccountName": {
+ "value": "sxxazsaweux003"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "imageReference": {
+ "value": {
+ "publisher": "Canonical",
+ "offer": "UbuntuServer",
+ "sku": "18.04-LTS",
+ "version": "latest"
+ }
+ },
+ "adminUsername": {
+ "value": "scaleSetAdmin"
+ },
+ "disablePasswordAuthentication": {
+ "value": true
+ },
+ "publicKeys": {
+ "value": [
+ {
+ "path": "/home/scaleSetAdmin/.ssh/authorized_keys",
+ "keyData": "ssh-rsa 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 generated-by-azure"
+ }
+ ]
+ },
+ "dataDisks": {
+ "value": [
+ {
+ "caching": "ReadOnly",
+ "createOption": "Empty",
+ "diskSizeGB": "256",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ },
+ {
+ "caching": "ReadOnly",
+ "createOption": "Empty",
+ "diskSizeGB": "128",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ ]
+ },
+ "nicConfigurations": {
+ "value": [
+ {
+ "nicSuffix": "-nic01",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "subnet": {
+ "id": "subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-002"
+ }
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Contributor",
+ "principalIds": [
+ "3813e339-f61f-4746-b280-a0270b0e39af"
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/windows.parameters.json b/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/windows.parameters.json
new file mode 100644
index 0000000000..18ce8ea839
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/parameters/windows.parameters.json
@@ -0,0 +1,88 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmssName": {
+ "value": "windows-scaleset"
+ },
+ "vmNamePrefix": {
+ "value": "vmsswinvm"
+ },
+ "instanceSize": {
+ "value": "Standard_B2s"
+ },
+ "instanceCount": {
+ "value": "1"
+ },
+ "upgradePolicyMode": {
+ "value": "Manual"
+ },
+ "vmPriority": {
+ "value": "Regular"
+ },
+ "osDisk": {
+ "value": {
+ "createOption": "fromImage",
+ "diskSizeGB": "128",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "imageReference": {
+ "value": {
+ "publisher": "MicrosoftWindowsServer",
+ "offer": "WindowsServer",
+ "sku": "2016-Datacenter",
+ "version": "latest"
+ }
+ },
+ "adminUsername": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "adminUsername"
+ }
+ },
+ "adminPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "adminPassword"
+ }
+ },
+ "nicConfigurations": {
+ "value": [
+ {
+ "nicSuffix": "-nic01",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "subnet": {
+ "id": "subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-002"
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ // "windowsScriptExtensionFileData": {
+ // "value": [
+ // {
+ // "uri": "https://sxxazsaweux003.blob.core.windows.net/wvdscripts/testscript.ps1",
+ // "storageAccountId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ // }
+ // ]
+ // },
+ // "windowsScriptExtensionCommandToExecute": {
+ // "value": "powershell -ExecutionPolicy Unrestricted -Command '& .\testscript.ps1'"
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md
new file mode 100644
index 0000000000..e443b10647
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md
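Review bot: The commented-out `windowsScriptExtensionFileData` / `windowsScriptExtensionCommandToExecute` block at the end of `parameters` in windows.parameters.json should be removed or turned into real parameters, because `//` comments make the file invalid for strict JSON parsers even if the deployment tooling tolerates them. If the block is uncommented as written, the `\t` in `'& .\testscript.ps1'` is a JSON tab escape, so the command would no longer name the script; it needs `.\\testscript.ps1` or the `-File testscript.ps1` form shown in the readme. The `nicConfigurations` object just before it would also need a trailing comma. Leaving a disabled command line with `-ExecutionPolicy Unrestricted` in a sample invites copy-paste, so it is worth settling the intended policy before the block goes live.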
@@ -0,0 +1,391 @@ +# Virtual Machine Scale Sets + +This module deploys a virtual machine scale set + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Compute/ProximityPlacementGroups` | 2019-12-01 | +| `Microsoft.Compute/virtualMachineScaleSets/extensions` | 2020-06-01 | +| `Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Compute/virtualMachineScaleSets` | 2020-06-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `providers/locks` | 2016-09-01 | + +### Resource dependency + +The following resources are required to be able to deploy this resource. +- VirtualNetwork + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `additionalUnattendContent` | array | Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object | System.Object[] | | +| `adminPassword` | securestring | Required. When specifying a Windows Virtual Machine, this value should be passed | | | +| `adminUsername` | securestring | Required. Administrator username | | | +| `automaticRepairsPolicyEnabled` | bool | Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set. | False | | +| `availabilityZones` | array | Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. | System.Object[] | | +| `baseTime` | string | Generated. Do not provide a value! This date value is used to generate a registration token. | [utcNow('u')] | | +| `bootDiagnosticStorageAccountName` | string | Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. 
| | | +| `bootDiagnosticStorageAccountUri` | string | Optional. Storage account boot diagnostic base URI. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `customData` | string | Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | | | +| `dataDisks` | array | Optional. Specifies the data disks. | System.Object[] | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `disableAutomaticRollback` | bool | Optional. Whether OS image rollback feature should be disabled. | False | | +| `disablePasswordAuthentication` | bool | Optional. Specifies whether password authentication should be disabled. | False | | +| `diskEncryptionVolumeType` | string | Optional. Type of the volume OS or Data to perform encryption operation | All | System.Object[] | +| `diskKeyEncryptionAlgorithm` | string | Optional. Specifies disk key encryption algorithm. | RSA-OAEP | System.Object[] | +| `domainJoinOptions` | int | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | 3 | | +| `domainJoinOU` | string | Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com" | | | +| `domainJoinPassword` | securestring | Optional. Required if domainName is specified. 
Password of the user specified in domainJoinUser parameter | | | +| `domainJoinRestart` | bool | Optional. Controls the restart of vm after executing domain join | False | | +| `domainJoinUser` | string | Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN | | | +| `domainName` | string | Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only | | | +| `doNotRunExtensionsOnOverprovisionedVMs` | bool | Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | False | | +| `dscConfiguration` | object | Optional. The DSC configuration object | | | +| `enableAutomaticOSUpgrade` | bool | Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. | False | | +| `enableAutomaticUpdates` | bool | Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | True | | +| `enableEvictionPolicy` | bool | Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | False | | +| `enableLinuxDependencyAgent` | bool | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled. | False | | +| `enableLinuxDiskEncryption` | bool | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. 
| False | | +| `enableLinuxMMAAgent` | bool | Optional. Specifies if MMA agent for Linux VM should be enabled. | False | | +| `enableMicrosoftAntiMalware` | bool | Optional. Enables Microsoft Windows Defender AV. | False | | +| `enableNetworkWatcherLinux` | bool | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | False | | +| `enableNetworkWatcherWindows` | bool | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | False | | +| `enableServerSideEncryption` | bool | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | False | | +| `enableWindowsDependencyAgent` | bool | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled. | False | | +| `enableWindowsDiskEncryption` | bool | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | False | | +| `enableWindowsMMAAgent` | bool | Optional. Specifies if MMA agent for Windows VM should be enabled. | False | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `forceUpdateTag` | string | Optional. Pass in an unique value like a GUID everytime the operation needs to be force run | 1.0 | | +| `gracePeriod` | string | Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). 
The maximum allowed grace period is 90 minutes (PT90M). | PT30M | | +| `imageReference` | object | Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | | | +| `instanceCount` | string | Optional. The initial instance count of scale set VMs. | 1 | | +| `instanceSize` | string | Optional. The SKU size of the VMs. | | | +| `keyEncryptionKeyURL` | string | Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key | | | +| `keyVaultId` | string | Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides | | | +| `keyVaultUri` | string | Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides | | | +| `licenseType` | string | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | System.Object[] | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock VM from deletion. | False | | +| `maxBatchInstancePercent` | int | Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | 20 | | +| `maxPriceForLowPriorityVm` | string | Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | | +| `maxUnhealthyInstancePercent` | int | Optional. 
The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch | 20 | | +| `maxUnhealthyUpgradedInstancePercent` | int | Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | 20 | | +| `microsoftAntiMalwareSettings` | object | Optional. Settings for Microsoft Windows Defender AV extension. | | | +| `nicConfigurations` | array | Required. Configures NICs and PIPs. | System.Object[] | | +| `osDisk` | object | Required. Specifies the OS disk. | | | +| `osType` | string | Optional. The chosen OS type | | System.Object[] | +| `overprovision` | bool | Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned. | False | | +| `pauseTimeBetweenBatches` | string | Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format | PT0S | | +| `plan` | object | Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | | | +| `provisionVMAgent` | bool | Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. 
This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | True | | +| `proximityPlacementGroupName` | string | Optional. Creates an proximity placement group and adds the VMs to it. | | | +| `proximityPlacementGroupType` | string | Optional. Specifies the type of the proximity placement group. | Standard | System.Object[] | +| `publicKeys` | array | Optional. The list of SSH public keys used to authenticate with linux based VMs | System.Object[] | | +| `resizeOSDisk` | bool | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `sasTokenValidityLength` | string | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | PT8H | | +| `scaleInPolicy` | object | Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in | | | +| `scaleSetFaultDomain` | int | Optional. Fault Domain count for each placement group. | 2 | | +| `scheduledEventsProfile` | object | Optional. Specifies Scheduled Event related configurations | | | +| `secrets` | array | Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set. | System.Object[] | | +| `singlePlacementGroup` | bool | Optional. 
When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | True | | +| `tags` | object | Optional. Tags of the resource. | | | +| `timeZone` | string | Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be TimeZoneInfo.Id value from time zones returned by TimeZoneInfo.GetSystemTimeZones. | | | +| `ultraSSDEnabled` | bool | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | False | | +| `upgradePolicyMode` | string | Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling | Manual | System.Object[] | +| `vmNamePrefix` | string | Optional. Specifies the computer name prefix for all of the virtual machines in the scale set. | vmssvm | | +| `vmPriority` | string | Optional. Specifies the priority for the virtual machine. | Regular | System.Object[] | +| `vmssName` | string | Optional. Name of the VMSS. | | | +| `windowsScriptExtensionCommandToExecute` | securestring | Optional. Specifies the command that should be run on a Windows VM. | | | +| `windowsScriptExtensionFileData` | array | Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. 
| System.Object[] | | +| `cseStorageAccountName` | string | Optional. The name of the storage account to fetch to blob data from | | | +| `cseStorageAccountKey` | string | Optional. The key of the storage account to fetch the FileData blobs from | | | +| `cseManagedIdentity` | string | Optional. The managed identity to use to fetch the blob data. | | | +| `winRMListeners` | object | Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `zoneBalance` | bool | Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. | False | | +| `managedIdentityType` | string | Optional. The type of identity used for the virtual machine scale set. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine scale set. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None | | | +| `managedIdentityIdentities`| object | Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: `'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'`. 
| | | + +#### Marketplace images + +```json +"imageReference": { + "value": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2016-Datacenter", + "version": "latest" + } +} +``` + +#### Custom images + +```json +"imageReference": { + "value": { + "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" + } +} +``` + +### Parameter Usage: `plan` + +```json +"plan": { + "value": { + "name": "qvsa-25", + "product": "qualys-virtual-scanner", + "publisher": "qualysguard" + } +} +``` + +### Parameter Usage: `osDisk` + +```json + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } +} +``` + +### Parameter Usage: `dataDisks` + +```json +"dataDisks": { + "value": [{ + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "256", + "writeAcceleratorEnabled": true, + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "writeAcceleratorEnabled": true, + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }] +} +``` + +### Parameter Usage: `microsoftAntiMalwareSettings` + +```json +"microsoftAntiMalwareSettings": { + "AntimalwareEnabled": true, + "Exclusions": { + "Extensions": ".log;.ldf", + "Paths": "D:\\IISlogs;D:\\DatabaseLogs", + "Processes": "mssence.svc" + }, + "RealtimeProtectionEnabled": true, + "ScheduledScanSettings": { + "isEnabled": "true", + "scanType": "Quick", + "day": "7", + "time": "120" + } +} +``` + +### Parameter Usage: `publicKeys` + +```json +"publicKeys": { + "value": [ + { + "path": "/home/scaleSetAdmin/.ssh/authorized_keys", + "keyData": "ssh-rsa 
AAAAB3NzaC1yc2FAAAADAQABAAABgQDdOir5eO28EBwxU0Dyra7g9h0HUXDyMNFp2z8PhaTUQgHjrimkMxjYRwEOG/lxnYL7+TqZk+HcPTfbZOunHBw0Wx2CITzILt6531vmIYZGfq5YyYXbxZa5MON7L/PVivoRlPj5Z/g4RhqMhyfR7EPcZ516LJ8lXPTo8dE/bkOCS+kFBEYHvPEEKAyLs19sRcK37SeHjpX04zdg62nqtuRr00Tp7oeiTXA1xn5K5mxeAswotmd8CU0lWUcJuPBWQedo649b+L2cm52kTncOBI6YChAeyEc1PDF0Tn9FmpdOWKtI9efh+S3f8qkcVEtSTXKTeroBd31nzjAunMrZeM8Ut6dre+XeQQIjT7I8oEm+ZkIuItq0x2fls8JXP2YJDWDqu8v1+yLGTQ3Z9XVt2lMti/7bIgYxS0JvwOr7n5L4IzKvhb4fm21LLDGFa3o7Nsfe3fPb882APE0bLFCmfyIeiPh7go70WqZHakpgIr6LCWTyePez9CsI/rfWDb6eAM8= generated-by-azure" + } + ] +} +``` + + +### Paramter Usage `nicConfigurations` +```json +"nicConfigurations": { + "value": [ + { + "nicSuffix": "-nic01", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-scaleset/subnets/sxx-az-subnet-weu-scaleset-linux" + } + } + } + ] + } + ] +} +``` + +### Parameter Usage: `windowsScriptExtensionFileData` + +```json +"windowsScriptExtensionFileData": { + "value": [ + //storage accounts with SAS token requirement + { + "uri": "https://storageAccount.blob.core.windows.net/wvdscripts/File1.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + { + "uri": "https://storageAccount.blob.core.windows.net/wvdscripts/File2.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + { + "uri": "https://github.com/myProject/File3.ps1" + } + ] +} +``` + +### Parameter Usage: `windowsScriptExtensionFileData` with native storage account key support + +```json 
+"windowsScriptExtensionFileData": { + "value": [ + { + "https://mystorageaccount.blob.core.windows.net/wvdscripts/testscript.ps1" + } + ] +}, +"windowsScriptExtensionCommandToExecute": { + "value": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" +}, +"cseStorageAccountName": { + "value": "mystorageaccount" +}, +"cseStorageAccountKey": { + "value": "MyPlaceholder" +} +``` + +### Parameter Usage: `dscConfiguration` + +```json +"dscConfiguration": { + "value": { + "settings": { + "wmfVersion": "latest", + "configuration": { + "url": "http://validURLToConfigLocation", + "script": "ConfigurationScript.ps1", + "function": "ConfigurationFunction" + }, + "configurationArguments": { + "argument1": "Value1", + "argument2": "Value2" + }, + "configurationData": { + "url": "https://foo.psd1" + }, + "privacy": { + "dataCollection": "enable" + }, + "advancedOptions": { + "forcePullAndApply": false, + "downloadMappings": { + "specificDependencyKey": "https://myCustomDependencyLocation" + } + } + }, + "protectedSettings": { + "configurationArguments": { + "mySecret": "MyPlaceholder" + }, + "configurationUrlSasToken": "MyPlaceholder", + "configurationDataUrlSasToken": "MyPlaceholder" + } + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. 
A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `vmssName` | string | The Names of the VMSS | +| `vmssResourceGroup` | string | The name of the Resource Group the VMSS was/were created in. | +| `vmssResourceIds` | string | The Resource Id of the VMSS. | + +## Considerations + + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [ProximityPlacementGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-12-01/ProximityPlacementGroups) +- [VirtualMachineScaleSets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-06-01/virtualMachineScaleSets) \ No newline at end of file diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.json b/arm/Microsoft.Compute/virtualMachines/deploy.json new file mode 100644 index 0000000000..7f72227eeb --- /dev/null +++ b/arm/Microsoft.Compute/virtualMachines/deploy.json 
@@ -0,0 +1,2983 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmNames": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Name(s) of the virtual machine(s). If no explicit names are provided, VM name(s) will be generated based on the vmNamePrefix, vmNumberOfInstances and vmInitialNumber parameters." + } + }, + "vmNamePrefix": { + "type": "string", + "metadata": { + "description": "Optional. If no explicit values were provided in the vmNames parameter, this prefix will be used in combination with the vmNumberOfInstances and the vmInitialNumber parameters to create unique VM names. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name." + }, + "defaultValue": "[take(toLower(uniqueString(resourceGroup().name)),10)]" + }, + "vmComputerNames": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specifies the VM computer names for the VMs. If the VM name is not in the object as key the VM name is used as computer name. Be aware of the maximum size of 15 characters and limitations regarding special characters for the computer name. Once set it can't be changed via template." + } + }, + "vmComputerNamesTransformation": { + "type": "string", + "defaultValue": "none", + "metadata": { + "description": "Optional. Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'." + } + }, + "vmNumberOfInstances": { + "type": "int", + "minValue": 1, + "maxValue": 800, + "defaultValue": 1, + "metadata": { + "description": "Optional. 
If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmInitialNumber values." + } + }, + "vmInitialNumber": { + "type": "int", + "metadata": { + "description": "Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmNumberOfInstances values." + }, + "defaultValue": 1 + }, + "maxNumberOfVmsPerDeployment": { + "type": "int", + "defaultValue": 50, + "metadata": { + "description": "Optional. The maximum number of VMs allowed in a single deployment. The template will create additional deployments if the number of VMs to be deployed exceeds this quota." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "Optional. Specifies the size for the VMs" + } + }, + "imageReference": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image." + } + }, + "plan": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use." + } + }, + "osDisk": { + "type": "object", + "metadata": { + "description": "Required. Specifies the OS disk." + } + }, + "dataDisks": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Specifies the data disks." 
+ } + }, + "ultraSSDEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled." + } + }, + "adminUsername": { + "type": "securestring", + "metadata": { + "description": "Required. Administrator username" + } + }, + "adminPassword": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Required. When specifying a Windows Virtual Machine, this value should be passed" + } + }, + "customData": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format." + } + }, + "windowsConfiguration": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Specifies Windows operating system settings on the virtual machine." + } + }, + "linuxConfiguration": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Specifies the Linux operating system settings on the virtual machine." + } + }, + "certificatesToBeInstalled": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Specifies set of certificates that should be installed onto the virtual machine." + } + }, + "allowExtensionOperations": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine." + } + }, + "availabilitySetNames": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. 
Name(s) of the availability set(s). If no explicit names are provided, availability set name(s) will be generated based on the availabilitySetName, vmNumberOfInstances and maxNumberOfVmsPerAvSet parameters." + } + }, + "availabilitySetName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Creates an availability set with the given name and adds the VMs to it. Cannot be used in combination with availability zone nor scale set." + } + }, + "availabilitySetFaultDomain": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Optional. The number of fault domains to use." + } + }, + "availabilitySetUpdateDomain": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Optional. The number of update domains to use." + } + }, + "availabilitySetSku": { + "type": "string", + "defaultValue": "Aligned", + "metadata": { + "description": "Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks." + } + }, + "maxNumberOfVmsPerAvSet": { + "type": "int", + "minValue": 1, + "maxValue": 200, + "defaultValue": 200, + "metadata": { + "description": "Optional. The maximum number of VMs allowed in an availability set. The template will create additional availability sets if the number of VMs to be deployed exceeds this quota." + } + }, + "proximityPlacementGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Creates an proximity placement group and adds the VMs to it." + } + }, + "proximityPlacementGroupType": { + "type": "string", + "allowedValues": [ + "Standard", + "Ultra" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Optional. Specifies the type of the proximity placement group." + } + }, + "useAvailabilityZone": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Creates an availability zone and adds the VMs to it. Cannot be used in combination with availability set nor scale set." + } + }, + "availabilityZone": { + "type": "int", + "defaultValue": 0, + "allowedValues": [ 0, 1, 2, 3 ], + "metadata": { + "description": "Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then the automatic algorithm will be used to give every VM in a different zone (up to three zones). Cannot be used in combination with availability set nor scale set." + } + }, + "nicConfigurations": { + "type": "array", + "metadata": { + "description": "Required. Configures NICs and PIPs." + } + }, + "vmPriority": { + "type": "string", + "defaultValue": "Regular", + "allowedValues": [ + "Regular", + "Low", + "Spot" + ], + "metadata": { + "description": "Optional. Specifies the priority for the virtual machine." + } + }, + "enableEvictionPolicy": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy." + } + }, + "maxPriceForLowPriorityVm": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." + } + }, + "dedicatedHostId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies resource Id about the dedicated host that the virtual machine resides in." + } + }, + "licenseType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Windows_Client", + "Windows_Server", + "" + ], + "metadata": { + "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system." 
+ } + }, + "enableMicrosoftAntiMalware": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enables Microsoft Windows Defender AV." + } + }, + "microsoftAntiMalwareSettings": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Settings for Microsoft Windows Defender AV extension." + } + }, + "enableWindowsMMAAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if MMA agent for Windows VM should be enabled." + } + }, + "enableLinuxMMAAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if MMA agent for Linux VM should be enabled." + } + }, + "enableWindowsDependencyAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled." + } + }, + "enableLinuxDependencyAgent": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled." + } + }, + "enableNetworkWatcherWindows": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled." + } + }, + "enableNetworkWatcherLinux": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled." + } + }, + "enableWindowsDiskEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." + } + }, + "enableServerSideEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key." + } + }, + "enableLinuxDiskEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." + } + }, + "managedServiceIdentity": { + "type": "string", + "defaultValue": "None", + "allowedValues": [ + "None", + "SystemAssigned", + "UserAssigned", + "SystemAssigned, UserAssigned", + "UserAssigned, SystemAssigned" + ], + "metadata": { + "description": "Optional. The type of identity used for the virtual machine. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' (default) will remove any identities from the virtual machine." + } + }, + "userAssignedIdentities": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Mandatory if 'managedServiceIdentity' contains UserAssigned. The list of user identities associated with the Virtual Machine." + } + }, + "diskKeyEncryptionAlgorithm": { + "type": "string", + "defaultValue": "RSA-OAEP", + "allowedValues": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "metadata": { + "description": "Optional. Specifies disk key encryption algorithm." + } + }, + "keyEncryptionKeyURL": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key" + } + }, + "keyVaultUri": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides" + } + }, + "keyVaultId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides" + } + }, + "diskEncryptionVolumeType": { + "type": "string", + "defaultValue": "All", + "allowedValues": [ + "OS", + "Data", + "All" + ], + "metadata": { + "description": "Optional. Type of the volume OS or Data to perform encryption operation" + } + }, + "forceUpdateTag": { + "type": "string", + "defaultValue": "1.0", + "metadata": { + "description": "Optional. Pass in an unique value like a GUID everytime the operation needs to be force run" + } + }, + "resizeOSDisk": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume" + } + }, + "windowsScriptExtensionFileData": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM." + } + }, + "windowsScriptExtensionCommandToExecute": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the command that should be run on a Windows VM." + } + }, + "cseStorageAccountName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the storage account to access for the CSE script(s)." + } + }, + "cseStorageAccountKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The storage key of the storage account to access for the CSE script(s)." + } + }, + "cseManagedIdentity": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. A managed identity to use for the CSE." + } + }, + "backupVaultName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Recovery service vault name to add VMs to backup." 
+ } + }, + "backupVaultResourceGroup": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource group of the backup recovery service vault." + } + }, + "backupPolicyName": { + "type": "string", + "defaultValue": "DefaultPolicy", + "metadata": { + "description": "Optional. Backup policy the VMs should be using for backup." + } + }, + "domainName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only" + } + }, + "domainJoinUser": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN" + } + }, + "domainJoinOU": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: \"OU=testOU; DC=domain; DC=Domain; DC=com\"" + } + }, + "domainJoinPassword": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter" + } + }, + "domainJoinRestart": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Controls the restart of vm after executing domain join" + } + }, + "domainJoinOptions": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. 
For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx" + } + }, + "dscConfiguration": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. The DSC configuration object" + } + }, + "bootDiagnosticStorageAccountName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." + } + }, + "bootDiagnosticStorageAccountUri": { + "type": "string", + "defaultValue": ".blob.core.windows.net/", + "metadata": { + "description": "Optional. Storage account boot diagnostic base URI." + } + }, + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." 
+ } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock VM from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a registration token." + } + }, + "sasTokenValidityLength": { + "defaultValue": "PT8H", + "type": "string", + "metadata": { + "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." 
+ } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "identity": { + "type": "[parameters('managedServiceIdentity')]", + "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')),json('null'),parameters('userAssignedIdentities') )]" + }, + "pidName": "[concat('pid-', parameters('cuaId'))]", + "copy": [ + { + "name": "vmGeneratedNames", + "count": "[parameters('vmNumberOfInstances')]", + "input": "[concat(parameters('vmNamePrefix'), padLeft( copyIndex('vmGeneratedNames', parameters('vmInitialNumber') ),3,'0' ) )]" + }, + { + "name": "avSetGeneratedNames", + "count": "[if(equals(mod(parameters('vmNumberOfInstances'), parameters('maxNumberOfVmsPerAvSet')), 0), div(parameters('vmNumberOfInstances'), parameters('maxNumberOfVmsPerAvSet') ), add(div(parameters('vmNumberOfInstances'), parameters('maxNumberOfVmsPerAvSet') ),1))]", + "input": "[concat(parameters('availabilitySetName'), '-', padLeft( copyIndex('avSetGeneratedNames', 1 ),3,'0' ) )]" + }, + { + "name": "availabilityZones", + "count": "[length(variables('vmNames'))]", + "input": "[if(equals(parameters('availabilityZone'), 0), string(add(mod(copyIndex('availabilityZones'), 3), 1)), string(parameters('availabilityZone')))]" + } + ], + "vmNames": "[if( empty( parameters('vmNames') ), variables('vmGeneratedNames'), parameters('vmNames') )]", + "avSetNames": "[if(and(empty( parameters('availabilitySetNames')), empty( parameters('availabilitySetName'))), json('[]'), if(empty( parameters('availabilitySetNames') ), variables('avSetGeneratedNames'), parameters('availabilitySetNames')))]", + "accountSasProperties": { + "signedServices": "b", //Blob (b), Queue (q), Table (t), File (f). 
+ "signedPermission": "r", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p) + "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z + "signedResourceTypes": "o", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files. + "signedProtocol": "https" + }, + "builtInRoleNames": { + "Avere Cluster Create": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3')]", + "Avere Cluster Runtime Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e078ab98-ef3a-4c9a-aba7-12f5172b45d0')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Service Deploy Release Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21d96096-b162-414a-8302-d8354f9d91b2')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "CAL-Custom-Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7b266cd7-0bba-4ae2-8423-90ede5e1e898')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", 
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "masterreader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Microsoft OneAsset Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bb084-1503-4bd2-99c0-630220046786')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reservation Purchaser": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]" + } + }, + "resources": [ + // CUA ID + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('pidName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Proximity Placement Groups + { + "type": "Microsoft.Compute/proximityPlacementGroups", + "apiVersion": "2020-12-01", + "condition": "[not(empty(parameters('proximityPlacementGroupName')))]", + "location": 
"[parameters('location')]", + "tags": "[parameters('tags')]", + "name": "[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]", + "properties": { + "proximityPlacementGroupType": "[parameters('proximityPlacementGroupType')]" + } + }, + // Availability Sets + { + "type": "Microsoft.Compute/availabilitySets", + "apiVersion": "2020-12-01", + "condition": "[not(empty(variables('avSetNames')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "name": "[if(not(empty(variables('avSetNames'))),variables('avSetNames')[copyIndex('avSetLoop')],'dummyAvailabilitySet')]", + "dependsOn": [ + "[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]" + ], + "copy": { + "name": "avSetLoop", + "count": "[length(variables('avSetNames'))]" + }, + "properties": { + "platformFaultDomainCount": "[parameters('availabilitySetFaultDomain')]", + "platformUpdateDomainCount": "[parameters('availabilitySetUpdateDomain')]", + "proximityPlacementGroup": "[if(empty(parameters('proximityPlacementGroupName')), json('null'), json(concat('{\"id\":\"', resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('proximityPlacementGroupName')),'\"}')))]" + }, + "sku": { + "name": "[parameters('availabilitySetSku')]" + } + }, + // Deployment bulkVMdeployment + { + "name": "[concat('bulkVMdeployment-', copyIndex('vmDepBulkVMdeployment'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "dependsOn": [ + "avSetLoop" + ], + "copy": { + "name": "vmDepBulkVMdeployment", + "count": "[if(equals(mod(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment')), 0), div(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment') ), add(div(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment') ),1))]" + }, + "properties": { + "mode": "Incremental", + 
"expressionEvaluationOptions": {
+ "scope": "Inner"
+ },
+ "parameters": {
+ "vmNames": {
+ "value": "[take( skip(variables('vmNames'), mul( copyIndex(), parameters('maxNumberOfVmsPerDeployment') ) ), parameters('maxNumberOfVmsPerDeployment'))]"
+ },
+ "nicConfigurations": {
+ "value": "[parameters('nicConfigurations')]"
+ },
+ "avSetNames": {
+ "value": "[variables('avSetNames')]"
+ },
+ "maxNumberOfVmsPerAvSet": {
+ "value": "[parameters('maxNumberOfVmsPerAvSet')]"
+ },
+ "maxNumberOfVmsPerDeployment": {
+ "value": "[parameters('maxNumberOfVmsPerDeployment')]"
+ },
+ "bulkVMdeploymentLoopIndex": {
+ "value": "[copyIndex('vmDepBulkVMdeployment')]"
+ },
+ "proximityPlacementGroupName": {
+ "value": "[parameters('proximityPlacementGroupName')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmComputerNames": {
+ "value": "[parameters('vmComputerNames')]"
+ },
+ "vmComputerNamesTransformation": {
+ "value": "[parameters('vmComputerNamesTransformation')]"
+ },
+ "useAvailabilityZone": {
+ "value": "[parameters('useAvailabilityZone')]"
+ },
+ "availabilityZones": {
+ "value": "[variables('availabilityZones')]"
+ },
+ "plan": {
+ "value": "[parameters('plan')]"
+ },
+ "lockForDeletion": {
+ "value": "[parameters('lockForDeletion')]"
+ },
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "[parameters('diagnosticStorageAccountId')]"
+ },
+ "workspaceId": {
+ "value": "[parameters('workspaceId')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[variables('diagnosticsMetrics')]"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": "[parameters('diagnosticLogsRetentionInDays')]"
+ },
+ "vmSize": {
+ "value": "[parameters('vmSize')]"
+ },
+ "imageReference": {
+ "value": "[parameters('imageReference')]"
+ },
+ "osDisk": {
+ "value": "[parameters('osDisk')]"
+ },
+ "dataDisks": {
+ "value": "[parameters('dataDisks')]"
+ },
+ "enableServerSideEncryption": {
+ "value": "[parameters('enableServerSideEncryption')]"
+ },
+ "ultraSSDEnabled": {
+ "value": "[parameters('ultraSSDEnabled')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('adminUsername')]"
+ },
+ "adminPassword": {
+ "value": "[parameters('adminPassword')]"
+ },
+ "customData": {
+ "value": "[parameters('customData')]"
+ },
+ "windowsConfiguration": {
+ "value": "[parameters('windowsConfiguration')]"
+ },
+ "linuxConfiguration": {
+ "value": "[parameters('linuxConfiguration')]"
+ },
+ "certificatesToBeInstalled": {
+ "value": "[parameters('certificatesToBeInstalled')]"
+ },
+ "allowExtensionOperations": {
+ "value": "[parameters('allowExtensionOperations')]"
+ },
+ "bootDiagnosticStorageAccountName": {
+ "value": "[parameters('bootDiagnosticStorageAccountName')]"
+ },
+ "bootDiagnosticStorageAccountUri": {
+ "value": "[parameters('bootDiagnosticStorageAccountUri')]"
+ },
+ "vmPriority": {
+ "value": "[parameters('vmPriority')]"
+ },
+ "enableEvictionPolicy": {
+ "value": "[parameters('enableEvictionPolicy')]"
+ },
+ "dedicatedHostId": {
+ "value": "[parameters('dedicatedHostId')]"
+ },
+ "licenseType": {
+ "value": "[parameters('licenseType')]"
+ },
+ "domainName": {
+ "value": "[parameters('domainName')]"
+ },
+ "domainJoinUser": {
+ "value": "[parameters('domainJoinUser')]"
+ },
+ "domainJoinOU": {
+ "value": "[parameters('domainJoinOU')]"
+ },
+ "domainJoinRestart": {
+ "value": "[parameters('domainJoinRestart')]"
+ },
+ "domainJoinOptions": {
+ "value": "[parameters('domainJoinOptions')]"
+ },
+ "domainJoinPassword": {
+ "value": "[parameters('domainJoinPassword')]"
+ },
+ "enableMicrosoftAntiMalware": {
+ "value": "[parameters('enableMicrosoftAntiMalware')]"
+ },
+ "microsoftAntiMalwareSettings": {
+ "value": "[parameters('microsoftAntiMalwareSettings')]"
+ },
+ "enableWindowsMMAAgent": {
+ "value": "[parameters('enableWindowsMMAAgent')]"
+ },
+ "enableLinuxMMAAgent": {
+ "value": "[parameters('enableLinuxMMAAgent')]"
+ },
+ "enableWindowsDiskEncryption": {
+ "value": "[parameters('enableWindowsDiskEncryption')]"
+ },
+ "forceUpdateTag": {
+ "value": "[parameters('forceUpdateTag')]"
+ },
+ "keyVaultUri": {
+ "value": "[parameters('keyVaultUri')]"
+ },
+ "keyVaultId": {
+ "value": "[parameters('keyVaultId')]"
+ },
+ "keyEncryptionKeyURL": {
+ "value": "[parameters('keyEncryptionKeyURL')]"
+ },
+ "diskKeyEncryptionAlgorithm": {
+ "value": "[parameters('diskKeyEncryptionAlgorithm')]"
+ },
+ "diskEncryptionVolumeType": {
+ "value": "[parameters('diskEncryptionVolumeType')]"
+ },
+ "resizeOSDisk": {
+ "value": "[parameters('resizeOSDisk')]"
+ },
+ "enableLinuxDiskEncryption": {
+ "value": "[parameters('enableLinuxDiskEncryption')]"
+ },
+ "enableWindowsDependencyAgent": {
+ "value": "[parameters('enableWindowsDependencyAgent')]"
+ },
+ "enableLinuxDependencyAgent": {
+ "value": "[parameters('enableLinuxDependencyAgent')]"
+ },
+ "enableNetworkWatcherWindows": {
+ "value": "[parameters('enableNetworkWatcherWindows')]"
+ },
+ "enableNetworkWatcherLinux": {
+ "value": "[parameters('enableNetworkWatcherLinux')]"
+ },
+ "identity": {
+ "value": "[variables('identity')]"
+ },
+ "dscConfiguration": {
+ "value": "[parameters('dscConfiguration')]"
+ },
+ "windowsScriptExtensionFileData": {
+ "value": "[parameters('windowsScriptExtensionFileData')]"
+ },
+ "windowsScriptExtensionCommandToExecute": {
+ "value": "[parameters('windowsScriptExtensionCommandToExecute')]"
+ },
+ "cseStorageAccountName": {
+ "value": "[parameters('cseStorageAccountName')]"
+ },
+ "cseStorageAccountKey": {
+ "value": "[parameters('cseStorageAccountKey')]"
+ },
+ "cseManagedIdentity": {
+ "value": "[parameters('cseManagedIdentity')]"
+ },
+ "maxPriceForLowPriorityVm": {
+ "value": "[parameters('maxPriceForLowPriorityVm')]"
+ },
+ "accountSasProperties": {
+ "value": "[variables('accountSasProperties')]"
+ },
+ "roleAssignments": {
+ "value": "[parameters('roleAssignments')]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "backupVaultName": {
+ "value": "[parameters('backupVaultName')]"
+ },
+ "backupVaultResourceGroup": {
+ "value": "[parameters('backupVaultResourceGroup')]"
+ },
+ "backupPolicyName": {
+ "value": "[parameters('backupPolicyName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmNames": {
+ "type": "array"
+ },
+ "nicConfigurations": {
+ "type": "array"
+ },
+ "avSetNames": {
+ "type": "array"
+ },
+ "maxNumberOfVmsPerAvSet": {
+ "type": "int"
+ },
+ "maxNumberOfVmsPerDeployment": {
+ "type": "int"
+ },
+ "bulkVMdeploymentLoopIndex": {
+ "type": "int"
+ },
+ "proximityPlacementGroupName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "vmComputerNames": {
+ "type": "object"
+ },
+ "vmComputerNamesTransformation": {
+ "type": "string"
+ },
+ "useAvailabilityZone": {
+ "type": "bool"
+ },
+ "availabilityZones": {
+ "type": "array"
+ },
+ "plan": {
+ "type": "object"
+ },
+ "lockForDeletion": {
+ "type": "bool"
+ },
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string"
+ },
+ "workspaceId": {
+ "type": "string"
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int"
+ },
+ "vmSize": {
+ "type": "string"
+ },
+ "imageReference": {
+ "type": "object"
+ },
+ "osDisk": {
+ "type": "object"
+ },
+ "dataDisks": {
+ "type": "array"
+ },
+ "enableServerSideEncryption": {
+ "type": "bool"
+ },
+ "ultraSSDEnabled": {
+ "type": "bool"
+ },
+ "adminUsername": {
+ "type": "securestring"
+ },
+ "adminPassword": {
+ "type": "securestring"
+ },
+ "customData": {
+ "type": "string"
+ },
+ "windowsConfiguration": {
+ "type": "object"
+ },
+ "linuxConfiguration": {
+ "type": "object"
+ },
+ "certificatesToBeInstalled": {
+ "type": "array"
+ },
+ "allowExtensionOperations": {
+ "type": "bool"
+ },
+ "bootDiagnosticStorageAccountName": {
+ "type": "string"
+ },
+ "bootDiagnosticStorageAccountUri": {
+ "type": "string"
+ },
+ "vmPriority": {
+ "type": "string"
+ },
+ "enableEvictionPolicy": {
+ "type": "bool"
+ },
+ "dedicatedHostId": {
+ "type": "string"
+ },
+ "licenseType": {
+ "type": "string"
+ },
+ "domainName": {
+ "type": "string"
+ },
+ "domainJoinUser": {
+ "type": "string"
+ },
+ "domainJoinOU": {
+ "type": "string"
+ },
+ "domainJoinRestart": {
+ "type": "bool"
+ },
+ "domainJoinOptions": {
+ "type": "int"
+ },
+ "domainJoinPassword": {
+ "type": "securestring"
+ },
+ "enableMicrosoftAntiMalware": {
+ "type": "bool"
+ },
+ "microsoftAntiMalwareSettings": {
+ "type": "object"
+ },
+ "enableWindowsMMAAgent": {
+ "type": "bool"
+ },
+ "enableLinuxMMAAgent": {
+ "type": "bool"
+ },
+ "enableWindowsDiskEncryption": {
+ "type": "bool"
+ },
+ "forceUpdateTag": {
+ "type": "string"
+ },
+ "keyVaultUri": {
+ "type": "string"
+ },
+ "keyVaultId": {
+ "type": "string"
+ },
+ "keyEncryptionKeyURL": {
+ "type": "string"
+ },
+ "diskKeyEncryptionAlgorithm": {
+ "type": "string"
+ },
+ "diskEncryptionVolumeType": {
+ "type": "string"
+ },
+ "resizeOSDisk": {
+ "type": "bool"
+ },
+ "enableLinuxDiskEncryption": {
+ "type": "bool"
+ },
+ "enableWindowsDependencyAgent": {
+ "type": "bool"
+ },
+ "enableLinuxDependencyAgent": {
+ "type": "bool"
+ },
+ "enableNetworkWatcherWindows": {
+ "type": "bool"
+ },
+ "enableNetworkWatcherLinux": {
+ "type": "bool"
+ },
+ "identity": {
+ "type": "object"
+ },
+ "dscConfiguration": {
+ "type": "object"
+ },
+ "windowsScriptExtensionFileData": {
+ "type": "array"
+ },
+ "windowsScriptExtensionCommandToExecute": {
+ "type": "securestring"
+ },
+ "cseStorageAccountName": {
+ "type": "string"
+ },
+ "cseStorageAccountKey": {
+ "type": "string"
+ },
+ "cseManagedIdentity": {
+ "type": "object"
+ },
+ "maxPriceForLowPriorityVm": {
+ "type": "securestring"
+ },
+ "accountSasProperties": {
+ "type": "object"
+ },
+ "roleAssignments": {
+ "type": "array"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "backupVaultName": {
+ "type": "string"
+ },
+ "backupVaultResourceGroup": {
+ "type": "string"
+ },
+ "backupPolicyName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ // Deployment VM Loop
+ {
+ "name": "[concat(parameters('vmNames')[copyIndex('vmLoop')], '-vmLoop')]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('nicConfigurations')))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "vmLoop",
+ "count": "[length(parameters('vmNames'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmLoopIndex": {
+ "value": "[copyIndex('vmLoop')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmNames')[copyIndex('vmLoop')]]"
+ },
+ "vmComputerNames": {
+ "value": "[parameters('vmComputerNames')]"
+ },
+ "vmComputerNamesTransformation": {
+ "value": "[parameters('vmComputerNamesTransformation')]"
+ },
+ "useAvailabilityZone": {
+ "value": "[parameters('useAvailabilityZone')]"
+ },
+ "availabilityZone": {
+ "value": "[parameters('availabilityZones')[copyIndex('vmLoop')]]"
+ },
+ "plan": {
+ "value": "[parameters('plan')]"
+ },
+ "nicConfigurations": {
+ "value": "[parameters('nicConfigurations')]"
+ },
+ "lockForDeletion": {
+ "value": "[parameters('lockForDeletion')]"
+ },
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "[parameters('diagnosticStorageAccountId')]"
+ },
+ "workspaceId": {
+ "value": "[parameters('workspaceId')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[parameters('diagnosticsMetrics')]"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": "[parameters('diagnosticLogsRetentionInDays')]"
+ },
+ "vmSize": {
+ "value": "[parameters('vmSize')]"
+ },
+ "imageReference": {
+ "value": "[parameters('imageReference')]"
+ },
+ "osDisk": {
+ "value": "[parameters('osDisk')]"
+ },
+ "dataDisks": {
+ "value": "[parameters('dataDisks')]"
+ },
+ "enableServerSideEncryption": {
+ "value": "[parameters('enableServerSideEncryption')]"
+ },
+ "ultraSSDEnabled": {
+ "value": "[parameters('ultraSSDEnabled')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('adminUsername')]"
+ },
+ "adminPassword": {
+ "value": "[parameters('adminPassword')]"
+ },
+ "customData": {
+ "value": "[parameters('customData')]"
+ },
+ "windowsConfiguration": {
+ "value": "[parameters('windowsConfiguration')]"
+ },
+ "linuxConfiguration": {
+ "value": "[parameters('linuxConfiguration')]"
+ },
+ "certificatesToBeInstalled": {
+ "value": "[parameters('certificatesToBeInstalled')]"
+ },
+ "allowExtensionOperations": {
+ "value": "[parameters('allowExtensionOperations')]"
+ },
+ "bootDiagnosticStorageAccountName": {
+ "value": "[parameters('bootDiagnosticStorageAccountName')]"
+ },
+ "bootDiagnosticStorageAccountUri": {
+ "value": "[parameters('bootDiagnosticStorageAccountUri')]"
+ },
+ "avSetNames": {
+ "value": "[parameters('avSetNames')]"
+ },
+ "maxNumberOfVmsPerAvSet": {
+ "value": "[parameters('maxNumberOfVmsPerAvSet')]"
+ },
+ "maxNumberOfVmsPerDeployment": {
+ "value": "[parameters('maxNumberOfVmsPerDeployment')]"
+ },
+ "bulkVMdeploymentLoopIndex": {
+ "value": "[parameters('bulkVMdeploymentLoopIndex')]"
+ },
+ "proximityPlacementGroupName": {
+ "value": "[parameters('proximityPlacementGroupName')]"
+ },
+ "vmPriority": {
+ "value": "[parameters('vmPriority')]"
+ },
+ "enableEvictionPolicy": {
+ "value": "[parameters('enableEvictionPolicy')]"
+ },
+ "dedicatedHostId": {
+ "value": "[parameters('dedicatedHostId')]"
+ },
+ "licenseType": {
+ "value": "[parameters('licenseType')]"
+ },
+ "domainName": {
+ "value": "[parameters('domainName')]"
+ },
+ "domainJoinUser": {
+ "value": "[parameters('domainJoinUser')]"
+ },
+ "domainJoinOU": {
+ "value": "[parameters('domainJoinOU')]"
+ },
+ "domainJoinRestart": {
+ "value": "[parameters('domainJoinRestart')]"
+ },
+ "domainJoinOptions": {
+ "value": "[parameters('domainJoinOptions')]"
+ },
+ "domainJoinPassword": {
+ "value": "[parameters('domainJoinPassword')]"
+ },
+ "enableMicrosoftAntiMalware": {
+ "value": "[parameters('enableMicrosoftAntiMalware')]"
+ },
+ "microsoftAntiMalwareSettings": {
+ "value": "[parameters('microsoftAntiMalwareSettings')]"
+ },
+ "enableWindowsMMAAgent": {
+ "value": "[parameters('enableWindowsMMAAgent')]"
+ },
+ "enableLinuxMMAAgent": {
+ "value": "[parameters('enableLinuxMMAAgent')]"
+ },
+ "enableWindowsDiskEncryption": {
+ "value": "[parameters('enableWindowsDiskEncryption')]"
+ },
+ "forceUpdateTag": {
+ "value": "[parameters('forceUpdateTag')]"
+ },
+ "keyVaultUri": {
+ "value": "[parameters('keyVaultUri')]"
+ },
+ "keyVaultId": {
+ "value": "[parameters('keyVaultId')]"
+ },
+ "keyEncryptionKeyURL": {
+ "value": "[parameters('keyEncryptionKeyURL')]"
+ },
+ "diskKeyEncryptionAlgorithm": {
+ "value": "[parameters('diskKeyEncryptionAlgorithm')]"
+ },
+ "diskEncryptionVolumeType": {
+ "value": "[parameters('diskEncryptionVolumeType')]"
+ },
+ "resizeOSDisk": {
+ "value": "[parameters('resizeOSDisk')]"
+ },
+ "enableLinuxDiskEncryption": {
+ "value": "[parameters('enableLinuxDiskEncryption')]"
+ },
+ "enableWindowsDependencyAgent": {
+ "value": "[parameters('enableWindowsDependencyAgent')]"
+ },
+ "enableLinuxDependencyAgent": {
+ "value": "[parameters('enableLinuxDependencyAgent')]"
+ },
+ "enableNetworkWatcherWindows": {
+ "value": "[parameters('enableNetworkWatcherWindows')]"
+ },
+ "enableNetworkWatcherLinux": {
+ "value": "[parameters('enableNetworkWatcherLinux')]"
+ },
+ "identity": {
+ "value": "[parameters('identity')]"
+ },
+ "dscConfiguration": {
+ "value": "[parameters('dscConfiguration')]"
+ },
+ "windowsScriptExtensionFileData": {
+ "value": "[parameters('windowsScriptExtensionFileData')]"
+ },
+ "windowsScriptExtensionCommandToExecute": {
+ "value": "[parameters('windowsScriptExtensionCommandToExecute')]"
+ },
+ "cseStorageAccountName": {
+ "value": "[parameters('cseStorageAccountName')]"
+ },
+ "cseStorageAccountKey": {
+ "value": "[parameters('cseStorageAccountKey')]"
+ },
+ "cseManagedIdentity": {
+ "value": "[parameters('cseManagedIdentity')]"
+ },
+ "maxPriceForLowPriorityVm": {
+ "value": "[parameters('maxPriceForLowPriorityVm')]"
+ },
+ "accountSasProperties": {
+ "value": "[parameters('accountSasProperties')]"
+ },
+ "roleAssignments": {
+ "value": "[parameters('roleAssignments')]"
+ },
+ "builtInRoleNames": {
+ "value": "[parameters('builtInRoleNames')]"
+ },
+ "backupVaultName": {
+ "value": "[parameters('backupVaultName')]"
+ },
+ "backupVaultResourceGroup": {
+ "value": "[parameters('backupVaultResourceGroup')]"
+ },
+ "backupPolicyName": {
+ "value": "[parameters('backupPolicyName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "vmLoopIndex": {
+ "type": "int"
+ },
+ "vmComputerNames": {
+ "type": "object"
+ },
+ "vmComputerNamesTransformation": {
+ "type": "string"
+ },
+ "useAvailabilityZone": {
+ "type": "bool"
+ },
+ "availabilityZone": {
+ "type": "string"
+ },
+ "plan": {
+ "type": "object"
+ },
+ "nicConfigurations": {
+ "type": "array"
+ },
+ "lockForDeletion": {
+ "type": "bool"
+ },
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string"
+ },
+ "workspaceId": {
+ "type": "string"
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int"
+ },
+ "vmSize": {
+ "type": "string"
+ },
+ "imageReference": {
+ "type": "object"
+ },
+ "osDisk": {
+ "type": "object"
+ },
+ "dataDisks": {
+ "type": "array"
+ },
+ "enableServerSideEncryption": {
+ "type": "bool"
+ },
+ "ultraSSDEnabled": {
+ "type": "bool"
+ },
+ "adminUsername": {
+ "type": "securestring"
+ },
+ "adminPassword": {
+ "type": "securestring"
+ },
+ "customData": {
+ "type": "string"
+ },
+ "windowsConfiguration": {
+ "type": "object"
+ },
+ "linuxConfiguration": {
+ "type": "object"
+ },
+ "certificatesToBeInstalled": {
+ "type": "array"
+ },
+ "allowExtensionOperations": {
+ "type": "bool"
+ },
+ "bootDiagnosticStorageAccountName": {
+ "type": "string"
+ },
+ "bootDiagnosticStorageAccountUri": {
+ "type": "string"
+ },
+ "avSetNames": {
+ "type": "array"
+ },
+ "maxNumberOfVmsPerAvSet": {
+ "type": "int"
+ },
+ "maxNumberOfVmsPerDeployment": {
+ "type": "int"
+ },
+ "bulkVMdeploymentLoopIndex": {
+ "type": "int"
+ },
+ "proximityPlacementGroupName": {
+ "type": "string"
+ },
+ "vmPriority": {
+ "type": "string"
+ },
+ "enableEvictionPolicy": {
+ "type": "bool"
+ },
+ "dedicatedHostId": {
+ "type": "string"
+ },
+ "licenseType": {
+ "type": "string"
+ },
+ "domainName": {
+ "type": "string"
+ },
+ "domainJoinUser": {
+ "type": "string"
+ },
+ "domainJoinOU": {
+ "type": "string"
+ },
+ "domainJoinRestart": {
+ "type": "bool"
+ },
+ "domainJoinOptions": {
+ "type": "int"
+ },
+ "domainJoinPassword": {
+ "type": "securestring"
+ },
+ "enableMicrosoftAntiMalware": {
+ "type": "bool"
+ },
+ "microsoftAntiMalwareSettings": {
+ "type": "object"
+ },
+ "enableWindowsMMAAgent": {
+ "type": "bool"
+ },
+ "enableLinuxMMAAgent": {
+ "type": "bool"
+ },
+ "enableWindowsDiskEncryption": {
+ "type": "bool"
+ },
+ "forceUpdateTag": {
+ "type": "string"
+ },
+ "keyVaultUri": {
+ "type": "string"
+ },
+ "keyVaultId": {
+ "type": "string"
+ },
+ "keyEncryptionKeyURL": {
+ "type": "string"
+ },
+ "diskKeyEncryptionAlgorithm": {
+ "type": "string"
+ },
+ "diskEncryptionVolumeType": {
+ "type": "string"
+ },
+ "resizeOSDisk": {
+ "type": "bool"
+ },
+ "enableLinuxDiskEncryption": {
+ "type": "bool"
+ },
+ "enableWindowsDependencyAgent": {
+ "type": "bool"
+ },
+ "enableLinuxDependencyAgent": {
+ "type": "bool"
+ },
+ "enableNetworkWatcherWindows": {
+ "type": "bool"
+ },
+ "enableNetworkWatcherLinux": {
+ "type": "bool"
+ },
+ "identity": {
+ "type": "object"
+ },
+ "dscConfiguration": {
+ "type": "object"
+ },
+ "windowsScriptExtensionFileData": {
+ "type": "array"
+ },
+ "windowsScriptExtensionCommandToExecute": {
+ "type": "securestring"
+ },
+ "cseStorageAccountName": {
+ "type": "string"
+ },
+ "cseStorageAccountKey": {
+ "type": "string"
+ },
+ "cseManagedIdentity": {
+ "type": "object"
+ },
+ "maxPriceForLowPriorityVm": {
+ "type": "securestring"
+ },
+ "accountSasProperties": {
+ "type": "object"
+ },
+ "roleAssignments": {
+ "type": "array"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "backupVaultName": {
+ "type": "string"
+ },
+ "backupVaultResourceGroup": {
+ "type": "string"
+ },
+ "backupPolicyName": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vmComputerName": "[if(contains(parameters('vmComputerNames'), parameters('vmName')), parameters('vmComputerNames')[parameters('vmName')], parameters('vmName') )]",
+ "vmComputerNameTransformed": "[if(equals(parameters('vmComputerNamesTransformation'), 'uppercase'), toUpper(variables('vmComputerName')), if(equals(parameters('vmComputerNamesTransformation'), 'lowercase'), toLower(variables('vmComputerName')), variables('vmComputerName')))]",
+ "availabilitySetName": "[if(not(empty(parameters('avSetNames'))), parameters('avSetNames')[div(add(parameters('vmLoopIndex'),mul(parameters('maxNumberOfVmsPerDeployment'),parameters('bulkVMdeploymentLoopIndex'))),parameters('maxNumberOfVmsPerAvSet'))], '')]",
+ "nicName": "[if(equals(length(parameters('nicConfigurations')),1), concat(parameters('vmName'), parameters('nicConfigurations')[0].nicSuffix), json('[]'))]",
+ "dnsServersValues": {
+ "dnsServers": "[if(equals(length(parameters('nicConfigurations')),1), if(contains(parameters('nicConfigurations')[0], 'dnsServers'), parameters('nicConfigurations')[0].dnsServers, json('[]')), json('[]'))]"
+ }
+ },
+ // Network Interfaces, PIP, Virtual Machine + Extensions, WindowsCustomScriptExtension, backup, rbac
+ "resources": [
+ // // Single Network Interface
+ // Deployment PIP
+ {
+ "name": "[if(equals(length(parameters('nicConfigurations')),1), concat(parameters('vmName'), parameters('nicConfigurations')[0].nicSuffix, '-', parameters('nicConfigurations')[0].ipConfigurations[copyIndex('vmNicPipConfigLoop')].name , '-vmNicPipConfigLoop'),'dummyVmNicPipConfigLoop')]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[and(equals(length(parameters('nicConfigurations')),1), not(empty(parameters('nicConfigurations')[0].ipConfigurations)), contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('vmNicPipConfigLoop')], 'enablePublicIP'), parameters('nicConfigurations')[0].ipConfigurations[copyIndex('vmNicPipConfigLoop')].enablePublicIP)]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "vmNicPipConfigLoop",
+ "count": "[if(equals(length(parameters('nicConfigurations')),1), length(parameters('nicConfigurations')[0].ipConfigurations),0)]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "ipConfiguration": {
+ "value": "[parameters('nicConfigurations')[0].ipConfigurations[copyIndex('vmNicPipConfigLoop')]]"
+ },
+ "lockForDeletion": {
+ "value": "[parameters('lockForDeletion')]"
+ },
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "[parameters('diagnosticStorageAccountId')]"
+ },
+ "workspaceId": {
+ "value": "[parameters('workspaceId')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[parameters('diagnosticsMetrics')]"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "ipConfiguration": {
+ "type": "object"
+ },
+ "lockForDeletion": {
+ "type": "bool"
+ },
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string"
+ },
+ "workspaceId": {
+ "type": "string"
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int"
+ }
+ },
+ "variables": {
+ "pipName": "[if(contains(parameters('ipConfiguration'), 'publicIpNameSuffix'), concat(parameters('vmName'), parameters('ipConfiguration').publicIpNameSuffix), 'dummyPipName')]",
+ "pipDiagnosticsLogs": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ]
+ },
+ "resources": [
+ // Network Interfaces Object PIP
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-08-01",
+ "name": "[variables('pipName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "condition": "[and(contains(parameters('ipConfiguration') , 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP)]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPPrefix": "[if(contains(parameters('ipConfiguration') , 'publicIPPrefixId'), if(not(empty(parameters('ipConfiguration').publicIPPrefixId)), json(concat('{\"id\": \"', parameters('ipConfiguration').publicIPPrefixId, '\"}')), json('null')), json('null'))]"
+ },
+ "zones": "[json('null')]",
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[and(and(contains(parameters('ipConfiguration'), 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP),parameters('lockForDeletion'))]",
+ "name": "Microsoft.Authorization/publicIpDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('pipName'))]"
+ ],
+ "comments": "Resource lock on Public IP",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "condition": "[and(and(contains(parameters('ipConfiguration'), 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP), or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName')))))]",
+ "name": "[concat(variables('pipName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('pipName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), parameters('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('pipDiagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ // Network Interface
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-08-01",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "condition": "[and(equals(length(parameters('nicConfigurations')),1), not(empty(parameters('nicConfigurations')[0].ipConfigurations)))]",
+ "name": "[if(equals(length(parameters('nicConfigurations')),1), variables('nicName'),'dummyVmNic')]",
+ "dependsOn": [
+ "vmNicPipConfigLoop"
+ ],
+ "properties": {
+ "enableIPForwarding": "[if(contains(parameters('nicConfigurations')[0], 'enableIPForwarding'), parameters('nicConfigurations')[0].enableIPForwarding, 'false')]",
+ "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[0], 'enableAcceleratedNetworking'), parameters('nicConfigurations')[0].enableAcceleratedNetworking, 'false')]",
+ "dnsSettings": "[if(contains(parameters('nicConfigurations')[0], 'dnsServers'), if(empty(parameters('nicConfigurations')[0].dnsServers), json('null'), variables('dnsServersValues')), json('null'))]",
+ "copy": [
+ {
+ "name": "ipConfigurations",
+ "count": "[if(contains(parameters('nicConfigurations')[0], 'ipConfigurations'), length(parameters('nicConfigurations')[0].ipConfigurations),0)]",
+ "input": {
+ "name": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'name'), parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].name, concat('ipconfig', copyIndex('ipConfigurations', 1)))]",
+ "properties": {
+ "primary": "[if(equals(copyIndex('ipConfigurations'), 0), 'true', 'false')]",
+ "privateIPAllocationMethod": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'vmIPAddress'), if(empty(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress), 'Dynamic', 'Static'), 'Dynamic')]",
+ "publicIPAddress": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'enablePublicIP'), if(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].enablePublicIP, json(concat('{\"id\":\"', resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].publicIpNameSuffix)),'\"}')), json('null')), json('null'))]",
+ "privateIPAddress": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'vmIPAddress'), if(empty(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress), json('null'), iacs.nextIP(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress, parameters('vmLoopIndex'))), json('null'))]",
+ "subnet": {
+ "id": "[parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].subnetId]"
+ },
+ "loadBalancerBackendAddressPools": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'loadBalancerBackendAddressPools'), parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].loadBalancerBackendAddressPools, '')]",
+ "applicationSecurityGroups": "[if(contains(parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')], 'applicationSecurityGroups'), parameters('nicConfigurations')[0].ipConfigurations[copyIndex('ipConfigurations')].applicationSecurityGroups, '')]"
+ }
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/networkInterfaceDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/networkInterfaces/', if(equals(length(parameters('nicConfigurations')),1), variables('nicName'),'dummyVmNic'))]"
+ ],
+ "comments": "Resource lock on Network Interface",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "name": "[concat(if(equals(length(parameters('nicConfigurations')),1), variables('nicName'),'dummyVmNic'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/networkInterfaces/', if(equals(length(parameters('nicConfigurations')),1), variables('nicName'),'dummyVmNic'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), parameters('diagnosticsMetrics'))]"
+ }
+ }
+ ]
+ },
+ // // Multiple Network Interfaces
+ // Deployment Nic Loop
+ {
+ "name": "[if(greater(length(parameters('nicConfigurations')),1), concat(parameters('vmName'), parameters('nicConfigurations')[copyIndex('vmNicDeployInnerLoop')].nicSuffix, '-vmNicDeployInnerLoop'), 'dummyVmNicDeployInnerLoop')]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[greater(length(parameters('nicConfigurations')),1)]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "vmNicDeployInnerLoop",
+ "count": "[length(parameters('nicConfigurations'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "vmLoopIndex": {
+ "value": "[parameters('vmLoopIndex')]"
+ },
+ "nicConfiguration": {
+ "value": "[parameters('nicConfigurations')[copyIndex('vmNicDeployInnerLoop')]]"
+ },
+ "lockForDeletion": {
+ "value": "[parameters('lockForDeletion')]"
+ },
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "[parameters('diagnosticStorageAccountId')]"
+ },
+ "workspaceId": {
+ "value": "[parameters('workspaceId')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[parameters('diagnosticsMetrics')]"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "vmLoopIndex": {
+ "type": "int"
+ },
+ "nicConfiguration": {
+ "type": "object"
+ },
+ "lockForDeletion": {
+ "type": "bool"
+ },
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string"
+ },
+ "workspaceId": {
+ "type": "string"
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "diagnosticsMetrics": {
+ "type": "array"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int"
+ }
+ },
+ "variables": {
+ "nicName": "[concat(parameters('vmName'), parameters('nicConfiguration').nicSuffix)]",
+ "dnsServersValues": {
+ "dnsServers": "[if(contains(parameters('nicConfiguration'), 'dnsServers'), parameters('nicConfiguration').dnsServers, json('[]'))]"
+ }
+ },
+ // Network Interfaces, PIP
+ "resources": [
+ // Deployment PIP Loop
+ {
+ "name": "[concat(parameters('vmName'), parameters('nicConfiguration').nicSuffix, '-', parameters('nicConfiguration').ipConfigurations[copyIndex('vmNicPipConfigLoop')].name, '-vmNicPipConfigLoop')]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[and(not(empty(parameters('nicConfiguration').ipConfigurations)), contains(parameters('nicConfiguration').ipConfigurations[copyIndex('vmNicPipConfigLoop')], 'enablePublicIP'), parameters('nicConfiguration').ipConfigurations[copyIndex('vmNicPipConfigLoop')].enablePublicIP)]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "vmNicPipConfigLoop",
+ "count": "[length(parameters('nicConfiguration').ipConfigurations)]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "ipConfiguration": {
+ "value": "[parameters('nicConfiguration').ipConfigurations[copyIndex('vmNicPipConfigLoop')]]"
+ },
+ "lockForDeletion": {
+ "value": "[parameters('lockForDeletion')]"
+ },
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "[parameters('diagnosticStorageAccountId')]"
+ },
+ "workspaceId": {
+ "value": "[parameters('workspaceId')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "diagnosticsMetrics": {
+ "value": "[parameters('diagnosticsMetrics')]"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "vmName": {
+
"type": "string" + }, + "ipConfiguration": { + "type": "object" + }, + "lockForDeletion": { + "type": "bool" + }, + "diagnosticSettingName": { + "type": "string" + }, + "diagnosticStorageAccountId": { + "type": "string" + }, + "workspaceId": { + "type": "string" + }, + "eventHubAuthorizationRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "diagnosticsMetrics": { + "type": "array" + }, + "diagnosticLogsRetentionInDays": { + "type": "int" + } + }, + "variables": { + "pipName": "[if(contains(parameters('ipConfiguration'), 'publicIpNameSuffix'), concat(parameters('vmName'), parameters('ipConfiguration').publicIpNameSuffix), 'dummyPipName')]", + "pipDiagnosticsLogs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + // PIP + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('pipName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "condition": "[and(contains(parameters('ipConfiguration') , 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP)]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPPrefix": "[if(contains(parameters('ipConfiguration') , 'publicIPPrefixId'), if(not(empty(parameters('ipConfiguration').publicIPPrefixId)), json(concat('{\"id\": \"', parameters('ipConfiguration').publicIPPrefixId, '\"}')), json('null')), json('null'))]" + }, + "zones": "[json('null')]", + "resources": [ + // 
PIP locks + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[and(and(contains(parameters('ipConfiguration'), 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP),parameters('lockForDeletion'))]", + "name": "Microsoft.Authorization/publicIpDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('pipName'))]" + ], + "comments": "Resource lock on Public IP", + "properties": { + "level": "CannotDelete" + } + }, + // PIP diagnostic settings + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "condition": "[and(and(contains(parameters('ipConfiguration'), 'enablePublicIP'), parameters('ipConfiguration').enablePublicIP), or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName')))))]", + "name": "[concat(variables('pipName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('pipName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), parameters('diagnosticsMetrics'))]", + "logs": 
"[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('pipDiagnosticsLogs'))]" + } + } + ] + } + ] + } + } + }, + // Network Interfaces + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + "vmNicPipConfigLoop" + ], + "name": "[variables('nicName')]", + "properties": { + "enableIPForwarding": "[if(contains(parameters('nicConfiguration'), 'enableIPForwarding'), parameters('nicConfiguration').enableIPForwarding, 'false')]", + "enableAcceleratedNetworking": "[if(contains(parameters('nicConfiguration'), 'enableAcceleratedNetworking'), parameters('nicConfiguration').enableAcceleratedNetworking, 'false')]", + "dnsSettings": "[if(contains(parameters('nicConfiguration'), 'dnsServers'), if(empty(parameters('nicConfiguration').dnsServers), json('null'), variables('dnsServersValues')), json('null'))]", + "copy": [ + { + "name": "ipConfigurations", + "count": "[length(parameters('nicConfiguration').ipConfigurations)]", + "input": { + "name": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'name'), parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].name, concat('ipconfig', copyIndex('ipConfigurations', 1)))]", + "properties": { + "primary": "[if(equals(copyIndex('ipConfigurations'), 0), 'true', 'false')]", + "privateIPAllocationMethod": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'vmIPAddress'), if(empty(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress), 'Dynamic', 'Static'), 'Dynamic')]", + "publicIPAddress": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'enablePublicIP'), 
if(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].enablePublicIP, json(concat('{\"id\":\"', resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].publicIpNameSuffix)),'\"}')), json('null')), json('null'))]", + "privateIPAddress": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'vmIPAddress'), if(empty(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress), json('null'), iacs.nextIP(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].vmIPAddress, parameters('vmLoopIndex'))), json('null'))]", + "subnet": { + "id": "[parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].subnetId]" + }, + "loadBalancerBackendAddressPools": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'loadBalancerBackendAddressPools'), parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].loadBalancerBackendAddressPools, '')]", + "applicationSecurityGroups": "[if(contains(parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')], 'applicationSecurityGroups'), parameters('nicConfiguration').ipConfigurations[copyIndex('ipConfigurations')].applicationSecurityGroups, '')]" + } + } + } + ] + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/networkInterfaceDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]" + ], + "comments": "Resource lock on Network Interface", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + 
"tags": "[parameters('tags')]", + "name": "[concat(variables('nicName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), parameters('diagnosticsMetrics'))]" + } + } + ] + } + ], + "functions": [ + { + "namespace": "iacs", + "members": { + "nextIP": { + "parameters": [ + { + "name": "ip", + "type": "string" + }, + { + "name": "operand", + "type": "int" + } + ], + "output": { + "type": "string", + "value": "[concat(split(parameters('ip'), '.')[0], '.' ,split(parameters('ip'), '.')[1], '.' 
,split(parameters('ip'), '.')[2], '.', add(int(split(parameters('ip'), '.')[3]), parameters('operand')))]" + } + } + } + } + ] + } + } + }, + // Virtual Machine + Extensions + { + "name": "[parameters('vmName')]", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[if(greater(length(parameters('nicConfigurations')),1), 'vmNicDeployInnerLoop', variables('nicName') )]" + ], + "location": "[parameters('location')]", + "identity": "[parameters('identity')]", + "tags": "[parameters('tags')]", + "zones": "[if(parameters('useAvailabilityZone'), array(parameters('availabilityZone')), json('null'))]", + "plan": "[if(empty(parameters('plan')), json('null'),parameters('plan'))]", + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "storageProfile": { + "imageReference": "[parameters('imageReference')]", + "osDisk": { + "name": "[concat(parameters('vmName'), '-disk-os-01')]", + "createOption": "[parameters('osDisk').createOption]", + "diskSizeGB": "[parameters('osDisk').diskSizeGB]", + "managedDisk": { + "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]" + } + }, + "copy": [ + { + "name": "dataDisks", + "count": "[length(parameters('dataDisks'))]", + "input": { + "lun": "[copyIndex('dataDisks')]", + "name": "[concat(parameters('vmName'), '-disk-data-', padLeft(copyIndex('dataDisks',1),2,'0'))]", + "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", + "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]", + "caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]", + "managedDisk": { + "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", + "diskEncryptionSet": { + "id": "[if(parameters('enableServerSideEncryption'), parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id, json('null'))]" + } + } + } + } + ] + }, + 
"additionalCapabilities": { + "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]" + }, + "osProfile": { + "computerName": "[variables('vmComputerNameTransformed')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "customData": "[if(empty(parameters('customData')), json('null'), base64(parameters('customData')))]", + "windowsConfiguration": "[if(empty(parameters('windowsConfiguration')), json('null'),parameters('windowsConfiguration'))]", + "linuxConfiguration": "[if(empty(parameters('linuxConfiguration')), json('null'),parameters('linuxConfiguration'))]", + "secrets": "[parameters('certificatesToBeInstalled')]", + "allowExtensionOperations": "[parameters('allowExtensionOperations')]" + //"requireGuestProvisionSignal": "[parameters('requireGuestProvisionSignal')]" + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaces", + "count": "[length(parameters('nicConfigurations'))]", + "input": { + "properties": { + "primary": "[if(equals(copyIndex('networkInterfaces'), 0), 'true', 'false')]" + }, + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), parameters('nicConfigurations')[copyIndex('networkInterfaces')].nicSuffix))]" + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "[not(empty(parameters('bootDiagnosticStorageAccountName')))]", + "storageUri": "[if(empty(parameters('bootDiagnosticStorageAccountName')), json('null'), concat('https://', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')))]" + } + }, + "availabilitySet": "[if(not(empty(variables('availabilitySetName'))), json(concat('{\"id\":\"', resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName')),'\"}')), json('null'))]", + "proximityPlacementGroup": "[if(empty(parameters('proximityPlacementGroupName')), json('null'), json(concat('{\"id\":\"', resourceId('Microsoft.Compute/proximityPlacementGroups', 
parameters('proximityPlacementGroupName')),'\"}')))]", + "priority": "[parameters('vmPriority')]", + "evictionPolicy": "[if(parameters('enableEvictionPolicy'), 'Deallocate', json('null'))]", + "billingProfile": "[if(and(not(empty(parameters('vmPriority'))),not(empty(parameters('maxPriceForLowPriorityVm')))), json(concat('{\"maxPrice\":\"',parameters('maxPriceForLowPriorityVm'),'\"}')), json('null'))]", + "host": "[if(not(empty(parameters('dedicatedHostId'))), json(concat('{\"id\":\"',parameters('dedicatedHostId'),'\"}')), json('null'))]", + "licenseType": "[if(empty(parameters('licenseType')), json('null'),parameters('licenseType'))]" + }, + "resources": [ + // VM locks + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/vmDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + ], + "comments": "Resource lock on Azure Virtual Machines", + "properties": { + "level": "CannotDelete" + } + }, + // VM DomainJoin extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'),'/DomainJoin')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[not(empty(parameters('domainName')))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Compute", + "type": "JsonADDomainExtension", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": { + "Name": "[parameters('domainName')]", + "User": "[parameters('domainJoinUser')]", + "OUPath": "[parameters('domainJoinOU')]", + "Restart": "[parameters('domainJoinRestart')]", + "Options": "[parameters('domainJoinOptions')]" + }, + "protectedSettings": { + "Password": "[parameters('domainJoinPassword')]" + } + } + }, + // VM MicrosoftAntiMalware extension + { + "type": 
"Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/MicrosoftAntiMalware')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableMicrosoftAntiMalware')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'DomainJoin')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "IaaSAntimalware", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": "[parameters('microsoftAntiMalwareSettings')]" + } + }, + // VM WindowsMMAAgent extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/WindowsMMAAgent')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsMMAAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'MicrosoftAntiMalware')]" + ], + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "MicrosoftMonitoringAgent", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "settings": { + "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" + }, + "protectedSettings": { + "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" + } + } + }, + // VM LinuxMMAAgent extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/LinuxMMAAgent')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableLinuxMMAAgent')]", + "dependsOn": [ + 
"[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'WindowsMMAAgent')]" + ], + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "OmsAgentForLinux", + "typeHandlerVersion": "1.7", + "autoUpgradeMinorVersion": true, + "settings": { + "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" + }, + "protectedSettings": { + "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" + } + } + }, + // VM WindowsDiskEncryption extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/WindowsDiskEncryption')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsDiskEncryption')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'LinuxMMAAgent')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "AzureDiskEncryption", + "typeHandlerVersion": "2.2", + "autoUpgradeMinorVersion": true, + "forceUpdateTag": "[parameters('forceUpdateTag')]", + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "[parameters('keyVaultUri')]", + "KeyVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", + "KekVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", + "VolumeType": "[parameters('diskEncryptionVolumeType')]", + "ResizeOSDisk": "[parameters('resizeOSDisk')]" + } + } + }, + // VM LinuxDiskEncryption extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": 
"[concat(parameters('vmName'), '/LinuxDiskEncryption')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableLinuxDiskEncryption')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'WindowsDiskEncryption')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Security", + "type": "AzureDiskEncryptionForLinux", + "typeHandlerVersion": "1.1", + "autoUpgradeMinorVersion": true, + "forceUpdateTag": "[parameters('forceUpdateTag')]", + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "[parameters('keyVaultUri')]", + "KeyVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", + "KekVaultResourceId": "[parameters('keyVaultId')]", + "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", + "VolumeType": "[parameters('diskEncryptionVolumeType')]" + } + } + }, + // VM DependencyAgentWindows extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2019-07-01", + "name": "[concat(parameters('vmName'), '/DependencyAgentWindows')]", + "location": "[parameters('location')]", + "condition": "[parameters('enableWindowsDependencyAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'LinuxDiskEncryption')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + } + }, + // VM DependencyAgentLinux extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2019-07-01", + "name": "[concat(parameters('vmName'), '/DependencyAgentLinux')]", + "location": "[parameters('location')]", + 
"condition": "[parameters('enableLinuxDependencyAgent')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'DependencyAgentWindows')]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentLinux", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true + } + }, + // VM NetworkWatcherAgentWindows extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/NetworkWatcherAgentWindows')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableNetworkWatcherWindows')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'DependencyAgentLinux')]" + ], + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentWindows", + "typeHandlerVersion": "1.4", + "autoUpgradeMinorVersion": true, + "settings": { + } + } + }, + // VM NetworkWatcherAgentLinux extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/NetworkWatcherAgentLinux')]", + "apiVersion": "2019-07-01", + "location": "[parameters('location')]", + "condition": "[parameters('enableNetworkWatcherLinux')]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'NetworkWatcherAgentWindows')]" + ], + "properties": { + "publisher": "Microsoft.Azure.NetworkWatcher", + "type": "NetworkWatcherAgentLinux", + "typeHandlerVersion": "1.4", + "autoUpgradeMinorVersion": true, + "settings": { + } + } + }, + // VM windowsDsc extension + { + "type": "Microsoft.Compute/virtualMachines/extensions", + 
"name": "[concat(parameters('vmName'), '/windowsDsc')]", + "apiVersion": "2018-10-01", + "location": "[parameters('location')]", + "condition": "[not(empty(parameters('dscConfiguration')))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'NetworkWatcherAgentLinux')]" + ], + "properties": { + "publisher": "Microsoft.Powershell", + "type": "DSC", + "typeHandlerVersion": "2.77", + "autoUpgradeMinorVersion": true, + "settings": "[parameters('dscConfiguration').settings]", + "protectedSettings": "[if( contains(parameters('dscConfiguration'), 'protectedSettings'), parameters('dscConfiguration').protectedSettings, json('null') )]" + } + } + ] + }, + // This WindowsCustomScriptExtension has to be a top level resource, as the 'fileUris' property copy loop only works if this extension is not a nested resource within the VM. + { + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/WindowsCustomScriptExtension')]", + "location": "[parameters('location')]", + "condition": "[and(not(empty(parameters('windowsScriptExtensionFileData'))),not(empty(parameters('windowsScriptExtensionCommandToExecute'))))]", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'windowsDsc')]" + ], + "properties": { + "publisher": "Microsoft.Compute", + "type": "CustomScriptExtension", + "typeHandlerVersion": "1.9", + "autoUpgradeMinorVersion": true, + "settings": { + "copy": [ + { + "name": "fileUris", + "count": "[length(parameters('windowsScriptExtensionFileData'))]", + "input": "[concat(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].uri,if(contains(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')], 
'storageAccountId'),concat('?',listAccountSas(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].storageAccountId, '2019-04-01', parameters('accountSasProperties')).accountSasToken) , '' ))]" + } + ] + }, + "protectedSettings": { + "commandToExecute": "[parameters('windowsScriptExtensionCommandToExecute')]", + "storageAccountName": "[if(not(empty(parameters('cseStorageAccountName'))), parameters('cseStorageAccountName'), json('null'))]", + "storageAccountKey": "[if(not(empty(parameters('cseStorageAccountKey'))), parameters('cseStorageAccountKey'), json('null'))]", + "managedIdentity": "[if(not(empty(parameters('cseManagedIdentity'))), parameters('cseManagedIdentity'), json('null'))]" + } + } + }, + // Deployment VM Backup + { + "name": "[concat('add-', parameters('vmName'), '-ToBackup')]", + "condition": "[not(empty(parameters('backupVaultName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'WindowsCustomScriptExtension')]", + "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), 'NetworkWatcherAgentLinux')]" + ], + "resourceGroup": "[parameters('backupVaultResourceGroup')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + // VM Backup + { + "apiVersion": "2016-12-01", + "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", + "name": "[concat(parameters('backupVaultName'), '/Azure/iaasvmcontainer;iaasvmcontainerv2;', resourceGroup().name, ';', parameters('vmName'), '/vm;iaasvmcontainerv2;', resourceGroup().name, ';', parameters('vmName'))]", + "properties": { + "protectedItemType": "Microsoft.Compute/virtualMachines", + "policyId": 
"[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('backupVaultName'), parameters('backupPolicyName'))]", + "sourceResourceId": "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + } + } + ] + } + } + }, + // Deployment VM RBAC + { + "name": "[concat('rbac-', parameters('vmName'), '-', copyIndex('rbacDeplCopy'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('vmName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "vmName": { + "type": "string" + } + }, + "resources": [ + // VM RBAC + { + "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('vmName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('vmName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), 
parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + { + "namespace": "iacs", + "members": { + "nextIP": { + "parameters": [ + { + "name": "ip", + "type": "string" + }, + { + "name": "operand", + "type": "int" + } + ], + "output": { + "type": "string", + "value": "[concat(split(parameters('ip'), '.')[0], '.' ,split(parameters('ip'), '.')[1], '.' ,split(parameters('ip'), '.')[2], '.', add(int(split(parameters('ip'), '.')[3]), parameters('operand')))]" + } + } + } + } + ] + } + } + } + ], + "outputs": { + "deploymentOutput": { + "type": "array", + "value": "[parameters('vmNames')]", + "metadata": { + "description": "VM deployment outputs" + } + } + } + } + } + } + ], + "functions": [ + ], + "outputs": { + "virtualMachinesResourceId": { + "type": "array", + "copy": { + "count": "[length(variables('vmNames'))]", + "input": "[resourceId('Microsoft.Compute/virtualMachines', variables('vmNames')[copyIndex()])]" + }, + "metadata": { + "description": "The Resource Id(s) of the VM(s)." + } + }, + "virtualMachinesResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the VM(s) was/were created in." + } + }, + "virtualMachinesName": { + "type": "array", + "value": "[variables('vmNames')]", + "metadata": { + "description": "The Names of the VMs." + } + }, + "deploymentCount": { + "type": "int", + "value": "[if(equals(mod(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment')), 0), div(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment') ), add(div(length(variables('vmNames')), parameters('maxNumberOfVmsPerDeployment') ),1))]", + "metadata": { + "description": "The number of VM deployments." + } + } + } +} \ No newline at end of file 
diff --git a/arm/Microsoft.Compute/virtualMachines/parameters/parameters.json b/arm/Microsoft.Compute/virtualMachines/parameters/parameters.json
new file mode 100644
index 0000000000..ec345f2a28
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachines/parameters/parameters.json
@@ -0,0 +1,87 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmNamePrefix": {
+ "value": "iacs"
+ },
+ "vmNumberOfInstances": {
+ "value": 2
+ },
+ "vmInitialNumber": {
+ "value": 0
+ },
+ // "managedServiceIdentity": {
+ // "value": "SystemAssigned"
+ // },
+ "imageReference": {
+ "value": {
+ "publisher": "MicrosoftWindowsServer",
+ "offer": "WindowsServer",
+ "sku": "2016-Datacenter",
+ "version": "latest"
+ }
+ },
+ "osDisk": {
+ "value": {
+ "createOption": "fromImage",
+ "diskSizeGB": "128",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ },
+ "adminUsername": {
+ "value": "localAdminUser"
+ },
+ "adminPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "adminPassword"
+ }
+ },
+ "nicConfigurations": {
+ "value": [
+ {
+ "nicSuffix": "-nic-01",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-001",
+ // "enablePublicIP": true,
+ // "publicIpNameSuffix": "-pip-01"
+ }
+ ]
+ }
+ ]
+ }
+ // "diagnosticSettingName": {
+ // "value": "testsetting"
+ // },
+ // "workspaceId": {
+ // "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ // },
+ // "diagnosticStorageAccountId": {
+ // "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ // },
+ // "enableWindowsMMAAgent": {
+ // "value": true
+ // },
+ // "bootDiagnosticStorageAccountName": {
+ // "value": "sxxazsaweux003"
+ // }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Compute/virtualMachines/readme.md b/arm/Microsoft.Compute/virtualMachines/readme.md
new file mode 100644
index 0000000000..18c73a6e45
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachines/readme.md
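Review bot: The `adminPassword` Key Vault reference, the `subnetId` and the commented-out diagnostic IDs in this parameters file all embed what looks like a real subscription GUID together with real vault, vnet and storage account names; a shared sample file should carry placeholders instead, e.g. `"id": "/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.KeyVault/vaults/<vaultName>"`. Commenting out `enablePublicIP` and `publicIpNameSuffix` also left a trailing comma after the `subnetId` value, which together with the `//` comments makes the file fail in any strict JSON parser; drop the comma and confirm every consumer of this file tolerates comments. `"version": "latest"` on the image reference lets a redeployment pick up a different image than the one that was tested, so pin a version where reproducibility matters.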
@@ -0,0 +1,474 @@ +# Virtual Machines + +This module deploys one or multiple Virtual Machines. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +| `Microsoft.Compute/availabilitySets` | 2020-12-01 | +| `Microsoft.Compute/proximityPlacementGroups` | 2020-12-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `adminPassword` | securestring | | | Required. When specifying a Windows Virtual Machine, this value should be passed | +| `adminUsername` | securestring | | | Required. Administrator username | +| `allowExtensionOperations` | bool | True | | Optional. Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | +| `availabilitySetFaultDomain` | int | 2 | | Optional. The number of fault domains to use. | +| `availabilitySetName` | string | | | Optional. Creates an availability set with the given name and adds the VMs to it. Cannot be used in combination with availability zone nor scale set. | +| `availabilitySetNames` | array | System.Object[] | | Optional. Name(s) of the availability set(s). If no explicit names are provided, availability set name(s) will be generated based on the availabilitySetName, vmNumberOfInstances and maxNumberOfVmsPerAvSet parameters. | +| `availabilitySetSku` | string | Aligned | | Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks. | +| `availabilitySetUpdateDomain` | int | 5 | | Optional. The number of update domains to use. | +| `availabilityZone` | int | 0 | System.Object[] | Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then the automatic algorithm will be used to give every VM in a different zone (up to three zones). 
Cannot be used in combination with availability set nor scale set. | +| `backupPolicyName` | string | DefaultPolicy | | Optional. Backup policy the VMs should be using for backup. | +| `backupVaultName` | string | | | Optional. Recovery service vault name to add VMs to backup. | +| `backupVaultResourceGroup` | string | | | Optional. Resource group of the backup recovery service vault. | +| `baseTime` | string | [utcNow('u')] | | Generated. Do not provide a value! This date value is used to generate a registration token. | +| `bootDiagnosticStorageAccountName` | string | | | Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | +| `bootDiagnosticStorageAccountUri` | string | .blob.core.windows.net/ | | Optional. Storage account boot diagnostic base URI. | +| `certificatesToBeInstalled` | array | System.Object[] | | Optional. Specifies set of certificates that should be installed onto the virtual machine. | +| `cseManagedIdentity` | object | | | Optional. A managed identity to use for the CSE. | +| `cseStorageAccountKey` | string | | | Optional. The storage key of the storage account to access for the CSE script(s). | +| `cseStorageAccountName` | string | | | Optional. The name of the storage account to access for the CSE script(s). | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customData` | string | | | Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | +| `dataDisks` | array | System.Object[] | | Optional. Specifies the data disks. | +| `dedicatedHostId` | string | | | Optional. Specifies resource Id about the dedicated host that the virtual machine resides in. | +| `diagnosticLogsRetentionInDays` | int | 365 | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. 
| +| `diagnosticSettingName` | string | service | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `diskEncryptionVolumeType` | string | All | System.Object[] | Optional. Type of the volume OS or Data to perform encryption operation | +| `diskKeyEncryptionAlgorithm` | string | RSA-OAEP | System.Object[] | Optional. Specifies disk key encryption algorithm. | +| `domainJoinOptions` | int | 3 | | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | +| `domainJoinOU` | string | | | Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com" | +| `domainJoinPassword` | securestring | | | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter | +| `domainJoinRestart` | bool | False | | Optional. Controls the restart of vm after executing domain join | +| `domainJoinUser` | string | | | Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN | +| `domainName` | string | | | Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only | +| `dscConfiguration` | object | | | Optional. The DSC configuration object | +| `enableEvictionPolicy` | bool | False | | Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| `enableLinuxDependencyAgent` | bool | False | | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. 
Requires LinuxMMAAgent to be enabled. | +| `enableLinuxDiskEncryption` | bool | False | | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableLinuxMMAAgent` | bool | False | | Optional. Specifies if MMA agent for Linux VM should be enabled. | +| `enableMicrosoftAntiMalware` | bool | False | | Optional. Enables Microsoft Windows Defender AV. | +| `enableNetworkWatcherLinux` | bool | False | | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | +| `enableNetworkWatcherWindows` | bool | False | | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | +| `enableServerSideEncryption` | bool | False | | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | +| `enableWindowsDependencyAgent` | bool | False | | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled. | +| `enableWindowsDiskEncryption` | bool | False | | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableWindowsMMAAgent` | bool | False | | Optional. Specifies if MMA agent for Windows VM should be enabled. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `forceUpdateTag` | string | 1.0 | | Optional. Pass in an unique value like a GUID everytime the operation needs to be force run | +| `imageReference` | object | | | Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. 
In case of custom images it's the resource ID of the custom image. | +| `keyEncryptionKeyURL` | string | | | Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key | +| `keyVaultId` | string | | | Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides | +| `keyVaultUri` | string | | | Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides | +| `licenseType` | string | | System.Object[] | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | +| `linuxConfiguration` | object | | | Optional. Specifies the Linux operating system settings on the virtual machine. | +| `location` | string | [resourceGroup().location] | | Optional. Location for all resources. | +| `managedServiceIdentity` | string | None | None, SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, UserAssigned, SystemAssigned | Optional. The type of identity used for the virtual machine. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' (default) will remove any identities from the virtual machine. | +| `lockForDeletion` | bool | False | | Optional. Switch to lock VM from deletion. | +| `maxNumberOfVmsPerAvSet` | int | 200 | | Optional. The maximum number of VMs allowed in an availability set. The template will create additional availability sets if the number of VMs to be deployed exceeds this quota. | +| `maxNumberOfVmsPerDeployment` | int | 50 | | Optional. The maximum number of VMs allowed in a single deployment. The template will create additional deployments if the number of VMs to be deployed exceeds this quota. | +| `maxPriceForLowPriorityVm` | string | | | Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. 
| +| `microsoftAntiMalwareSettings` | object | | | Optional. Settings for Microsoft Windows Defender AV extension. | +| `nicConfigurations` | array | | | Required. Configures NICs and PIPs. | +| `osDisk` | object | | | Required. Specifies the OS disk. | +| `plan` | object | | | Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | +| `proximityPlacementGroupName` | string | | | Optional. Creates an proximity placement group and adds the VMs to it. | +| `proximityPlacementGroupType` | string | Standard | System.Object[] | Optional. Specifies the type of the proximity placement group. | +| `resizeOSDisk` | bool | False | | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | +| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| `tags` | object | | | Optional. Tags of the resource. | +| `ultraSSDEnabled` | bool | False | | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. 
Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | +| `useAvailabilityZone` | bool | False | | Optional. Creates an availability zone and adds the VMs to it. Cannot be used in combination with availability set nor scale set. | +| `userAssignedIdentities` | object | | | Optional. Mandatory if 'managedServiceIdentity' contains 'UserAssigned'. The list of user identities associated with the Virtual Machine. | +| `vmComputerNames` | object | | | Optional. Specifies the VM computer names for the VMs. If the VM name is not in the object as key the VM name is used as computer name. Be aware of the maximum size of 15 characters and limitations regarding special characters for the computer name. Once set it can't be changed via template. | +| `vmComputerNamesTransformation` | string | none | | Optional. Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'. | +| `vmInitialNumber` | int | 1 | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmNumberOfInstances values. | +| `vmNamePrefix` | string | [take(toLower(uniqueString(resourceGroup().name)),10)] | | Optional. If no explicit values were provided in the vmNames parameter, this prefix will be used in combination with the vmNumberOfInstances and the vmInitialNumber parameters to create unique VM names. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | +| `vmNames` | array | System.Object[] | | Optional. Name(s) of the virtual machine(s). 
If no explicit names are provided, VM name(s) will be generated based on the vmNamePrefix, vmNumberOfInstances and vmInitialNumber parameters. | +| `vmNumberOfInstances` | int | 1 | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmInitialNumber values. | +| `vmPriority` | string | Regular | System.Object[] | Optional. Specifies the priority for the virtual machine. | +| `vmSize` | string | Standard_D2s_v3 | | Optional. Specifies the size for the VMs | +| `windowsConfiguration` | object | | | Optional. Specifies Windows operating system settings on the virtual machine. | +| `windowsScriptExtensionCommandToExecute` | securestring | | | Optional. Specifies the command that should be run on a Windows VM. | +| `windowsScriptExtensionFileData` | array | System.Object[] | | Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. 
| + +### Parameter Usage: `imageReference` + +#### Marketplace images + +```json +"imageReference": { + "value": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2016-Datacenter", + "version": "latest" + } +} +``` + +#### Custom images + +```json +"imageReference": { + "value": { + "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" + } +} +``` + +### Parameter Usage: `plan` + +```json +"plan": { + "value": { + "name": "qvsa-25", + "product": "qualys-virtual-scanner", + "publisher": "qualysguard" + } +} +``` + +### Parameter Usage: `osDisk` + +```json + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } +} +``` + +### Parameter Usage: `dataDisks` + +```json +"dataDisks": { + "value": [{ + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "256", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }] +} +``` + +### Parameter Usage: `windowsConfiguration` + +To set the time zone of a VM with the timeZone parameter inside windowsConfiguration, use the following PS command to get the correct options: + +```powershell +Get-TimeZone -ListAvailable | Select Id +``` + +```json +"windowsConfiguration": { + "provisionVMAgent": "boolean", + "enableAutomaticUpdates": "boolean", + "timeZone": "string", + "additionalUnattendContent": [ + { + "passName": "OobeSystem", + "componentName": "Microsoft-Windows-Shell-Setup", + "settingName": "string", + "content": "string" + } + ], + "winRM": { + "listeners": [ + { + "protocol": "string", + "certificateUrl": "string" + } + ] + } +} +``` + +### Parameter Usage: `linuxConfiguration` + +```json +"linuxConfiguration": { + "disablePasswordAuthentication": "boolean", + "ssh": { + 
"publicKeys": [ + { + "path": "string", + "keyData": "string" + } + ] + }, + "provisionVMAgent": "boolean" + }, + "secrets": [ + { + "sourceVault": { + "id": "string" + }, + "vaultCertificates": [ + { + "certificateUrl": "string", + "certificateStore": "string" + } + ] + } + ], + "allowExtensionOperations": "boolean", + "requireGuestProvisionSignal": "boolean" +} +``` + +### Parameter Usage: `nicConfigurations` + +The field `nicSuffix` and `subnetId` are mandatory. If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory. Each IP config needs to have the mandatory field `name`. + +```json +"value": [{ + "nicSuffix": "-nic-01", + "enableIPForwarding": false, + "enableAcceleratedNetworking": false, + "dnsServers": [ + "8.8.8.8" + ], + "ipConfigurations": [{ + "name": "ipconfig1", + "vmIPAddress": "", + "subnetId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/subnetName", + "enablePublicIP": true, + "publicIpNameSuffix": "-pip-01", + "publicIPPrefixId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Network/publicIPPrefixes/pippfx-europe", + "loadBalancerBackendAddressPools": "", + "applicationSecurityGroups": "" + }, + { + "name": "ipconfig2", + "vmIPAddress": "", + "subnetId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/subnetName", + "enablePublicIP": false, + "publicIpNameSuffix": "", + "loadBalancerBackendAddressPools": "", + "applicationSecurityGroups": "" + } + ] +}, +{ + "nicSuffix": "-nic-02", + "enableIPForwarding": false, + "enableAcceleratedNetworking": false, + "dnsServers": [ + "8.8.8.8" + ], + "ipConfigurations": [{ + "name": "ipconfig1", + "vmIPAddress": "", + "subnetId": 
"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/subnetName", + "enablePublicIP": true, + "publicIpNameSuffix": "-pip-02", + "loadBalancerBackendPoolId": "", + "applicationSecurityGroupId": "" + }] +} +] + +### Parameter Usage: `microsoftAntiMalwareSettings` + +```json +"microsoftAntiMalwareSettings": { + "AntimalwareEnabled": true, + "Exclusions": { + "Extensions": ".log;.ldf", + "Paths": "D:\\IISlogs;D:\\DatabaseLogs", + "Processes": "mssence.svc" + }, + "RealtimeProtectionEnabled": true, + "ScheduledScanSettings": { + "isEnabled": "true", + "scanType": "Quick", + "day": "7", + "time": "120" + } +} +``` + +### Parameter Usage: `windowsScriptExtensionFileData` + +```json +"windowsScriptExtensionFileData": { + "value": [ + //storage accounts with SAS token requirement + { + "uri": "https://storageAccount.blob.core.windows.net/wvdscripts/File1.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + { + "uri": "https://storageAccount.blob.core.windows.net/wvdscripts/File2.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + { + "uri": "https://github.com/myProject/File3.ps1", + "storageAccountId": "" + } + ] +} +``` + +### Parameter Usage: `windowsScriptExtensionFileData` with native storage account key support + +```json +"windowsScriptExtensionFileData": { + "value": [ + { + "https://mystorageaccount.blob.core.windows.net/wvdscripts/testscript.ps1" + } + ] +}, +"windowsScriptExtensionCommandToExecute": { + "value": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" +}, +"cseStorageAccountName": { + "value": 
"mystorageaccount" +}, +"cseStorageAccountKey": { + "value": "MyPlaceholder" +} +``` + +### Parameter Usage: `dscConfiguration` + +```json +"dscConfiguration": { + "value": { + "settings": { + "wmfVersion": "latest", + "configuration": { + "url": "http://validURLToConfigLocation", + "script": "ConfigurationScript.ps1", + "function": "ConfigurationFunction" + }, + "configurationArguments": { + "argument1": "Value1", + "argument2": "Value2" + }, + "configurationData": { + "url": "https://foo.psd1" + }, + "privacy": { + "dataCollection": "enable" + }, + "advancedOptions": { + "forcePullAndApply": false, + "downloadMappings": { + "specificDependencyKey": "https://myCustomDependencyLocation" + } + } + }, + "protectedSettings": { + "configurationArguments": { + "mySecret": "MyPlaceholder" + }, + "configurationUrlSasToken": "MyPlaceholder", + "configurationDataUrlSasToken": "MyPlaceholder" + } + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `deploymentCount` | int | The number of VM deployments. | +| `virtualMachinesName` | array | The Names of the VMs. | +| `virtualMachinesResourceGroup` | string | The name of the Resource Group the VM(s) was/were created in. | +| `virtualMachinesResourceId` | array | The Resource Id(s) of the VM(s). | + +## Considerations + +**NOTE**: Since some time in the beginning of _2021_, [new limits regarding deployment sizes](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/error-job-size-exceeded) were put into place and restrict the number of VMs you can deploy with this module. +Tests that deployed only VMs with only one NIC each, without any extra resources such as DataDisks, public IPs or VM extensions, showed the maximum number of VMs you can deploy is about **`700`**. However, this number may be less depending on the amount of additional resources you want to deploy in one go. +The reason for this restriction is twofold: +- One the one hand, the deployment is restrictd by a limitation of the storage table used by the resource manager to store deployment-metadata in. This forces us to split the deployments into smaller chunks to archieve higher numbers. The metadata is a blackbox we're unable to influence for the most part and results into an `InternalSystemLimitations` error if exceeded. +- The second restriction is the `800` deployments per resource group limit. Cutting the deployments into chunks allows a large number of deployments to run concurrently, but as a side-effect the deployment-garbage-collection automatic deletions aren't processed fast enough to reduce the total number. 
+ +## Additional resources + +- [Overview of Windows virtual machines in Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview) +- [Microsoft.Compute virtualMachines template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [PowerShell DSC Extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows#extension-schema) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [ProximityPlacementGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/proximityPlacementGroups) +- [Availability Sets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/availabilitySets) +- [Deployment Quota Exceeded](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-quota-exceeded) \ No newline at end of file diff --git a/arm/Microsoft.Consumption/budgets/deploy.json b/arm/Microsoft.Consumption/budgets/deploy.json new file mode 100644 index 0000000000..0b3cf4033d --- /dev/null +++ b/arm/Microsoft.Consumption/budgets/deploy.json 
@@ -0,0 +1,115 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "budgetName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. The name of the budget."
+ }
+ },
+ "category": {
+ "type": "string",
+ "defaultValue": "Cost",
+ "allowedValues": [ "Cost", "Usage" ],
+ "metadata": {
+ "description": "Optional. The category of the budget, whether the budget tracks cost or usage."
+ }
+ },
+ "amount": {
+ "type": "int",
+ "metadata": {
+ "description": "Required. The total amount of cost to track with the budget."
+ }
+ },
+ "resetPeriod": {
+ "type": "string",
+ "defaultValue": "Monthly",
+ "allowedValues": [ "Monthly", "Quarterly", "Annually", "BillingMonth", "BillingQuarter", "BillingAnnual" ],
+ "metadata": {
+ "description": "Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers."
+ }
+ },
+ "startDate": {
+ "type": "string",
+ "defaultValue": "[concat(utcNow('yyyy'), '-', utcNow('MM'), '-01T00:00:00Z')]",
+ "metadata": {
+ "description": "Optional. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month)."
+ }
+ },
+ "endDate": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The end date for the budget. If not provided, it will default to 10 years from the start date."
+ }
+ },
+ "alertPercentage": {
+ "type": "int",
+ "metadata": {
+ "description": "Required. Alert % must be between 1 and 1000."
+ }
+ },
+ "contactEmails": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. List of email addresses that will receive the alert."
+ }
+ },
+ "actionGroups": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. List of fully qualified action group resource IDs that will receive the alert."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[parameters('budgetName')]",
+ "type": "Microsoft.Consumption/budgets",
+ "apiVersion": "2019-10-01",
+ "properties": {
+ "category": "[parameters('category')]",
+ "amount": "[parameters('amount')]",
+ "timeGrain": "[parameters('resetPeriod')]",
+ "timePeriod": {
+ "startDate": "[parameters('startDate')]",
+ "endDate": "[parameters('endDate')]"
+ },
+ "notifications": {
+ "actual_GreaterThan_Percentage": {
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('alertPercentage')]",
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": [],
+ "contactGroups": "[parameters('actionGroups')]",
+ "thresholdType": "Actual"
+ }
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "budgetName": {
+ "type": "string",
+ "value": "[parameters('budgetName')]",
+ "metadata": {
+ "description": "The name of the budget."
+ }
+ },
+ "budgetResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Consumption/budgets', parameters('budgetName'))]",
+ "metadata": {
+ "description": "The Resource Id of the budget."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Consumption/budgets/parameters/parameters.json b/arm/Microsoft.Consumption/budgets/parameters/parameters.json
new file mode 100644
index 0000000000..f67fe8983c
--- /dev/null
+++ b/arm/Microsoft.Consumption/budgets/parameters/parameters.json
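Review bot: `alertPercentage` documents a range of 1 to 1000 but the parameter declares no bounds, so an out-of-range value is caught, if at all, only by the resource provider at deployment time; add `"minValue": 1,` and `"maxValue": 1000,` to the parameter. Separately, `contactEmails` and `actionGroups` both default to `[]` and `contactRoles` is fixed to `[]`, so a deployment that relies on the defaults declares a notification with no recipient, and the budget alert would either be rejected or reach nobody. The two descriptions should state that at least one of them must be supplied. `endDate` defaults to `""` and is passed unchanged into `timePeriod.endDate`; whether the service treats an empty string as "not provided" is not visible in this hunk and is worth confirming.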
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "budgetName": {
+ "value": "MyBudget01"
+ },
+ "amount": {
+ "value": 500
+ },
+ "alertPercentage": {
+ "value": 100
+ },
+ "contactEmails": {
+ "value": [
+ "dummy@contoso.com"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Consumption/budgets/readme.md b/arm/Microsoft.Consumption/budgets/readme.md
new file mode 100644
index 0000000000..5a86775615
--- /dev/null
+++ b/arm/Microsoft.Consumption/budgets/readme.md
@@ -0,0 +1,39 @@ +# Budgets + +This module deploys budgets for subscriptions. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Consumption/budgets` | 2019-10-01 | + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `budgetName` | string | Required. The name of the budget. | | | +| `category` | string | Optional. The category of the budget, whether the budget tracks cost or usage. | "Cost" | "Cost", "Usage" | +| `amount` | int | Required. The total amount of cost to track with the budget. | | | +| `resetPeriod` | string | Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | "Monthly" | "Monthly", "Quarterly", "Annually", "BillingMonth", "BillingQuarter", "BillingAnnual" | +| `startDate` | string | Optional. Optional. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). | --01T00:00:00Z | | +| `endDate` | string | Optional. The end date for the budget. If not provided, it will default to 10 years from the start date. | "" | | +| `alertPercentage` | int | Required. Alert % must be between 1 and 1000. | | | +| `contactEmails` | array | Optional. List of email addresses that will receive the alert. | | | +| `actionGroups` | array | Optional. List of fully qualified action group resource IDs that will receive the alert. | | | + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `budgetName` | string | The name of the budget. | +| `budgetResourceId` | string | The Resource Id of the budget. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [Tutorial: Create and manage Azure budgets](https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets) +- [Microsoft.Consumption/budgets template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.consumption/2019-10-01/budgets) \ No newline at end of file diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.json b/arm/Microsoft.ContainerInstance/containerGroups/deploy.json new file mode 100644 index 0000000000..74f5e8fd33 --- /dev/null +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.json 
@@ -0,0 +1,217 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "containergroupname": { + "type": "string", + "metadata": { + "description": "Required. Name for the container group." + } + }, + "containername": { + "type": "string", + "metadata": { + "description": "Required. Name for the container." + } + }, + "image": { + "type": "string", + "metadata": { + "description": "Required. Name of the image." + } + }, + "ports": { + "type": "array", + "metadata": { + "description": "Optional. Port to open on the container and the public IP address." + }, + "defaultValue": [ + { + "name": "Tcp", + "value": "443" + } + ] + }, + "cpuCores": { + "type": "string", + "metadata": { + "description": "Optional. The number of CPU cores to allocate to the container." + }, + "defaultValue": "1.0" + }, + "memoryInGB": { + "type": "string", + "metadata": { + "description": "Optional. The amount of memory to allocate to the container in gigabytes." + }, + "defaultValue": "1.5" + }, + "osType": { + "type": "string", + "metadata": { + "description": "Optional. The operating system type required by the containers in the container group. - Windows or Linux." + }, + "defaultValue": "Linux" + }, + "restartPolicy": { + "type": "string", + "metadata": { + "description": "Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never" + }, + "defaultValue": "Always" + }, + "ipAddressType": { + "type": "string", + "metadata": { + "description": "Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private" + }, + "defaultValue": "Public" + }, + "imageRegistryCredentials": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. The image registry credentials by which the container group is created from." 
+ } + }, + "environmentVariables": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Envrionment variables of the container group." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('containergroupname')]", + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2019-12-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [], + "properties": { + "containers": [ + { + "name": "[parameters('containername')]", + "properties": { + "command": [], + "image": "[parameters('image')]", + "ports": "[parameters('ports')]", + "resources": { + "requests": { + "cpu": "[parameters('cpuCores')]", + "memoryInGB": "[parameters('memoryInGB')]" + } + }, + "environmentVariables": "[parameters('environmentVariables')]" + } + } + ], + "imageRegistryCredentials": "[parameters('imageRegistryCredentials')]", + "restartPolicy": 
"[parameters('restartPolicy')]", + "osType": "[parameters('osType')]", + "ipAddress": { + "type": "[parameters('ipAddressType')]", + "ports": "[parameters('ports')]" + } + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/containerGroupDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.ContainerInstance/containerGroups/', parameters('containergroupname'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + } + ] + } + ], + "functions": [ + ], + "outputs": { + "containerGroupName": { + "type": "string", + "value": "[parameters('containergroupname')]", + "metadata": { + "description": "The Name of the resource" + } + }, + "containerGroupResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ContainerInstance/containerGroups',parameters('containergroupname'))]", + "metadata": { + "description": "The Resource Id of the resource" + } + }, + "containerGroupResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the resource resides" + } + }, + "containerGroupIPv4Address": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', parameters('containergroupname'))).ipAddress.ip]", + "metadata": { + "description": "The public IP of the resource" + } + } + } +} diff --git a/arm/Microsoft.ContainerInstance/containerGroups/parameters/parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/parameters/parameters.json new file mode 100644 index 0000000000..095568647d --- /dev/null +++ b/arm/Microsoft.ContainerInstance/containerGroups/parameters/parameters.json 
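Review bot: `imageRegistryCredentials` and `environmentVariables` are declared as plain `array` parameters, yet they carry registry passwords and `secureValue` entries; values of non-secure parameter types are kept with the deployment record and can be read back by anyone allowed to read deployments in the resource group. Take them through a secure type instead, for example `"type": "secureObject"` wrapping the list, and read the inner list in the resource body. Separately, the default for `ports` uses the keys `name`/`value` (`{ "name": "Tcp", "value": "443" }`) while the sample parameter file in this patch uses `protocol`/`port`, so a deployment that relies on the default will most likely be rejected. `osType`, `restartPolicy` and `ipAddressType` name their accepted values only in the description; `allowedValues` would catch a typo at validation, and the `Public` default of `ipAddressType` deserves an explicit line in the readme.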
@@ -0,0 +1,47 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "containergroupName": {
+ "value": "sxx-az-acg-weu-x-001"
+ },
+ "containerName": {
+ "value": "sxx-az-aci-weu-x-001"
+ },
+ "image": {
+ "value": "microsoft/aci-helloworld"
+ },
+ "ports": {
+ "value": [
+ {
+ "protocol": "Tcp",
+ "port": "80"
+ },
+ {
+ "protocol": "Tcp",
+ "port": "443"
+ }
+ ]
+ }
+ // "environmentVariables": {
+ // "value": [
+ // {
+ // "name": "",
+ // "secureValue": ""
+ // },
+ // {
+ // "name": "",
+ // "value": ""
+ // }
+ // ]
+ // },
+ // "imageRegistryCredentials": {
+ // "value": [
+ // {
+ // "server": "sxxazacrx001.azurecr.io",
+ // "username": "sxxazacrx001"
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md
new file mode 100644
index 0000000000..12cfb8364d
--- /dev/null
+++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md
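Review bot: The sample `image` value `microsoft/aci-helloworld` has no tag or digest, so every deployment pulls whatever the registry currently serves under the default tag; pin it, e.g. `"value": "<registry>/<image>@sha256:<digest>"` (placeholder values). The `ports` list opens 80 next to 443, and with the template's `ipAddressType` default of `Public` that publishes a plain-HTTP port on a public address; drop the port-80 entry from the sample unless it is needed. The trailing `//` block is only accepted by comment-tolerant ARM tooling, so a strict JSON parser in a pipeline would reject this file.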
@@ -0,0 +1,92 @@ +# ContainerInstances + +### Container groups in Azure Container Instances + +The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Resources/deployments` | 2018-02-01 | +| `Microsoft.ContainerInstance/containerGroups` | 2019-12-01 | +| `providers/locks` | 2016-09-01 | + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| :-- | :-- | :-- | :-- | :-- | +| `containergroupname` | string | Required. Name for the container group. | | | +| `containername` | string | Required. Name for the container. | | | +| `cpuCores` | string | Optional. The number of CPU cores to allocate to the container. | 1.0 | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `environmentVariables` | array | Optional. Envrionment variables of the container group. | System.Object[] | | +| `image` | string | Required. Name of the image. | | | +| `imageRegistryCredentials` | array | Optional. The image registry credentials by which the container group is created from. | System.Object[] | | +| `ipAddressType` | string | Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private | Public | | +| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | False | | +| `memoryInGB` | string | Optional. The amount of memory to allocate to the container in gigabytes. 
| 1.5 | | +| `osType` | string | Optional. The operating system type required by the containers in the container group. - Windows or Linux. | Linux | | +| `ports` | array | Optional. Port to open on the container and the public IP address. | System.Object[] | | +| `restartPolicy` | string | Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never | Always | | +| `tags` | object | Optional. Tags of the resource. | | | + +### Parameter Usage: `imageRegistryCredentials` + +The image registry credentials by which the container group is created from. + +```json + "imageRegistryCredentials": { + "value": [ + { + "server": "sxxazacrx001.azurecr.io", + "username": "sxxazacrx001" + } + ] + } +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `containerGroupIPv4Address` | string | | +| `containerGroupName` | string | The Name of the resource | +| `containerGroupResourceGroup` | string | The name of the Resource Group the resource resides | +| `containerGroupResourceId` | string | The Resource Id of the resource | + +### References + +#### Template references + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [ContainerGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups) + +## Considerations + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- 
[ContainerGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups) diff --git a/arm/Microsoft.ContainerRegistry/registries/deploy.json b/arm/Microsoft.ContainerRegistry/registries/deploy.json new file mode 100644 index 0000000000..1514ff65e2 --- /dev/null +++ b/arm/Microsoft.ContainerRegistry/registries/deploy.json 
@@ -0,0 +1,510 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "acrName": { + "type": "string", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "Required. Name of your Azure Container Registry" + } + }, + "acrAdminUserEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable admin user that have push / pull permission to the registry." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "acrSku": { + "type": "string", + "metadata": { + "description": "Optional. Tier of your Azure Container Registry." + }, + "defaultValue": "Basic", + "allowedValues": [ + "Basic", + "Standard", + "Premium" + ] + }, + "quarantinePolicyStatus": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The value that indicates whether the policy is enabled or not." + } + }, + "trustPolicyStatus": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The value that indicates whether the policy is enabled or not." 
+ } + }, + "retentionPolicyStatus": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The value that indicates whether the policy is enabled or not." + } + }, + "retentionPolicyDays": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The number of days to retain an untagged manifest after which it gets purged." + } + }, + "dataEndpointEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access." + } + }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "Enabled", + "metadata": { + "description": "Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled" + } + }, + "networkRuleBypassOptions": { + "type": "string", + "defaultValue": "AzureServices", + "metadata": { + "description": "Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None" + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock containter registry from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + // Diagnostic Settings + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + } + }, + "variables": { + "cleanAcrName": "[replace(tolower(parameters('acrName')), '-', '')]", + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "ContainerRegistryRepositoryEvents", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ContainerRegistryLoginEvents", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[variables('cleanAcrName')]", + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2020-11-01-preview", + "location": "[parameters('location')]", + "comments": "Container registry for storing docker images", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('acrSku')]" + }, + "properties": { + "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", + "policies": { + "quarantinePolicy": { + "status": "[if(empty(parameters('quarantinePolicyStatus')), json('null'), parameters('quarantinePolicyStatus'))]" + }, + "trustPolicy": { + "type": "Notary", + "status": "[if(empty(parameters('trustPolicyStatus')), json('null'), parameters('trustPolicyStatus'))]" + }, + "retentionPolicy": { + "days": "[if(empty(parameters('retentionPolicyDays')), json('null'), parameters('retentionPolicyDays'))]", + "status": "[if(empty(parameters('retentionPolicyStatus')), json('null'), parameters('retentionPolicyStatus'))]" + } + }, + "dataEndpointEnabled": "[parameters('dataEndpointEnabled')]", + "publicNetworkAccess": "[parameters('publicNetworkAccess')]", + "networkRuleBypassOptions": "[parameters('networkRuleBypassOptions')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/azureContainerRegistryDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.ContainerRegistry/registries', variables('cleanAcrName'))]" + ], + "comments": "Resource lock on the Container Registry", + "properties": { + "level": "CannotDelete" + } + }, + // Diagnostic settings + { + "type": 
"Microsoft.ContainerRegistry/registries/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('cleanAcrName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.ContainerRegistry/registries/', variables('cleanAcrName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // ACR RBAC + { + "name": "[concat('AcrRbacDeplCopy-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[variables('cleanAcrName')]" + ], + "copy": { + "name": "AcrRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + 
"parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "cleanAcrName": { + "value": "[variables('cleanAcrName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "cleanAcrName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('cleanAcrName'), '/Microsoft.Authorization/', guid(parameters('cleanAcrName'), array(parameters('roleAssignment').principalIds)[copyIndex('AcrInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "AcrInnerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ContainerRegistry-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[variables('cleanAcrName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + 
"scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.ContainerRegistry/registries', variables('cleanAcrName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + 
}, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + } + ], + "functions": [], + "outputs": { + "acrName": { + "type": "string", + "value": "[variables('cleanAcrName')]", + "metadata": { + "description": "The Name of the Azure Container Registry." 
+ } + }, + "acrLoginServer": { + "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',variables('cleanAcrName')),'2019-05-01').loginServer]", + "type": "string", + "metadata": { + "description": "The reference to the Azure Container Registry." + } + }, + "acrResourceGroup": { + "value": "[resourceGroup().name]", + "type": "string", + "metadata": { + "description": "The name of the Resource Group the Azure Container Registry was created in." + } + }, + "acrResourceId": { + "value": "[resourceId('Microsoft.ContainerRegistry/registries',variables('cleanAcrName'))]", + "type": "string", + "metadata": { + "description": "The Resource Id of the Azure Container Registry." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.ContainerRegistry/registries/parameters/parameters.json b/arm/Microsoft.ContainerRegistry/registries/parameters/parameters.json new file mode 100644 index 0000000000..23411af574 --- /dev/null +++ b/arm/Microsoft.ContainerRegistry/registries/parameters/parameters.json @@ -0,0 +1,34 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "acrName": { + "value": "acrservices001" + }, + "acrAdminUserEnabled": { + "value": false + } + // "acrSku": { + // "value": "Premium" + // }, + // "dataEndpointEnabled": { + // "value": false + // }, + // "publicNetworkAccess": { + // "value": "Disabled" + // }, + // "networkRuleBypassOptions": { + // "value": "AzureServices" + // }, + // // Diagnostic Settings + // "diagnosticSettingName": { + // "value": "test" + // }, + // "diagnosticLogsRetentionInDays": { + // "value": 7 + // }, + // "workspaceId": { + // "value": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.OperationalInsights/workspaces/xxx" + // } + } +} \ No newline at end of file 
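Review bot: `publicNetworkAccess` defaults to `Enabled` and, like `networkRuleBypassOptions` and the three `*PolicyStatus` parameters, is a free-form string whose accepted values exist only in the description; add `"allowedValues": [ "Enabled", "Disabled" ]` (and `[ "AzureServices", "None" ]` for the bypass option) so a typo fails at validation rather than at the resource provider. The `roleAssignments` description tells callers to supply 'principalId', but the nested template reads `parameters('roleAssignment').principalIds`, so an object written from the description fails on the missing property; the description should name `principalIds`. The inner copy also mixes `copyIndex('AcrInnerRbacCopy')` in the assignment name with a bare `copyIndex()` in `principalId`; using the named form in both keeps the GUID and the principal visibly tied together. `builtInRoleNames` maps `Owner` and `User Access Administrator` as well, so any caller of this module can grant those roles on the registry, which is worth stating in the readme.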
diff --git a/arm/Microsoft.ContainerRegistry/registries/readme.md b/arm/Microsoft.ContainerRegistry/registries/readme.md new file mode 100644 index 0000000000..72122a7cfb --- /dev/null +++ b/arm/Microsoft.ContainerRegistry/registries/readme.md 
@@ -0,0 +1,122 @@ +# ContainerRegistry + +Azure Container Registry is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images and related artifacts. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.ContainerRegistry/registries` | 2020-11-01-preview | +| `Microsoft.ContainerRegistry/registries/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.ContainerRegistry/registries/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| :-- | :-- | :-- | :-- | :-- | +| `acrName` | string | Required. Name of the container registry. | | | +| `acrAdminUserEnabled` | bool | Required. The value that indicates whether the admin user is enabled. | false | true, false | +| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `acrSku` | enum | Required. The SKU name of the container registry. Required for registry creation. 
| Basic | Classic, Basic, Standard, Premium | +| `quarantinePolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not. | | Enabled, Disabled | +| `trustPolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not. | | Enabled, Disabled | +| `retentionPolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not.| | Enabled, Disabled | +| `retentionPolicyDays` | string | Optional. The number of days to retain an untagged manifest after which it gets purged. | | | +| `dataEndpointEnabled` | bool | Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. | false | true, false | +| `publicNetworkAccess` | string | Optional. Whether or not public network access is allowed for the container registry. | Enabled | Enabled, Disabled | +| `networkRuleBypassOptions` | string | Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. | AzureServices | AzureServices, None | +| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | False | | +| `tags` | object | Optional. Tags of the resource. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | service | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | +| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | + +### Parameter Usage: `imageRegistryCredentials` + +The image registry credentials by which the container group is created from. + +```json + "acrName": { + "value": { + "server": "acrx001", + } + }, + "acrAdminUserEnabled": { + "value": false + } +``` + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `acrName` | string | The Name of the Azure Container Registry. | +| `acrLoginServer` | string | The reference to the Azure Container Registry login server. | +| `acrResourceGroup` | string | The name of the Resource Group the Azure Container Registry was created in. | +| `acrResourceId` | string | The Resource Id of the Azure Container Registry. | + +## Considerations + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [ContainerRegistry](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerregistry/2019-05-01/registries) 
diff --git a/arm/Microsoft.ContainerService/managedClusters/deploy.json b/arm/Microsoft.ContainerService/managedClusters/deploy.json
new file mode 100644
index 0000000000..afc06ee560
--- /dev/null
+++ b/arm/Microsoft.ContainerService/managedClusters/deploy.json
@@ -0,0 +1,779 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "aksClusterName": { + "type": "string", + "metadata": { + "description": "Required. Specifies the name of the AKS cluster." + } + }, + "location": { + "defaultValue": "[resourceGroup().location]", + "type": "string", + "metadata": { + "description": "Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default." + } + }, + "aksClusterDnsPrefix": { + "defaultValue": "[parameters('aksClusterName')]", + "type": "string", + "metadata": { + "description": "Optional. Specifies the DNS prefix specified when creating the managed cluster." + } + }, + "identity": { + "type": "object", + "defaultValue": { "type": "SystemAssigned" }, + "metadata": { + "description": "Optional. The identity of the managed cluster." + } + }, + "aksClusterNetworkPlugin": { + "defaultValue": "", + "type": "string", + "allowedValues": [ + "", + "azure", + "kubenet" + ], + "metadata": { + "description": "Optional. Specifies the network plugin used for building Kubernetes network. - azure or kubenet." + } + }, + "aksClusterNetworkPolicy": { + "defaultValue": "", + "type": "string", + "allowedValues": [ + "", + "azure", + "calico" + ], + "metadata": { + "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure" + } + }, + "aksClusterPodCidr": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." + } + }, + "aksClusterServiceCidr": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." 
+ } + }, + "aksClusterDnsServiceIP": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." + } + }, + "aksClusterDockerBridgeCidr": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range." + } + }, + "aksClusterLoadBalancerSku": { + "defaultValue": "standard", + "type": "string", + "allowedValues": [ + "basic", + "standard" + ], + "metadata": { + "description": "Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." + } + }, + "managedOutboundIPCount": { + "defaultValue": 0, + "type": "int", + "metadata": { + "description": "Optional. Outbound IP Count for the Load balancer." + } + }, + "aksClusterOutboundType": { + "defaultValue": "loadBalancer", + "type": "string", + "allowedValues": [ + "loadBalancer", + "userDefinedRouting" + ], + "metadata": { + "description": "Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." + } + }, + "aksClusterSkuTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Paid" + ], + "metadata": { + "description": "Optional. Tier of a managed cluster SKU. - Free or Paid" + } + }, + "aksClusterKubernetesVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Version of Kubernetes specified when creating the managed cluster." + } + }, + "aksClusterAdminUsername": { + "defaultValue": "azureuser", + "type": "string", + "metadata": { + "description": "Optional. Specifies the administrator username of Linux virtual machines." 
+ } + }, + "aksClusterSshPublicKey": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. Specifies the SSH RSA public key string for the Linux nodes." + } + }, + "aksServicePrincipalProfile": { + "defaultValue": {}, + "type": "object", + "metadata": { + "description": "Optional. Information about a service principal identity for the cluster to use for manipulating Azure APIs." + } + }, + "aadProfileClientAppID": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The client AAD application ID." + } + }, + "aadProfileServerAppID": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The server AAD application ID." + } + }, + "aadProfileServerAppSecret": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The server AAD application secret." + } + }, + "aadProfileTenantId": { + "defaultValue": "[subscription().tenantId]", + "type": "string", + "metadata": { + "description": "Optional. Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." + } + }, + "aadProfileAdminGroupObjectIDs": { + "defaultValue": [], + "type": "array", + "metadata": { + "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster." + } + }, + "aadProfileManaged": { + "defaultValue": true, + "type": "bool", + "metadata": { + "description": "Optional. Specifies whether to enable managed AAD integration." + } + }, + "aadProfileEnableAzureRBAC": { + "defaultValue": true, + "type": "bool", + "metadata": { + "description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization." + } + }, + "nodeResourceGroup": { + "defaultValue": "[concat(resourceGroup().name,'_aks_', parameters('aksClusterName'), '_nodes')]", + "type": "string", + "metadata": { + "description": "Optional. Name of the resource group containing agent pool nodes." 
+ } + }, + "aksClusterEnablePrivateCluster": { + "defaultValue": false, + "type": "bool", + "metadata": { + "description": "Optional. Specifies whether to create the cluster as a private cluster or not." + } + }, + "primaryAgentPoolProfile": { + "type": "array", + "metadata": { + "description": "Required. Properties of the primary agent pool." + } + }, + "additionalAgentPools": { + "defaultValue": [], + "type": "array", + "metadata": { + "description": "Optional. Define one or multiple node pools" + } + }, + "httpApplicationRoutingEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the httpApplicationRouting add-on is enabled or not." + } + }, + "aciConnectorLinuxEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the aciConnectorLinux add-on is enabled or not." + } + }, + "azurePolicyEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether the azurepolicy add-on is enabled or not." + } + }, + "azurePolicyVersion": { + "type": "string", + "defaultValue": "v2", + "metadata": { + "description": "Optional. Specifies the azure policy version to use." + } + }, + "kubeDashboardEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the kubeDashboard add-on is enabled or not." + } + }, + "autoScalerProfileScanInterval": { + "type": "string", + "defaultValue": "10s", + "metadata": { + "description": "Optional. Specifies the scan interval of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownDelayAfterAdd": { + "type": "string", + "defaultValue": "10m", + "metadata": { + "description": "Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster." 
+ } + }, + "autoScalerProfileScaleDownDelayAfterDelete": { + "type": "string", + "defaultValue": "20s", + "metadata": { + "description": "Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownDelayAfterFailure": { + "type": "string", + "defaultValue": "3m", + "metadata": { + "description": "Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownUnneededTime": { + "type": "string", + "defaultValue": "10m", + "metadata": { + "description": "Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownUnreadyTime": { + "type": "string", + "defaultValue": "20m", + "metadata": { + "description": "Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileUtilizationThreshold": { + "type": "string", + "defaultValue": "0.5", + "metadata": { + "description": "Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileMaxGracefulTerminationSec": { + "type": "string", + "defaultValue": "600", + "metadata": { + "description": "Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." + } + }, + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." 
+ } + }, + "omsAgentEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether the OMS agent is enabled." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "roleAssignments": { + "defaultValue": [], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "lockForDeletion": { + "defaultValue": false, + "type": "bool", + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." 
+ } + } + }, + "variables": { + "aksClusterLinuxProfile": { + "adminUsername": "[parameters('aksClusterAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('aksClusterSshPublicKey')]" + } + ] + } + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "kube-apiserver", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "kube-audit", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "kube-controller-manager", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "kube-scheduler", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "cluster-autoscaler", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "lbProfile": { + "managedOutboundIPs": { + "count": "[parameters('managedOutboundIPCount')]" + }, + "effectiveOutboundIPs": [ + ] + }, + "builtInRoleNames": { + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Kubernetes Service RBAC Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", + "Azure Kubernetes Service RBAC Cluster Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", + "Azure Kubernetes Service RBAC Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", + "Azure Kubernetes Service RBAC Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + // Cluster + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2021-05-01", + "name": "[parameters('aksClusterName')]", + "location": "[parameters('location')]", + "tags": "[if(empty(parameters('tags')), json('null'), 
parameters('tags'))]", + "identity": "[parameters('identity')]", + "dependsOn": [], + "properties": { + "kubernetesVersion": "[if(empty(parameters('aksClusterKubernetesVersion')), json('null'), parameters('aksClusterKubernetesVersion'))]", + "dnsPrefix": "[parameters('aksClusterDnsPrefix')]", + "agentPoolProfiles": "[parameters('primaryAgentPoolProfile')]", + "sku": { + "name": "Basic", + "tier": "[parameters('aksClusterSkuTier')]" + }, + "linuxProfile": "[if(empty(parameters('aksClusterSshPublicKey')), json('null'), variables('aksClusterLinuxProfile'))]", + "servicePrincipalProfile": "[if(empty(parameters('aksServicePrincipalProfile')), json('null'), parameters('aksServicePrincipalProfile'))]", + "addonProfiles": { + "httpApplicationRouting": { + "enabled": "[parameters('httpApplicationRoutingEnabled')]" + }, + "omsagent": { + "enabled": "[and(parameters('omsAgentEnabled'), not(empty(parameters('workspaceId'))))]", + "config": { + "logAnalyticsWorkspaceResourceID": "[if(not(empty(parameters('workspaceId'))), parameters('workspaceId'), json('null'))]" + } + }, + "aciConnectorLinux": { + "enabled": "[parameters('aciConnectorLinuxEnabled')]" + }, + "azurepolicy": { + "enabled": "[parameters('azurePolicyEnabled')]", + "config": { + "version": "[parameters('azurePolicyVersion')]" + } + }, + "kubeDashboard": { + "enabled": "[parameters('kubeDashboardEnabled')]" + } + }, + "enableRBAC": "[parameters('aadProfileEnableAzureRBAC')]", + "nodeResourceGroup": "[parameters('nodeResourceGroup')]", + "networkProfile": { + "networkPlugin": "[if(empty(parameters('aksClusterNetworkPlugin')), json('null'), parameters('aksClusterNetworkPlugin'))]", + "networkPolicy": "[if(empty(parameters('aksClusterNetworkPolicy')), json('null'), parameters('aksClusterNetworkPolicy'))]", + "podCidr": "[if(empty(parameters('aksClusterPodCidr')), json('null'), parameters('aksClusterPodCidr'))]", + "serviceCidr": "[if(empty(parameters('aksClusterServiceCidr')), json('null'), 
parameters('aksClusterServiceCidr'))]", + "dnsServiceIP": "[if(empty(parameters('aksClusterDnsServiceIP')), json('null'), parameters('aksClusterDnsServiceIP'))]", + "dockerBridgeCidr": "[if(empty(parameters('aksClusterDockerBridgeCidr')), json('null'), parameters('aksClusterDockerBridgeCidr'))]", + "outboundType": "[parameters('aksClusterOutboundType')]", + "loadBalancerSku": "[parameters('aksClusterLoadBalancerSku')]", + "loadBalancerProfile": "[if(equals(parameters('managedOutboundIPCount'), 0), json('null'), variables('lbProfile'))]" + }, + "aadProfile": { + "clientAppId": "[parameters('aadProfileClientAppID')]", + "serverAppId": "[parameters('aadProfileServerAppID')]", + "serverAppSecret": "[parameters('aadProfileServerAppSecret')]", + "managed": "[parameters('aadProfileManaged')]", + "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", + "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", + "tenantID": "[parameters('aadProfileTenantId')]" + }, + "autoScalerProfile": { + "scan-interval": "[parameters('autoScalerProfileScanInterval')]", + "scale-down-delay-after-add": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", + "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", + "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", + "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", + "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", + "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", + "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" + }, + "apiServerAccessProfile": { + "enablePrivateCluster": "[parameters('aksClusterEnablePrivateCluster')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": 
"Microsoft.Authorization/aksDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.ContainerService/managedClusters/', parameters('aksClusterName'))]" + ], + "comments": "Resource lock on Azure Kubernetes Service", + "properties": { + "level": "CannotDelete" + } + } + ] + } + }, + // Diagnostic Settings + { + "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('aksClusterName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "location": "[parameters('location')]", + "condition": "[not(empty(parameters('workspaceId')))]", + "dependsOn": [ + "[concat('Microsoft.ContainerService/managedClusters/', parameters('aksClusterName'))]" + ], + "properties": { + "name": "diagnostics", + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "metrics": "[if(empty(parameters('workspaceId')), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(empty(parameters('workspaceId')), json('null'), variables('diagnosticsLogs'))]" + } + }, + // Additional Node Pools + { + "type": "Microsoft.Resources/deployments", + "name": "[concat('anp-',deployment().name, copyIndex('agentPoolProfiles'))]", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('additionalAgentPools')))]", + "dependsOn": [ + "[parameters('aksClusterName')]" + ], + "copy": { + "name": "agentPoolProfiles", + "count": "[length(parameters('additionalAgentPools'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": 
"inner" + }, + "parameters": { + "nodePoolName": { + "value": "[parameters('additionalAgentPools')[copyIndex('agentPoolProfiles')].name]" + }, + "nodePoolProperties": { + "value": "[parameters('additionalAgentPools')[copyIndex('agentPoolProfiles')].properties]" + }, + "aksClusterName": { + "value": "[parameters('aksClusterName')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "nodePoolName": { + "type": "string" + }, + "nodePoolProperties": { + "type": "object" + }, + "aksClusterName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "name": "[concat(parameters('aksClusterName'), '/', parameters('nodePoolName'))]", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": "[parameters('nodePoolProperties')]" + } + ] + } + } + }, + // RBAC + { + "type": "Microsoft.Resources/deployments", + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('aksClusterName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "aksClusterName": { + "value": "[parameters('aksClusterName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + 
"builtInRoleNames": { + "type": "object" + }, + "aksClusterName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('aksClusterName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('aksClusterName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "azureKubernetesServiceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]", + "metadata": { + "description": "The Resource Id of the Azure Kubernetes Service." + } + }, + "azureKubernetesServiceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Azure Kubernetes Service was created in." + } + }, + "azureKubernetesServiceName": { + "type": "string", + "value": "[parameters('aksClusterName')]", + "metadata": { + "description": "The Name of the Azure Kubernetes Service." 
+ } + }, + "controlPlaneFQDN": { + "type": "string", + "value": "[if(parameters('aksClusterEnablePrivateCluster'), reference(parameters('aksClusterName')).privateFQDN, reference(parameters('aksClusterName')).fqdn)]", + "metadata": { + "description": "The FQDN of the Azure Kubernetes Service." + } + } + } +} diff --git a/arm/Microsoft.ContainerService/managedClusters/parameters/parameters.json b/arm/Microsoft.ContainerService/managedClusters/parameters/parameters.json new file mode 100644 index 0000000000..7a6b72b7a8 --- /dev/null +++ b/arm/Microsoft.ContainerService/managedClusters/parameters/parameters.json 
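Review bot: `aadProfileServerAppSecret` is declared with `"type": "string"` and `aksServicePrincipalProfile` with `"type": "object"`, so any secret passed through them is kept as a plain parameter value in the deployment record, readable by anyone who can read the resource group's deployments; declare them as `"type": "securestring"` and `"type": "secureObject"`. In the cluster resource, `"enableRBAC": "[parameters('aadProfileEnableAzureRBAC')]"` ties Kubernetes RBAC to the Azure RBAC switch, so turning Azure RBAC off would also turn cluster RBAC off; a fixed `"enableRBAC": true` (or a separate parameter) keeps the two apart. The `providers/locks` child is listed in a `resources` array that sits inside the cluster's `properties` object rather than beside it, so `lockForDeletion` probably never produces a lock; move the array up one level. Two descriptions are copy-paste leftovers: `diagnosticSettingName` describes a storage account and `lockForDeletion` mentions Key Vault.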
@@ -0,0 +1,135 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "aksClusterName": {
+ "value": "testcluster2431"
+ },
+ "primaryAgentPoolProfile": {
+ "value": [
+ {
+ "name": "agentpool",
+ "osDiskSizeGB": 0,
+ "count": 1,
+ "enableAutoScaling": true,
+ "minCount": 1,
+ "maxCount": 3,
+ "vmSize": "Standard_DS2_v2",
+ "osType": "Linux",
+ "storageProfile": "ManagedDisks",
+ "type": "VirtualMachineScaleSets",
+ "mode": "System",
+ "maxPods": 110,
+ "availabilityZones": [
+ "1",
+ "2",
+ "3"
+ ]
+ }
+ ]
+ }
+ // "aksClusterEnablePrivateCluster": {
+ // "value": true
+ // }
+ // "aksClusterNetworkPlugin": {
+ // "value": "azure"
+ // },
+ // "aksClusterNetworkPolicy": {
+ // "value": "azure"
+ // },
+ // "aksClusterPodCidr": {
+ // "value": "10.244.0.0/16"
+ // },
+ // "aksClusterServiceCidr": {
+ // "value": "10.2.0.0/16"
+ // },
+ // "aksClusterDnsServiceIP": {
+ // "value": "10.2.0.10"
+ // },
+ // "aksClusterDockerBridgeCidr": {
+ // "value": "172.17.0.1/16"
+ // },
+ // "aksClusterOutboundType": {
+ // "value": "loadBalancer"
+ // },
+ // "aksClusterKubernetesVersion": {
+ // "value": "1.20.5"
+ // },
+ // "identity": {
+ // "value": {
+ // "type": "SystemAssigned"
+ // }
+ // },
+ // "aadProfileManaged": {
+ // "value": true
+ // },
+ // "aadProfileEnableAzureRBAC": {
+ // "value": true
+ // },
+ // "aadProfileAdminGroupObjectIDs": {
+ // "value": []
+ // },
+ // "additionalAgentPools": {
+ // "value": [
+ // {
+ // "name": "userpool1",
+ // "properties": {
+ // "vmSize": "Standard_DS2_v2",
+ // "osDiskSizeGB": 128,
+ // "count": 2,
+ // "osType": "Linux",
+ // "maxCount": 5,
+ // "minCount": 1,
+ // "enableAutoScaling": true,
+ // "scaleSetPriority": "Regular",
+ // "scaleSetEvictionPolicy": "Delete",
+ // "nodeLabels": {},
+ // "nodeTaints": [
+ // "CriticalAddonsOnly=true:NoSchedule"
+ // ],
+ // "type": "VirtualMachineScaleSets",
+ //
"availabilityZones": [
+ // "1",
+ // "2",
+ // "3"
+ // ],
+ // "minPods": 2,
+ // "maxPods": 12,
+ // "storageProfile": "ManagedDisks",
+ // "mode": "User",
+ // "vnetSubnetID": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-005/subnets/sxx-az-subnet-weu-x-002"
+ // }
+ // },
+ // {
+ // "name": "userpool2",
+ // "properties": {
+ // "vmSize": "Standard_DS2_v2",
+ // "osDiskSizeGB": 128,
+ // "count": 2,
+ // "osType": "Linux",
+ // "maxCount": 5,
+ // "minCount": 1,
+ // "enableAutoScaling": true,
+ // "scaleSetPriority": "Regular",
+ // "scaleSetEvictionPolicy": "Delete",
+ // "nodeLabels": {},
+ // "nodeTaints": [
+ // "CriticalAddonsOnly=true:NoSchedule"
+ // ],
+ // "type": "VirtualMachineScaleSets",
+ // "availabilityZones": [
+ // "1",
+ // "2",
+ // "3"
+ // ],
+ // "minPods": 2,
+ // "maxPods": 12,
+ // "storageProfile": "ManagedDisks",
+ // "mode": "User",
+ // "vnetSubnetID": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-005/subnets/sxx-az-subnet-weu-x-003"
+ // }
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ContainerService/managedClusters/readme.md b/arm/Microsoft.ContainerService/managedClusters/readme.md
new file mode 100644
index 0000000000..79f2d4af90
--- /dev/null
+++ b/arm/Microsoft.ContainerService/managedClusters/readme.md
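Review bot: Both commented-out `vnetSubnetID` values in the `additionalAgentPools` sample carry a concrete subscription GUID together with real-looking resource group, VNet and subnet names, so environment identifiers ship with a shared module. The module's readme already uses `/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myRg/...` for the same field, and this file should use the same placeholder. The commented section is also not valid once enabled: there is no comma after the `primaryAgentPoolProfile` entry and none after the commented `aksClusterEnablePrivateCluster` entry (`// }` should be `// },`). Since the private-cluster and network-policy settings live only in that section, fixing the commas makes them usable by uncommenting alone.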
@@ -0,0 +1,240 @@ +# AzureKubernetesService + +This module deploys Azure Kubernetes Cluster (AKS). + + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.ContainerService/managedClusters/agentPools` | 2021-05-01 | +| `Microsoft.ContainerService/managedClusters/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.ContainerService/managedClusters/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.ContainerService/managedClusters` | 2021-05-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | + + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `aksClusterName` | string | | | Required. Specifies the name of the AKS cluster. | +| `location` | string | [resourceGroup().location] | | Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default. | +| `aksClusterDnsPrefix` | string | [parameters('aksClusterName')] | | Optional. Specifies the DNS prefix specified when creating the managed cluster. | +| `identity` | object | { "type": "SystemAssigned" } | | Optional. The identity of the managed cluster. | +| `aksClusterNetworkPlugin` | string | "" | "", azure, kubenet | Optional. Specifies the network plugin used for building Kubernetes network. - azure or kubenet. | +| `aksClusterNetworkPolicy` | string | "" | "", azure, calico | Optional. Specifies the network policy used for building Kubernetes network. - calico or azure | +| `aksClusterPodCidr` | string | "" | | Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. | +| `aksClusterServiceCidr` | string | "" | | Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | +| `aksClusterDnsServiceIP` | string | "" | | Optional. Specifies the IP address assigned to the Kubernetes DNS service. 
It must be within the Kubernetes service address range specified in serviceCidr. | +| `aksClusterDockerBridgeCidr` | string | "" | | Optional. Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | +| `aksClusterLoadBalancerSku` | string | standard | basic, standard | Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | +| `managedOutboundIPCount` | int | 0 | | Optional. Outbound IP Count for the Load balancer. | +| `aksClusterOutboundType` | string | loadBalancer | loadBalancer, userDefinedRouting | Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. | +| `aksClusterSkuTier` | string | Free | Free, Paid | Optional. Tier of a managed cluster SKU. - Free or Paid | +| `aksClusterKubernetesVersion` | string | "" | | Optional. Version of Kubernetes specified when creating the managed cluster. | +| `aksClusterAdminUsername` | string | azureuser | | Optional. Specifies the administrator username of Linux virtual machines. | +| `aksClusterSshPublicKey` | string | | | Optional. Specifies the SSH RSA public key string for the Linux nodes. | +| `aksServicePrincipalProfile` | object | {} | | Optional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. | +| `aadProfileClientAppID` | string | "" | | Optional. The client AAD application ID. | +| `aadProfileServerAppID` | string | "" | | Optional. The server AAD application ID. | +| `aadProfileServerAppSecret` | string | "" | | Optional. The server AAD application secret. | +| `aadProfileTenantId` | string | [subscription().tenantId] | | Optional. Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication. | +| `aadProfileAdminGroupObjectIDs` | array | System.Object[] | | Optional. 
Specifies the AAD group object IDs that will have admin role of the cluster. | +| `aadProfileManaged` | bool | True | | Optional. Specifies whether to enable managed AAD integration. | +| `aadProfileEnableAzureRBAC` | bool | True | | Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization. | +| `nodeResourceGroup` | string | concat(resourceGroup().name, '_aks_nodes') | | Optional. Name of the resource group containing agent pool nodes. | +| `aksClusterEnablePrivateCluster` | bool | False | | Optional. Specifies whether to create the cluster as a private cluster or not. | +| `primaryAgentPoolProfile` | array | | | Required. Properties of the primary agent pool. | +| `additionalAgentPools` | array | System.Object[] | | Optional. Define one or multiple node pools. | +| `httpApplicationRoutingEnabled` | bool | False | | Optional. Specifies whether the httpApplicationRouting add-on is enabled or not. | +| `aciConnectorLinuxEnabled` | bool | False | | Optional. Specifies whether the aciConnectorLinux add-on is enabled or not. | +| `azurePolicyEnabled` | bool | True | | Optional. Specifies whether the azurepolicy add-on is enabled or not. | +| `azurePolicyVersion` | string | v2 | | Optional. Specifies the azure policy version to use. | +| `kubeDashboardEnabled` | bool | False | | Optional. Specifies whether the kubeDashboard add-on is enabled or not. | +| `autoScalerProfileScanInterval` | string | 10s | | Optional. Specifies the scan interval of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterAdd` | string | 10m | | Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterDelete` | string | 20s | | Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterFailure` | string | 3m | | Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster. 
| +| `autoScalerProfileScaleDownUnneededTime` | string | 10m | | Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownUnreadyTime` | string | 20m | | Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster. | +| `autoScalerProfileUtilizationThreshold` | string | 0.5 | | Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster. | +| `autoScalerProfileMaxGracefulTerminationSec` | string | 600 | | Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. | +| `diagnosticSettingName` | string | service | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. | +| `omsAgentEnabled` | bool | True | | Optional. Specifies whether the OMS agent is enabled. | +| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `diagnosticLogsRetentionInDays` | int | 365 | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `lockForDeletion` | bool | False | | Optional. Switch to lock Key Vault from deletion. | +| `tags` | object | {} | | Optional. Tags of the resource. | + + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + + +### Parameter Usage: `identity` + +See also https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteridentity-object + +```json +"identity": { + "value": { + "type": "string", + "userAssignedIdentities": {} + } +} +``` + + +### Parameter Usage: `aksServicePrincipalProfile` + +See also https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterserviceprincipalprofile-object + +```json +"aksServicePrincipalProfile": { + "value": { + "clientId": "string", + "secret": "string" + } +} +``` + + +### Parameter Usage: `primaryAgentPoolProfile` + +Provide values for primary agent pool as needed. 
+For available properties check https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteragentpoolprofile-object + +```json +"primaryAgentPoolProfile": { + "value": [ + { + "name": "poolname", + "vmSize": "Standard_DS3_v2", + "osDiskSizeGB": 128, + "count": 2, + "osType": "Linux", + "maxCount": 5, + "minCount": 1, + "enableAutoScaling": true, + "scaleSetPriority": "Regular", + "scaleSetEvictionPolicy": "Delete", + "nodeLabels": {}, + "nodeTaints": [ + "CriticalAddonsOnly=true:NoSchedule" + ], + "type": "VirtualMachineScaleSets", + "availabilityZones": [ + "1", + "2", + "3" + ], + "maxPods": 30, + "storageProfile": "ManagedDisks", + "mode": "System", + "vnetSubnetID": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet", + "tags": { + "Owner": "abc.def@contoso.com", + "BusinessUnit": "IaCs", + "Environment": "PROD", + "Region": "USEast" + } + } + ] +} +``` + + +### Parameter Usage: `additionalAgentPools` + +For available properties check https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters/agentpools?tabs=json#managedclusteragentpoolprofileproperties-object + +```json +"additionalAgentPools": { + "value": [ + { + "name": "pool1", + "properties": { + "vmSize": "Standard_DS3_v2", + "osDiskSizeGB": 128, + "count": 2, + "osType": "Linux", + "maxCount": 5, + "minCount": 1, + "enableAutoScaling": true, + "scaleSetPriority": "Regular", + "scaleSetEvictionPolicy": "Delete", + "nodeLabels": {}, + "nodeTaints": [ + "CriticalAddonsOnly=true:NoSchedule" + ], + "type": "VirtualMachineScaleSets", + "availabilityZones": [ + "1", + "2", + "3" + ], + "maxPods": 30, + "storageProfile": "ManagedDisks", + "mode": "System", + "vnetSubnetID": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet", + "tags": { + 
"Owner": "abc.def@contoso.com",
+ "BusinessUnit": "IaCs",
+ "Environment": "PROD",
+ "Region": "USEast"
+ }
+ }
+ },
+ {
+ "name": "pool2",
+ "properties": {
+ "..."
+ }
+ }
+ ]
+ }
+```
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `azureKubernetesServiceName` | string | The Name of the Azure Kubernetes Service. |
+| `azureKubernetesServiceResourceGroup` | string | The name of the Resource Group the Azure Kubernetes Service was created in. |
+| `azureKubernetesServiceResourceId` | string | The Resource Id of the Azure Kubernetes Service. |
+| `controlPlaneFQDN` | string | The FQDN of the Azure Kubernetes Service. |
+
+
+## Considerations
+
+- *None*
+
+
+## Additional resources
+
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/)
+- [ManagedClusters](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2020-11-01/managedClusters)
+- [ManagedClusters/providers/diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2017-05-01-preview/managedClusters/providers/diagnosticsettings)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
\ No newline at end of file
diff --git a/arm/Microsoft.DataFactory/factories/deploy.json b/arm/Microsoft.DataFactory/factories/deploy.json
new file mode 100644
index 0000000000..de25c748bc
--- /dev/null
+++ b/arm/Microsoft.DataFactory/factories/deploy.json
@@ -0,0 +1,569 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dataFactoryName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Azure Factory to create" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "publicNetworkAccess": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable or disable public network access." + } + }, + "gitConfigureLater": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Boolean to define whether or not to configure git during template deployment." + } + }, + "gitRepoType": { + "type": "string", + "defaultValue": "FactoryVSTSConfiguration", + "metadata": { + "description": "Optional. Repo type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'." + } + }, + "gitAccountName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The account name." + } + }, + "gitProjectName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The project name. Only relevant for 'FactoryVSTSConfiguration'." + } + }, + "gitRepositoryName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The repository name." + } + }, + "gitCollaborationBranch": { + "type": "string", + "defaultValue": "main", + "metadata": { + "description": "Optional. The collaboration branch name. Default is 'main'." + } + }, + "gitRootFolder": { + "type": "string", + "defaultValue": "/", + "metadata": { + "description": "Optional. The root folder path name. Default is '/'." + } + }, + "vNetEnabled": { + "defaultValue": false, + "type": "bool", + "metadata": { + "description": "Optional. 
Enable or disable managed virtual networks and related to that AutoResolveIntegrationRuntime." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock resource from deletion." + } + }, + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category." + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "version": "V2", + "builtInRoleNames": { + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "masterreader": "/providers/Microsoft.Authorization/roleDefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": 
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "ActivityRuns", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "PipelineRuns", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "TriggerRuns", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISPackageEventMessages", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISPackageEventMessageContext", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": true, + "retentionPolicy": { + "enabled": true, 
+ "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + // CUA ID + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Data Factory + { + "condition": "[equals(variables('version'), 'V2')]", + "type": "Microsoft.DataFactory/factories", + "apiVersion": "2018-06-01", + "name": "[parameters('dataFactoryName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" //Currently the only available option + }, + "properties": { + "repoConfiguration": "[if(bool(parameters('gitConfigureLater')), json('null'), json(concat('{\"type\": \"', parameters('gitRepoType'), '\",','\"accountName\": \"', parameters('gitAccountName'), '\",','\"repositoryName\": \"', parameters('gitRepositoryName'), '\",', if(equals(parameters('gitRepoType'), 'FactoryVSTSConfiguration'), concat('\"projectName\": \"', parameters('gitProjectName'), '\",'), ''),'\"collaborationBranch\": \"', parameters('gitCollaborationBranch'), '\",','\"rootFolder\": \"', parameters('gitRootFolder'), '\"}')))]", + "publicNetworkAccess": "[if(bool(parameters('publicNetworkAccess')), 'Enabled', 'Disabled')]" + }, + "resources": [ + // Managed Virtual Network + { + "condition": "[and(equals(variables('version'), 'V2'), parameters('vNetEnabled'))]", + "name": "[concat(parameters('dataFactoryName'), '/default')]", + "type": "Microsoft.DataFactory/factories/managedVirtualNetworks", + "apiVersion": 
"2018-06-01", + "properties": {}, + "dependsOn": [ + "[concat('Microsoft.DataFactory/factories/', parameters('dataFactoryName'))]" + ] + }, + { + "condition": "[and(equals(variables('version'), 'V2'), parameters('vNetEnabled'))]", + "name": "[concat(parameters('dataFactoryName'), '/AutoResolveIntegrationRuntime')]", + "type": "Microsoft.DataFactory/factories/integrationRuntimes", + "apiVersion": "2018-06-01", + "properties": { + "type": "Managed", + "managedVirtualNetwork": { + "referenceName": "default", + "type": "ManagedVirtualNetworkReference" + }, + "typeProperties": { + "computeProperties": { + "location": "AutoResolve" + } + } + }, + "dependsOn": [ + "[concat('Microsoft.DataFactory/factories/', parameters('dataFactoryName'))]", + "[concat('Microsoft.DataFactory/factories/', parameters('dataFactoryName'), '/managedVirtualNetworks/default')]" + ] + }, + // Lock + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/dataFactoryDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.DataFactory/factories/', parameters('dataFactoryName'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + }, + // Diagnostic Settings + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('dataFactoryName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.DataFactory/factories/', parameters('dataFactoryName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": 
"[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-DataFactory-Rbac-', copyIndex())]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('dataFactoryName')]" + ], + "copy": { + "name": "dataFactoryRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "dataFactoryName": { + "value": "[parameters('dataFactoryName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "dataFactoryName": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.DataFactory/factories/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('dataFactoryName'), '/Microsoft.Authorization/', guid(parameters('dataFactoryName'), array(parameters('roleAssignment').principalIds)[copyIndex('dataFactoryInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "dataFactoryInnerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-DataFactory-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[parameters('dataFactoryName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.DataFactory/factories/', parameters('dataFactoryName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + 
"subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "dataFactoryName": { + "type": "string", + "value": "[parameters('dataFactoryName')]", + "metadata": { + "description": "The Name of the Azure Data Factory instance" + } + }, + "dataFactoryResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.DataFactory/factories',parameters('dataFactoryName'))]", + "metadata": { + "description": "The Resource Id of the Data factory" + } + }, + "dataFactoryResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Data factory" + } + } + } +} diff --git a/arm/Microsoft.DataFactory/factories/parameters/parameters.json b/arm/Microsoft.DataFactory/factories/parameters/parameters.json new file mode 100644 index 0000000000..affd53c573 --- /dev/null +++ b/arm/Microsoft.DataFactory/factories/parameters/parameters.json 
@@ -0,0 +1,72 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dataFactoryName": { + "value": "sxxazdfweux044" + }, + "publicNetworkAccess": { + "value": true + }, + "gitConfigureLater": { + "value": true + } + // "gitRepoType": { + // "value": "FactoryVSTSConfiguration" + // }, + // "gitAccountName": { + // "value": "xxx" + // }, + // "gitProjectName": { + // "value": "xxx" + // }, + // "gitRepositoryName": { + // "value": "xxx" + // }, + // "gitCollaborationBranch": { + // "value": "main" + // }, + // "gitRootFolder": { + // "value": "/" + // }, + // "vNetEnabled": { + // "value": true + // }, + // "roleAssignments": { + // "value": [ + // { + // "roleDefinitionIdOrName": "Contributor", + // "principalIds": [ + // "xxx-xxx-xxx-xxx-xxx" + // ] + // } + // ] + // }, + // "privateEndpoints": { + // "value": [ + // { + // "name": "sxx-az-sa-cac-y-123-pe", + // "subnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.Network/virtualNetworks/str-test-vnet/subnets/default", + // "service": "dataFactory", + // "privateDnsZoneResourceIds": [ + // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.datafactory.azure.net" + // ] + // }, + // { + // "name": "sxx-az-sa-cac-y-124-pe", + // "subnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.Network/virtualNetworks/str-test-vnet/subnets/default", + // "service": "portal", + // "privateDnsZoneResourceIds": [ + // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.azure.com" + // ] + // } + // ] + // } + // "diagnosticLogsRetentionInDays": { + // "value": 1 + // }, + // "diagnosticStorageAccountId": { + // "value": 
"/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003" + // } + } +} \ No newline at end of file diff --git a/arm/Microsoft.DataFactory/factories/readme.md b/arm/Microsoft.DataFactory/factories/readme.md new file mode 100644 index 0000000000..4218bb785f --- /dev/null +++ b/arm/Microsoft.DataFactory/factories/readme.md 
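Review bot: The sample sets `publicNetworkAccess` to `true` while the `privateEndpoints` and diagnostic parameters are all commented out. A deployment that starts from this file therefore gets a publicly reachable factory and, as far as the visible template expressions show, no diagnostic destination. If the file is meant as a starting point rather than a validation fixture, I would use `"publicNetworkAccess": { "value": false }` and keep the private endpoint sample active, or add a comment saying the value is for pipeline validation only. Separately, the commented block has no comma between the closing `// }` of `privateEndpoints` and `// "diagnosticLogsRetentionInDays"`, and none after the `gitConfigureLater` entry, so uncommenting it as written gives invalid JSON.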
@@ -0,0 +1,162 @@ +# DataFactory + +## Resource types + +| Resource Type | Api Version | +|:--|:--| +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.DataFactory/factories` | 2018-06-01 | +| `Microsoft.DataFactory/factories/managedVirtualNetworks` | 2018-06-01 | +| `Microsoft.DataFactory/factories/integrationRuntimes` | 2018-06-01 | +| `Microsoft.DataFactory/factories/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.DataFactory/factories/providers/roleAssignments` | 2020-04-01-preview | +| `providers/locks` | 2016-09-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | + + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +Only V2 is currently supported, not V1. + +If you enable git Repository the repository including branch has to exist beforehand. + + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `dataFactoryName` | string | Required. The name of the Azure Factory to create | | | +| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | +| `publicNetworkAccess` | bool | Optional. Enable or disable public network access. | true | | +| `gitConfigureLater` | bool | Optional. Boolean to define whether or not to configure git during template deployment. | true | | +| `gitRepoType` | string |Optional. Repo type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. | FactoryVSTSConfiguration | | +| `gitAccountName` | string | Optional. The account name. | "" | | +| `gitProjectName` | string | Optional. The project name. Only relevant for 'FactoryVSTSConfiguration'. | "" | | +| `gitRepositoryName` | string | Optional. The repository name. | "" | | +| `gitCollaborationBranch` | string | Optional. The collaboration branch name. 
Default is 'main'. | main | | +| `gitRootFolder` | string | Optional. The root folder path name. Default is '/'. | / | | +| `vNetEnabled` | bool | Optional. Enable or disable managed virtual networks and related to that AutoResolveIntegrationRuntime. | false | | +| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | +| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | false | | +| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | service | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `tags` | object | Optional. Tags of the resource. | {} | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | | | + + + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + ] +} +``` + + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +- Azure Data Factory supports two different private endpoints + - `portal`: `privatelink.azure.com` + - `dataFactory`: `privatelink.datafactory.azure.net` + +- You can still access the Azure Data Factory portal through a public network after you create private endpoint for portal. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "dataFactory", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.datafactory.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "portal" + } + ] +} +``` + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `dataFactoryName` | string | The Name of the Azure Data Factory instance | +| `dataFactoryResourceGroup` | string | The name of the Resource Group with the Data factory | +| `dataFactoryResourceId` | string | The Resource Id of the Data factory | + +### References + +### Template references + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Data Factory]https://docs.microsoft.com/en-us/azure/templates/microsoft.datafactory/2018-06-01/factories) + +## Considerations + +## Additional resources + +- [Data Factory Resources](https://docs.microsoft.com/en-us/azure/templates/microsoft.datafactory/allversions) +- [Documentation](https://docs.microsoft.com/en-us/azure/data-factory/) \ No newline at end 
of file diff --git a/arm/Microsoft.Databricks/workspaces/deploy.json b/arm/Microsoft.Databricks/workspaces/deploy.json new file mode 100644 index 0000000000..e12c4f94f4 --- /dev/null +++ b/arm/Microsoft.Databricks/workspaces/deploy.json 
@@ -0,0 +1,377 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Azure Databricks workspace to create" + } + }, + "managedResourceGroupId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The managed resource group Id" + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "trial", + "standard", + "premium" + ], + "defaultValue": "premium", + "metadata": { + "description": "Optional. The pricing tier of workspace" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "workspaceParameters": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The workspace's custom parameters." + } + }, + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." 
+ } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [], + "diagnosticsLogs": [ + { + "category": "dbfs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "clusters", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "accounts", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "jobs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "notebook", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ssh", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "workspace", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "secrets", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "sqlPermissions", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "instancePools", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "managedResourceGroupName": "[concat(parameters('workspaceName'),'-','rg')]", + "managedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', variables('managedResourceGroupName'))]", + "builtInRoleNames": { + "Azure Service Deploy Release Management Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/21d96096-b162-414a-8302-d8354f9d91b2", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "masterreader": "/providers/Microsoft.Authorization/roleDefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + 
"template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Databricks Workspace + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2018-04-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "ManagedResourceGroupId": "[if(empty(parameters('managedResourceGroupId')), variables('managedResourceGroupId'), parameters('managedResourceGroupId'))]", + "parameters": "[parameters('workspaceParameters')]" + }, + "resources": [ + // Lock + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/databrickDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Databricks/workspaces/', parameters('workspaceName'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + }, + // Diagnostic settings + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Databricks/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), 
parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Databricks-Workspace-Rbac-', copyIndex())]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('workspaceName')]" + ], + "copy": { + "name": "databricksRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "databricksWorkspaceName": { + "value": "[parameters('workspaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "databricksWorkspaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('databricksWorkspaceName'), '/Microsoft.Authorization/', 
guid(parameters('databricksWorkspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('databricksInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "databricksInnerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "databrickName": { + "type": "string", + "value": "[parameters('workspaceName')]", + "metadata": { + "description": "The Name of the Azure Databricks" + } + }, + "databrickResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Databricks/workspaces',parameters('workspaceName'))]", + "metadata": { + "description": "The Resource Id of the Azure Databricks" + } + }, + "databrickResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Azure Databricks" + } + } + } +} diff --git a/arm/Microsoft.Databricks/workspaces/parameters/parameters.json b/arm/Microsoft.Databricks/workspaces/parameters/parameters.json new file mode 100644 index 0000000000..6302d7d245 --- /dev/null +++ b/arm/Microsoft.Databricks/workspaces/parameters/parameters.json 
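Review bot: The `condition` on the `diagnosticsettings` child resource is true when only `eventHubName` is supplied, but then `storageAccountId`, `workspaceId` and `eventHubAuthorizationRuleId` all evaluate to null, and a diagnostic setting with no destination is expected to be rejected at deployment. `eventHubName` is not a destination on its own, so I would drop it from the test: `"condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))))]"`. The same four-parameter test is used in the `metrics` and `logs` expressions of this resource and of the DataFactory template earlier in the patch. The `lockForDeletion` description also says "Switch to lock Key Vault from deletion" and should name the Databricks workspace.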
@@ -0,0 +1,53 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "value": "sxx-az-adb-weu-x-001" + } + // "pricingTier": { + // "value": "premium" + // }, + // "location": { + // "value": "westeurope" + // }, + // "roleAssignments": { + // "value": [ + // { + // "roleDefinitionIdOrName": "Contributor", + // "principalIds": [ + // "3f57dd49-0e2b-4723-a5a5-8ffde4e2cb02" + // ] + // } + // ] + // }, + // "workspaceParameters": { + // "value": { + // "amlWorkspaceId": { + // "value": "/subscriptions/5f16aec9-df80-46b4-9a12-9fa0d301b578/resourceGroups/adls-databricks/providers/Microsoft.MachineLearningServices/workspaces/test-mlr-workspace" + // }, + // "customVirtualNetworkId": { + // "value": "/subscriptions/5f16aec9-df80-46b4-9a12-9fa0d301b578/resourceGroups/adls-databricks/providers/Microsoft.Network/virtualNetworks/test-vnet" + // }, + // "customPublicSubnetName": { + // "value": "dbs-public" + // }, + // "customPrivateSubnetName": { + // "value": "dbs-private" + // }, + // "enableNoPublicIp": { + // "value": true + // } + // } + // }, + // "diagnosticsSettingsName": { + // "value": "TestSetting" + // }, + // "diagnosticLogsRetentionInDays": { + // "value": 7 + // }, + // "workspaceId": { + // "value": "/subscriptions/5f16aec9-df80-46b4-9a12-9fa0d301b578/resourcegroups/adls-databricks/providers/microsoft.operationalinsights/workspaces/test-log-analytics-workspace-xx" + // } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Databricks/workspaces/readme.md b/arm/Microsoft.Databricks/workspaces/readme.md new file mode 100644 index 0000000000..7e3b89aaa1 --- /dev/null +++ b/arm/Microsoft.Databricks/workspaces/readme.md 
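Review bot: The commented sample values carry what look like a real subscription ID and a real principal object ID, where the DataFactory parameters file in this patch uses `xxx-xxx-xxx-xxx-xxx`. Committed identifiers like these disclose details of an actual environment and tend to be copied unchanged into other deployments, so I would replace them with the same placeholder, e.g. `"/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/..."` and `"xxx-xxx-xxx-xxx-xxx"` under `principalIds`. The sample key `diagnosticsSettingsName` also does not match the template parameter `diagnosticSettingName`, so enabling it would fail parameter validation. The `workspaceName` entry needs a trailing comma before any line below it is uncommented.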
@@ -0,0 +1,136 @@
+# Azure Databricks
+
+## Resource types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2020-06-01|
+|`Microsoft.Databricks/workspaces`|2018-04-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Databricks/workspaces/providers/diagnosticsettings`|2017-05-01-preview|
+|`Microsoft.Databricks/workspaces/providers/roleAssignments`|2020-04-01-preview|
+
+
+### Resource dependency
+
+The following resources are required to be able to deploy this resource.
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | |
+| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | |
+| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | |
+| `managedResourceGroupId` | string | Optional. The managed resource group Id | | |
+| `pricingTier` | string | Optional. The pricing tier of workspace | premium | System.Object[] |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+| `workspaceName` | string | Required. The name of the Azure Databricks workspace to create. | | |
+| `workspaceParameters` | string | Optional. The workspace's custom parameters. | | |
+
+
+
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Contributor",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ ]
+}
+```
+
+### Parameter Usage: `customPublicSubnetName` and `customPrivateSubnetName`
+
+- Require Network Security Groups attached to the subnets
+ - The rule don't have to be set, they are set through the deployment
+
+- The two subnets also need the delegation to service `Microsoft.Databricks/workspaces`
+
+
+### Parameter Usage: `workspaceParameters`
+
+- Include only those elements (e.g. amlWorkspaceId) as object if specified, otherwise remove it
+
+```json
+"workspaceParameters": {
+ "value": {
+ "amlWorkspaceId": {
+ "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx"
+ },
+ "customVirtualNetworkId": {
+ "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx"
+ },
+ "customPublicSubnetName": {
+ "value": "xxx"
+ },
+ "customPrivateSubnetName": {
+ "value": "xxx"
+ },
+ "enableNoPublicIp": {
+ "value": true
+ }
+ }
+ }
+```
+
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `databrickName` | string | The Name of the Azure Databricks |
+| `databrickResourceGroup` | string | The name of the Resource Group with the Azure Databricks |
+| `databrickResourceId` | string | The Resource Id of the Azure Databricks |
+
+### References
+
+### Template references
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2018-04-01/workspaces)
+
+## Considerations
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2018-04-01/workspaces)
\ No newline at end of file
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/deploy.json
new file mode 100644
index 0000000000..95904f735e
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/deploy.json
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "applications": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. List of applications to be created in the Application Group."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "appGroupName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the Application Group to create the application(s) in."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.DesktopVirtualization/applicationGroups/applications",
+ "apiVersion": "2019-12-10-preview",
+ "copy": {
+ "name": "appCopy",
+ "count": "[length(parameters('applications'))]"
+ },
+ "name": "[concat(parameters('appGroupName'), '/', parameters('applications')[copyIndex()].name)]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "description": "[parameters('applications')[copyIndex()].description]",
+ "friendlyName": "[parameters('applications')[copyIndex()].friendlyName]",
+ "filePath": "[parameters('applications')[copyIndex()].filePath]",
+ "commandLineSetting": "[parameters('applications')[copyIndex()].commandLineSetting]",
+ "commandLineArguments": "[parameters('applications')[copyIndex()].commandLineArguments]",
+ "showInPortal": "[parameters('applications')[copyIndex()].showInPortal]",
+ "iconPath": "[parameters('applications')[copyIndex()].iconPath]",
+ "iconIndex": "[parameters('applications')[copyIndex()].iconIndex]"
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "applicationResourceIds": {
+ "type": "array",
+ "metadata": {
+ "description": "The list of the application resourceIds deployed."
+ },
+ "copy": {
+ "count": "[length(parameters('applications'))]",
+ "input": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups/applications', parameters('appGroupName'), parameters('applications')[copyIndex()].name)]"
+ }
+ },
+ "applicationResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the WVD Applications were created in."
+ }
+ },
+ "appGroupName": {
+ "type": "string",
+ "value": "[parameters('appGroupName')]",
+ "metadata": {
+ "description": "The Name of the Application Group to register the Application(s) in."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/parameters/parameters.json
new file mode 100644
index 0000000000..710525131b
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/parameters/parameters.json
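Review bot: The `applications` parameter is an untyped `array`, and the `applicationGroups/applications` resource dereferences eight properties of each element directly (`filePath`, `commandLineSetting`, `commandLineArguments`, …), so nothing in the template documents or constrains what gets published. An element that omits one of those properties should only fail when the expression is evaluated, and `commandLineSetting` — the field that decides whether a command line may be passed to the published executable — is accepted as whatever the caller supplies. I would spell the contract out in the parameter metadata, e.g. `"description": "Required. List of applications to be created in the Application Group. Each item needs name, description, friendlyName, filePath, commandLineSetting (keep DoNotAllow unless arguments are required), commandLineArguments, showInPortal, iconPath and iconIndex."`. The module readme in this commit also lists `Microsoft.Resources/deployments` at 2018-02-01 while this template uses 2020-06-01, which is worth aligning.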
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "applications": {
+ "value": [
+ {
+ "name": "notepad",
+ "description": "Notepad by ARM template",
+ "friendlyName": "Notepad",
+ "filePath": "C:\\Windows\\System32\\notepad.exe",
+ "commandLineSetting": "DoNotAllow",
+ "commandLineArguments": "",
+ "showInPortal": true,
+ "iconPath": "C:\\Windows\\System32\\notepad.exe",
+ "iconIndex": 0
+ },
+ {
+ "name": "wordpad",
+ "description": "WordPad by ARM template 2",
+ "friendlyName": "WordPad",
+ "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe",
+ "commandLineSetting": "DoNotAllow",
+ "commandLineArguments": "",
+ "showInPortal": true,
+ "iconPath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe",
+ "iconIndex": 0
+ }
+ ]
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "appGroupName": {
+ "value": "sxx-az-wvdag-weu-x-001"
+ }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/readme.md b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/readme.md
new file mode 100644
index 0000000000..67c05453dc
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupApplications/readme.md
@@ -0,0 +1,70 @@
+# WVD Applications
+
+This module deploys WVD Applications.
+
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.DesktopVirtualization/applicationGroups/applications`|2019-12-10-preview|
+
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `appGroupName` | string | Required. Name of the Application Group to create the application(s) in. | | |
+| `applications` | array | Required. List of applications to be created in the Application Group. | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+
+### Parameter Usage: `applications`
+
+```json
+"applications": {
+ "value": [
+ {
+ "name": "notepad",
+ "description": "Notepad by ARM template",
+ "friendlyName": "Notepad",
+ "filePath": "C:\\Windows\\System32\\notepad.exe",
+ "commandLineSetting": "DoNotAllow",
+ "commandLineArguments": "",
+ "showInPortal": true,
+ "iconPath": "C:\\Windows\\System32\\notepad.exe",
+ "iconIndex": 0
+ },
+ {
+ "name": "wordpad",
+ "description": "WordPad by ARM template 2",
+ "friendlyName": "WordPad",
+ "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe",
+ "commandLineSetting": "DoNotAllow",
+ "commandLineArguments": "",
+ "showInPortal": true,
+ "iconPath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe",
+ "iconIndex": 0
+ }
+ ]
+}
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `appGroupName` | string | The Name of the Application Group to register the Application(s) in. |
+| `applicationResourceGroup` | string | The name of the Resource Group the WVD Applications were created in. |
+| `applicationResourceIds` | array | The list of the application resourceIds deployed. |
+
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
+- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup)
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json
new file mode 100644
index 0000000000..af580c37b7
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json
@@ -0,0 +1,472 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "appGroupName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Application Group to create this application in." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "appGroupType": { + "allowedValues": [ + "RemoteApp", + "Desktop" + ], + "type": "string", + "metadata": { + "description": "Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop" + } + }, + "hostpoolName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Host Pool to be linked to this Application Group." + } + }, + "appGroupFriendlyName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The friendly name of the Application Group to be created." + } + }, + "appGroupDescription": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The description of the Application Group to be created." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [ + ], + "diagnosticsLogs": [ + { + "category": "Checkpoint", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Error", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Management", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster 
Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", 
+ "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data 
Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application 
Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": 
"/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.DesktopVirtualization/applicationgroups", + "apiVersion": "2020-11-02-preview", + "name": "[parameters('appGroupName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "hostpoolarmpath": "[resourceId('Microsoft.DesktopVirtualization/hostpools/', parameters('hostpoolName'))]", + "friendlyName": "[parameters('appGroupFriendlyName')]", + "description": "[parameters('appGroupDescription')]", + "applicationGroupType": "[parameters('appGroupType')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/hostPoolDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.DesktopVirtualization/applicationgroups/', parameters('appGroupName'))]" + ], + "comments": "Resource lock on the WVD Workspace", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.DesktopVirtualization/applicationgroups/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('appGroupName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": 
"[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.DesktopVirtualization/applicationgroups/', parameters('appGroupName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('appGroupName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "appGroupName": { + "value": 
"[parameters('appGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "appGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('appGroupName'), '/Microsoft.Authorization/', guid(parameters('appGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "appGroupResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('appGroupName'))]", + "metadata": { + "description": "The Resource ID of the Application Group deployed." + } + }, + "appGroupResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the WVD Application Group was created in." + } + }, + "appGroupName": { + "type": "string", + "value": "[parameters('appGroupName')]", + "metadata": { + "description": "The Name of the Application Group." + } + } + } +} 
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/applicationgroups/parameters/parameters.json
new file mode 100644
index 0000000000..f9186d2067
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/parameters/parameters.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appGroupName": {
+ "value": "sxx-az-wvdag-weu-x-001"
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "appGroupType": {
+ "value": "RemoteApp"
+ },
+ "hostpoolName": {
+ "value": "sxx-az-wvdhp-weu-x-001"
+ },
+ "appGroupFriendlyName": {
+ "value": "Remote Applications 1"
+ },
+ "appGroupDescription": {
+ "value": "This is my first Remote Applications bundle"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md
new file mode 100644
index 0000000000..710b00359e
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md
@@ -0,0 +1,97 @@ +# WVD Application Groups + +This module deploys WVD Application Groups, with resource lock and diagnostics configuration. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.DesktopVirtualization/applicationgroups`|2019-12-10-preview| +|`providers/locks`|2016-09-01| +|`Microsoft.DesktopVirtualization/applicationgroups/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appGroupDescription` | string | Optional. The description of the Application Group to be created. | | | +| `appGroupFriendlyName` | string | Optional. The friendly name of the Application Group to be created. | | | +| `appGroupName` | string | Required. Name of the Application Group to create this application in. | | | +| `appGroupType` | string | Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop | | System.Object[] | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `hostpoolName` | string | Required. 
Name of the Host Pool to be linked to this Application Group. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Resource from deletion. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `appGroupName` | string | The Name of the Application Group. | +| `appGroupResourceGroup` | string | The name of the Resource Group the WVD Application Group was created in. | +| `appGroupResourceId` | string | The Resource ID of the Application Group deployed. | + +## Considerations + +*N/A* + +## Additional resources + +- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) +- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json new file mode 100644 index 0000000000..49ed72d958 --- /dev/null +++ b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json 
@@ -0,0 +1,355 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "hostPoolName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Host Pool" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "hostpoolFriendlyName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The friendly name of the Host Pool to be created." + } + }, + "hostpoolDescription": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The description of the Host Pool to be created." + } + }, + "hostpoolType": { + "defaultValue": "Pooled", + "allowedValues": [ + "Personal", + "Pooled" + ], + "type": "string", + "metadata": { + "description": "Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled." + } + }, + "personalDesktopAssignmentType": { + "defaultValue": "", + "allowedValues": [ + "Automatic", + "Direct", + "" + ], + "type": "string", + "metadata": { + "description": "Optional. Set the type of assignment for a Personal Host Pool type" + } + }, + "loadBalancerType": { + "defaultValue": "BreadthFirst", + "allowedValues": [ + "BreadthFirst", + "DepthFirst", + "Persistent" + ], + "type": "string", + "metadata": { + "description": "Optional. Type of load balancer algorithm." + } + }, + "maxSessionLimit": { + "defaultValue": 99999, + "type": "int", + "metadata": { + "description": "Optional. Maximum number of sessions." 
+ } + }, + "customRdpProperty": { + "defaultValue": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;", + "type": "string", + "metadata": { + "description": "Optional. Host Pool RDP properties" + } + }, + "validationEnviroment": { + "defaultValue": false, + "type": "bool", + "metadata": { + "description": "Optional. Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment." + } + }, + "vmTemplate": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. The necessary information for adding more VMs to this Host Pool." + } + }, + "tokenValidityLength": { + "defaultValue": "PT8H", + "type": "string", + "metadata": { + "description": "Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours." + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a registration token." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." 
+ } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "startVMOnConnect": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs." + } + }, + "validationEnvironment": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Validation host pool allows you to test service changes before they are deployed to production." 
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "Checkpoint",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Error",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Management",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Connection",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "HostRegistration",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "AgentHealthStatus",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]"
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.DesktopVirtualization/hostpools",
+ "apiVersion": "2020-11-02-preview",
+ "name": "[parameters('hostpoolName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "friendlyName": "[parameters('hostpoolFriendlyName')]",
+ "description": "[parameters('hostpoolDescription')]",
+ "hostpoolType": "[parameters('hostpoolType')]",
+ "customRdpProperty": "[parameters('customRdpProperty')]",
+ "personalDesktopAssignmentType": "[parameters('personalDesktopAssignmentType')]",
+ "maxSessionLimit": "[parameters('maxSessionLimit')]",
+ "loadBalancerType": "[parameters('loadBalancerType')]",
+ "validationEnviroment": "[parameters('validationEnviroment')]",
+ "startVMOnConnect": "[parameters('startVMOnConnect')]",
+ "validationEnvironment": "[parameters('validationEnvironment')]",
+ "registrationInfo": {
+ "expirationTime": "[variables('tokenExpirationTime')]",
+ "token": null,
+ "registrationTokenOperation": "Update"
+ // "resetToken": false
+ },
+ "vmTemplate": "[if(not(empty(parameters('vmTemplate'))), json('null'),string(parameters('vmTemplate')))]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/hostPoolDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.DesktopVirtualization/hostpools/', parameters('hostPoolName'))]"
+ ],
+ "comments": "Resource lock on Host Pool",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticsettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('hostPoolName'), '/Microsoft.Insights/diagnosticsetting')]",
+ "location": "[parameters('location')]",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.DesktopVirtualization/hostpools/', parameters('hostPoolName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "hostPoolResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.DesktopVirtualization/hostpools', parameters('hostPoolName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Host Pool."
+ }
+ },
+ "hostPoolResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Host Pool was created in."
+ }
+ },
+ "hostPoolName": {
+ "type": "string",
+ "value": "[parameters('hostPoolName')]",
+ "metadata": {
+ "description": "The Name of the Host Pool."
+ }
+ },
+ "tokenExpirationTime": {
+ "type": "string",
+ "value": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]",
+ "metadata": {
+ "description": "The expiration time of the Host Pool registration token."
+ }
+ },
+ "hostpoolToken": {
+ "type": "string",
+ "value": "[reference(parameters('hostpoolName')).registrationInfo.token]",
+ "metadata": {
+ "description": "The token that has to be used to register a VM to the Host Pool."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json
new file mode 100644
index 0000000000..8e27a2f372
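Review bot: The `hostpoolToken` output at the end of this template returns `reference(parameters('hostpoolName')).registrationInfo.token` as a plain `string`, so the host pool registration token is stored in the deployment's outputs and is readable by anyone who can read that deployment for as long as the token stays valid (`tokenValidityLength`, whose description allows values up to `P1Y`). I would drop the output and let the session-host deployment retrieve the token where it is consumed, or at minimum declare it `"type": "securestring"` and keep the validity period short. Separately, the `vmTemplate` property looks inverted: `if(not(empty(parameters('vmTemplate'))), json('null'), ...)` sends null exactly when a template was supplied, and `[if(empty(parameters('vmTemplate')), json('null'), string(parameters('vmTemplate')))]` is presumably what was meant. The template also declares and forwards both `validationEnviroment` and `validationEnvironment`; keeping only the correctly spelled one would avoid two switches for one setting.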
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hostpoolName": {
+ "value": "sxx-az-wvdhp-weu-x-001"
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "hostpoolFriendlyName": {
+ "value": "WVDv2"
+ },
+ "hostpoolDescription": {
+ "value": "My first WVD Host Pool"
+ },
+ "hostpoolType": {
+ "value": "Pooled"
+ },
+ "personalDesktopAssignmentType": {
+ "value": "Automatic"
+ },
+ "maxSessionLimit": {
+ "value": 99999
+ },
+ "loadBalancerType": {
+ "value": "BreadthFirst"
+ },
+ "customRdpProperty": {
+ "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;"
+ },
+ "vmTemplate": {
+ "value": {
+ "domain": "domainname.onmicrosoft.com",
+ "galleryImageOffer": "office-365",
+ "galleryImagePublisher": "microsoftwindowsdesktop",
+ "galleryImageSKU": "20h1-evd-o365pp",
+ "imageType": "Gallery",
+ "imageUri": null,
+ "customImageId": null,
+ "namePrefix": "wvdv2",
+ "osDiskType": "StandardSSD_LRS",
+ "useManagedDisks": true,
+ "vmSize": {
+ "id": "Standard_D2s_v3",
+ "cores": 2,
+ "ram": 8
+ }
+ }
+ },
+ "validationEnviroment": {
+ "value": false
+ }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md
new file mode 100644
index 0000000000..ab28aa28e1
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md
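Review bot: The sample `customRdpProperty` value enables clipboard, COM port, printer and smart card redirection (`redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;`), and a sample parameter file tends to be copied unchanged into real deployments. Each of these channels lets data move between the session host and the client device, so I would ship the sample with the ones that are not required switched off, for example `redirectclipboard:i:0;redirectcomports:i:0;redirectprinters:i:0;`, and let consumers opt in. The file also sets `personalDesktopAssignmentType` to `Automatic` while `hostpoolType` is `Pooled`; the template describes that parameter as applying to a Personal host pool, so an empty value would fit this sample better.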
@@ -0,0 +1,113 @@ +# WVD HostPools + +This module deploys WVD Host Pools, with resource lock and diagnostics configuration. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.DesktopVirtualization/hostpools`|2019-12-10-preview| +|`Microsoft.DesktopVirtualization/hostpools/providers/diagnosticsettings`|2017-05-01-preview| +|`providers/locks`|2016-09-01| +|`Microsoft.Resources/deployments`|2018-02-01| + + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `hostPoolName` | string | | | Required. Name of the Host Pool +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `hostpoolFriendlyName` | string | "" | | Optional. The friendly name of the Host Pool to be created. +| `hostpoolDescription` | string | "" | | Optional. The description of the Host Pool to be created. +| `hostpoolType` | string | `Pooled` | "Personal", "Pooled" | Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. +| `personalDesktopAssignmentType` | string | "" | "Automatic", "Direct", "" | Optional. Set the type of assignment for a Personal Host Pool type +| `loadBalancerType` | string | `true` | "BreadthFirst", "DepthFirst", "Persistent" | Optional. Type of load balancer algorithm. +| `maxSessionLimit` | int | `99999` | | Optional. Maximum number of sessions. | +| `customRdpProperty` | string | `audiocapturemode:i:1; audiomode:i:0; drivestoredirect:s:; redirectclipboard:i:1; redirectcomports:i:1; redirectprinters:i:1; redirectsmartcards:i:1; screen mode id:i:2;` | [Supported Remote desktop RDP file settings](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files?context=/azure/virtual-desktop/context/context) | Optional. Host Pool RDP properties +| `validationEnviroment` | bool | `false` | | Optional. Whether to use validation enviroment. 
When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment. +| `vmTemplate` | object | {} | Complex structure, see below. | Optional. The necessary information for adding more VMs to this Host Pool +| `tokenValidityLength` | string | `PT8H` | Duration in ISO 8601 format. E.g. PT8H, P1Y, P5D | Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. +| `baseTime` | string | `utcNow('u')` | | Generated. Do not provide a value! This date value is used to generate a registration token. +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. +| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. +| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. +| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock the resource from deletion. +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the resource. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered +| `startVMOnConnect` | bool | `false` | | Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. 
Important: Custom RBAC role required to power manage VMs +| `validationEnvironment` | bool | `false` | | Optional. Validation host pool allows you to test service changes before they are deployed to production + +### Parameter Usage: `vmTemplate` + +The below parameter object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. + +```json +"vmTemplate": { + "value": { + "domain": ".com", + "galleryImageOffer": "office-365", + "galleryImagePublisher": "microsoftwindowsdesktop", + "galleryImageSKU": "19h2-evd-o365pp", + "imageType": "Gallery", + "imageUri": null, + "customImageId": null, + "namePrefix": "wvdv2", + "osDiskType": "StandardSSD_LRS", + "useManagedDisks": true, + "vmSize": { + "id": "Standard_D2s_v3", + "cores": 2, + "ram": 8 + } + } +} +``` + +### Parameter Usage: `customRdpProperty` + +```json +"customRdpProperty": { + "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;" +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `hostPoolName` | string | The Name of the Host Pool. | +| `hostPoolResourceGroup` | string | The name of the Resource Group the Host Pool was created in. | +| `hostPoolResourceId` | string | The Resource Id of the Host Pool. | +| `hostpoolToken` | string | The token that has to be used to register a VM to the Host Pool. | +| `tokenExpirationTime` | string | The expiration time of the Host Pool registration token. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) +- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json new file mode 100644 index 0000000000..6653b52a16 --- /dev/null +++ b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json 
@@ -0,0 +1,225 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workSpaceName": { + "type": "String", + "metadata": { + "description": "Required. The name of the workspace to be attach to new Application Group." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "appGroupResourceIds": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Required. Resource IDs fo the existing Application groups this workspace will group together." + } + }, + "workspaceFriendlyName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The friendly name of the Workspace to be created." + } + }, + "workspaceDescription": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. The description of the Workspace to be created." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." 
+ } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [ + ], + "diagnosticsLogs": [ + { + "category": "Checkpoint", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Error", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Management", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Feed", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.DesktopVirtualization/workspaces", + "apiVersion": "2020-11-02-preview", + "name": 
"[parameters('workSpaceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "applicationGroupReferences": "[parameters('appGroupResourceIds')]", + "description": "[parameters('workspaceDescription')]", + "friendlyName": "[parameters('workspaceFriendlyName')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/hostPoolDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.DesktopVirtualization/workspaces/', parameters('workSpaceName'))]" + ], + "comments": "Resource lock on the WVD Workspace", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('workSpaceName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.DesktopVirtualization/workspaces/', parameters('workSpaceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), 
variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "workspaceResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('workSpaceName'))]",
+ "metadata": {
+ "description": "The Resource Id of the WVD Workspace."
+ }
+ },
+ "workspaceResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the WVD Workspace was created in."
+ }
+ },
+ "workspaceName": {
+ "type": "string",
+ "value": "[parameters('workSpaceName')]",
+ "metadata": {
+ "description": "The Name of the Workspace."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/workspaces/parameters/parameters.json
new file mode 100644
index 0000000000..57ee08322b
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/parameters/parameters.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workSpaceName": {
+ "value": "sxx-az-wvdws-weu-x-001"
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "appGroupResourceIds": {
+ "value": [
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.DesktopVirtualization/applicationgroups/sxx-az-wvdag-weu-x-001"
+ ]
+ },
+ "workspaceFriendlyName": {
+ "value": "My first WVD Workspace"
+ },
+ "workspaceDescription": {
+ "value": "This is my first WVD Workspace"
+ }
+ }
+}
\ No newline at end of file
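Review bot: The `condition` on the `diagnosticsettings` child resource in workspaces/deploy.json is also true when only `eventHubName` is supplied, but an event hub name is not a destination on its own, so that deployment would presumably be rejected or leave the workspace without logging. Dropping the last operand avoids this: `"condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('workspaceId'))), not(empty(parameters('eventHubAuthorizationRuleId'))))]"`. The same condition appears in wvdScalingScheduler/deploy.json later in this patch. The lock child is also named `Microsoft.Authorization/hostPoolDoNotDelete` although it protects a workspace, and `lockForDeletion` defaults to `false` here while the hostpools readme documents `true`; a name such as `workspaceDoNotDelete` and a consistent default would make it clear which resources are protected.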
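Review bot: The `appGroupResourceIds` entry in workspaces/parameters/parameters.json hard-codes what looks like a real subscription GUID together with the `validation-rg` resource group, which ties the sample to one environment and publishes an internal identifier with the module. A placeholder keeps the file reusable, for example `"/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DesktopVirtualization/applicationgroups/sxx-az-wvdag-weu-x-001"`, with the real value injected by the validation pipeline. The resource names carry `weu` while `location` is `eastus`; aligning them avoids suggesting a cross-region reference.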
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md
new file mode 100644
index 0000000000..c3c7e8b75d
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md
@@ -0,0 +1,67 @@ +# WVD Workspaces + +This module deploys WVD Workspaces, with resource lock and diagnostic configuration. + + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.DesktopVirtualization/workspaces`|2019-12-10-preview| +|`Microsoft.DesktopVirtualization/workspaces/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.Resources/deployments`|2018-02-01| +|`providers/locks`|2016-09-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appGroupResourceIds` | array | Required. Resource IDs fo the existing Application groups this workspace will group together. | System.Object[] | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Resource from deletion. | False | | +| `tags` | object | Optional. Tags of the resource. | | | +| `workspaceDescription` | string | Optional. The description of the Workspace to be created. | | | +| `workspaceFriendlyName` | string | Optional. The friendly name of the Workspace to be created. | | | +| `workspaceId` | string | Optional. 
Resource identifier of Log Analytics. | | | +| `workSpaceName` | String | Required. The name of the workspace to be attach to new Application Group. | | | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `workspaceName` | string | The Name of the Workspace. | +| `workspaceResourceGroup` | string | The name of the Resource Group the WVD Workspace was created in. | +| `workspaceResourceId` | string | The Resource Id of the WVD Workspace. | + +## Considerations + +*N/A* + +## Additional resources + +- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) +- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/deploy.json b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/deploy.json new file mode 100644 index 0000000000..cfdd1a9c90 --- /dev/null +++ b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/deploy.json 
@@ -0,0 +1,231 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "type": "string", + "metadata": { + "description": "Required. The name of the logic app to create." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "webhookURI": { + "type": "string", + "metadata": { + "description": "Required. Webhook URI of Logic App" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Required. Location for all resources." + } + }, + "recurrenceInterval": { + "type": "int", + "metadata": { + "description": "Required. Specifies the recurrence interval of the job in minutes" + } + }, + "actionSettingsBody": { + "type": "object", + "metadata": { + "description": "Optional. Specifies the body in Action settings ('Note': Input should be in json format)" + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." 
+ } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Logic App from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the Logic App resource." + } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "WorkflowRuntime", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('logicAppName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "HTTP": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "[parameters('webhookURI')]", + "body": "[parameters('actionSettingsBody')]" + } + } + }, + "contentVersion": "1.0.0.0", + "outputs": 
{ + }, + "parameters": { + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Minute", + "interval": "[parameters('recurrenceInterval')]" + }, + "type": "Recurrence" + } + } + } + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows/providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "[concat(parameters('logicAppName'), '/Microsoft.Authorization/logicAppDoNotDelete')]", + "dependsOn": [ + "[concat('Microsoft.Logic/workflows/', parameters('logicAppName'))]" + ], + "comments": "Resource lock on Logic App", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Logic/workflows/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('logicAppName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Logic/workflows/', parameters('logicAppName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), 
empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "logicAppResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Logic App."
+ }
+ },
+ "logicAppResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group the Logic App was deployed to."
+ }
+ },
+ "logicAppName": {
+ "type": "string",
+ "value": "[parameters('logicAppName')]",
+ "metadata": {
+ "description": "The Name of the Log App."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/parameters/parameters.json
new file mode 100644
index 0000000000..4179a22419
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/parameters/parameters.json
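Review bot: `webhookURI` is declared as a plain `string` and written straight into the workflow definition at `actions.HTTP.inputs.uri`, yet the readme in this patch shows the value carrying a `token=` query parameter, so it works as a credential. As written it is presumably readable in the deployment's parameter record, in the Logic App definition, and in the recorded inputs of every run. Declaring it `securestring`, passing it through a workflow-level `SecureString` parameter, and enabling secure inputs on the HTTP action keeps it out of those places. The excerpt below shows only the parts of the template that change.

```json
"webhookURI": {
  "type": "securestring",
  // … unchanged: metadata …
},
// … unchanged: other template parameters, variables, pid deployment …
"properties": {
  // … unchanged: state …
  "parameters": {
    "webhookURI": { "value": "[parameters('webhookURI')]" }
  },
  "definition": {
    // … unchanged: $schema, contentVersion, outputs, triggers …
    "parameters": {
      "webhookURI": { "type": "SecureString" }
    },
    "actions": {
      "HTTP": {
        // … unchanged: type …
        "inputs": {
          // … unchanged: method, body …
          "uri": "@parameters('webhookURI')"
        },
        "runtimeConfiguration": {
          "secureData": { "properties": [ "inputs" ] }
        }
      }
    }
```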
@@ -0,0 +1,44 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "LogicAppName": {
+ "value": "sxx-az-wvdss-weu-x-001"
+ },
+ // "webhookURI": {
+ // "reference": {
+ // "keyVault": {
+ // "id": "/subscriptions/[subscriptionId]/resourceGroups/[wvd-mgmt-rg]/providers/Microsoft.KeyVault/vaults/[keyVaultName]"
+ // },
+ // "secretName": "WVDAutoScaleWebhook-Uri"
+ // }
+ // },
+ "webhookURI": {
+ "value": "https://testStringForValidation.com"
+ },
+ "actionSettingsBody": {
+ "value": {
+ "HostPoolName": "[HostPoolName]",
+ "LAWorkspaceName": "[LAWorkspaceName]",
+ "LimitSecondsToForceLogOffUser": "[LimitSecondsToForceLogOffUser]",
+ "EndPeakTime": "[EndPeakTime]",
+ "BeginPeakTime": "[BeginPeakTime]",
+ "UtcOffset": "[UtcOffset]",
+ "LogOffMessageBody": "[LogOffMessageBody]",
+ "LogOffMessageTitle": "[LogOffMessageTitle]",
+ "MinimumNumberOfRDSH": 1,
+ "SessionThresholdPerCPU": 1,
+ "ResourceGroupName": "[ResourceGroupName]"
+ }
+ },
+ "recurrenceInterval": {
+ "value": 15
+ },
+ "tags": {
+ "value": {
+ "Type": "LogicApp",
+ "Purpose": "Scaling"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/readme.md b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/readme.md
new file mode 100644
index 0000000000..589478f0cf
--- /dev/null
+++ b/arm/Microsoft.DesktopVirtualization/wvdScalingScheduler/readme.md
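Review bot: The commented-out `webhookURI` block makes this file JSON-with-comments rather than strict JSON, so any pipeline step that reads it with a strict parser will reject it, and it leaves the plaintext `value` form as the only live example for a URI that carries a token. Keeping the file strict and moving the Key Vault `reference` example into the readme's `Parameter Usage: webhookURI` section addresses both. The `actionSettingsBody` keys also differ from the readme in this patch (`LAWorkspaceName` and `ResourceGroupName` here, `AutomationAccountName` and `HostPoolResourceGroup` there), so confirm which set the runbook expects. `LogicAppName` is cased differently from the template's `logicAppName`; that presumably resolves case-insensitively but is worth matching.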
@@ -0,0 +1,193 @@ +# WvdScaling Scheduler + +This module deploys an Azure Logic App Workflow for WVD. +It uses a Http-REST action to invoke a webhook + +## Resource types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Logic/workflows`|2019-05-01| +|`Microsoft.Logic/workflows/providers/locks`|2016-09-01| +|`Microsoft.Logic/workflows/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.Resources/deployments`|2020-06-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `actionSettingsBody` | object | Optional. Specifies the body in Action settings ('Note': Input should be in json format) | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Required. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Logic App from deletion. | False | | +| `logicAppName` | string | Required. The name of the logic app to create. | | | +| `recurrenceInterval` | int | Required. Specifies the recurrence interval of the job in minutes | | | +| `tags` | object | Optional. Tags of the Logic App resource. | | | +| `webhookURI` | string | Required. Webhook URI of Logic App | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `cuaId` | string | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered | | | + +### Parameter Usage: `logicAppName` + +The name of the logic app to create. + +```json +"logicAppName": { + "value": "wvdScalingApp" +} +``` + +### Parameter Usage: `location` + +Location for all resources. + +```json +"location": { + "value": "westeurope" +} +``` + +### Parameter Usage: `webhookURI` + +Webhook URI of Logic App. + +```json +"webhookURI": { + "value": "https://s2events.azure-automation.net/webhooks?token=MyPlaceholder" +} +``` + +### Parameter Usage: `recurrenceInterval` + +Specifies the recurrence interval of the job in minutes. + +```json +"recurrenceInterval": { + "value": 15 +} +``` + +### Parameter Usage: `actionSettingsBody` + +Specifies the body in Action settings ('Note': Input should be in json format). Contains the data send to the AutomationAccount runbook + +```json +"actionSettingsBody": { + "value": { + "HostPoolName": "[HostPoolName]", // Required. Name of the host pool to scale + "AutomationAccountName": "[AutomationAccountName]", // Required. Name of the automation account running the scaling runbook + "LimitSecondsToForceLogOffUser": "[LimitSecondsToForceLogOffUser]", // Required. Time the user gets to save progress before being logged off + "EndPeakTime": "[EndPeakTime]", // Required. Desired end time for downscaling + "BeginPeakTime": "[BeginPeakTime]", // Required. Desired start time for upscaling + "UtcOffset": "[UtcOffset]", // Required. Offset of the host pool location relative to the automation account location + "LogOffMessageBody": "[LogOffMessageBody]", // Required. Message for the Log-Off popup + "LogOffMessageTitle": "[LogOffMessageTitle]", // Required. Title for the Log-Off popup + "MinimumNumberOfRDSH": 1, // Required. Minimum number of hosts to keep always running + "SessionThresholdPerCPU": 1, // Required. Desired sessions per CPU. Used to calculate scaling demand + "subscriptionid": "", // Optional. 
Subscription of the target host pool + "AADTenantId": "", // Optional. TenantId of the target host pool + "ConnectionAssetName": "", // Optional. Name of the automation account runAs connection + "HostPoolResourceGroup": "", // Optional. Resource group of the target host pool + "MaintenanceTagName": "", // Optional. Tag for host pools to exclude from scaling + } +} +``` + +### Parameter Usage: `diagnosticLogsRetentionInDays` + +Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. + +```json +"diagnosticLogsRetentionInDays": { + "value": 30 +} +``` + +### Parameter Usage: `diagnosticStorageAccountId` + +Resource identifier of the Diagnostic Storage Account. + +```json +"diagnosticStorageAccountId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.Storage/storageAccounts/sharedSA" +} +``` + +### Parameter Usage: `workspaceId` + +Resource identifier of Log Analytics. + +```json +"workspaceId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/microsoft.operationalinsights/workspaces/my-sbx-eu-la" +} +``` + +### Parameter Usage: `eventHubAuthorizationRuleId` + +Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +```json +"eventHubAuthorizationRuleId": { + "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.EventHub/namespaces/my-sbx-02-eh/authorizationRules/myRule" +} +``` + +### Parameter Usage: `eventHubName` + +Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. + +```json +"eventHubName": { + "value": "myEventHub" +} +``` + +### Parameter Usage: `lockForDeletion` + +Switch to lock Logic App from deletion. 
+ +```json +"lockForDeletion": { + "value": true +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `logicAppName` | string | The Name of the Log App. | +| `logicAppResourceGroup` | string | The Resource Group the Logic App was deployed to. | +| `logicAppResourceId` | string | The Resource Id of the Logic App. | + +## Considerations + +*N/A* + +## Additional resources + +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [WorkfloWs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Logic/2019-05-01/workflows) \ No newline at end of file diff --git a/arm/Microsoft.EventGrid/topics/deploy.json b/arm/Microsoft.EventGrid/topics/deploy.json new file mode 100644 index 0000000000..6e074a3b17 --- /dev/null +++ b/arm/Microsoft.EventGrid/topics/deploy.json 
@@ -0,0 +1,582 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "eventGridTopicName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Event Grid Topic"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all Resources."
+ }
+ },
+ "publicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Enabled",
+ "metadata": {
+ "description": "Optional. Determines if traffic is allowed over public network."
+ }
+ },
+ "inboundIpRules": {
+ "defaultValue":[],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of IPs to whitelist."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Event Grid from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID).
This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "eventGridName": "[parameters('eventGridTopicName')]",
+ "eventGridResourceId": "[resourceId('Microsoft.EventGrid/topics',variables('eventGridName'))]",
+ "eventGridApiVersion": "[providers('Microsoft.EventGrid','topics').apiVersions[0]]",
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "DeliveryFailures",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "PublishFailures",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus
Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive
Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors
Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + 
"condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2020-06-01", + "name": "[variables('eventGridName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "publicNetworkAccess": "[parameters('publicNetworkAccess')]", + "inboundIpRules": "[if(empty(parameters('inboundIpRules')), json('null'), parameters('inboundIpRules'))]" + }, + "resources":[ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/eventGridTopicDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.EventGrid/topics/', parameters('eventGridTopicName'))]" + ], + "comments": "Resource lock on the Event Grid Topic", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('eventGridTopicName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.EventGrid/topics/', variables('eventGridName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + 
"eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-EventGrid-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[variables('eventGridName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.EventGrid/topics', variables('eventGridName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { 
+ "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": 
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('eventGridTopicName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "eventGridTopicName": { + "value": "[parameters('eventGridTopicName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "eventGridTopicName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": 
"[concat(parameters('eventGridTopicName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('eventGridTopicName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "eventGridName": { + "type": "string", + "value": "[variables('eventGridName')]", + "metadata": { + "description": "The Name of the Event Grid Topic" + } + }, + "eventGridResourceId": { + "type": "string", + "value": "[variables('eventGridResourceId')]", + "metadata": { + "description": "The Resource Id of the Event Grid" + } + }, + "eventGridResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Event Grid" + } + }, + "eventGridAccessKey": { + "type": "securestring", + "value": "[listKeys(variables('eventGridResourceId'), variables('eventGridApiVersion')).key1]", + "metadata": { + "description": "The Access Key for the Event Grid." + } + } + } +} diff --git a/arm/Microsoft.EventGrid/topics/parameters/parameters.json b/arm/Microsoft.EventGrid/topics/parameters/parameters.json new file mode 100644 index 0000000000..a47efd0852 --- /dev/null +++ b/arm/Microsoft.EventGrid/topics/parameters/parameters.json 
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "eventGridTopicName": {
+ "value": "sxx-az-egtn-weu-x-001"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.EventGrid/topics/readme.md b/arm/Microsoft.EventGrid/topics/readme.md
new file mode 100644
index 0000000000..739fcbb8f1
--- /dev/null
+++ b/arm/Microsoft.EventGrid/topics/readme.md
@@ -0,0 +1,136 @@
+# Event Grid
+
+This module deploys Event Grid
+
+## Resource Types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.EventGrid/topics/providers/diagnosticsettings` | 2017-05-01-preview |
+| `Microsoft.EventGrid/topics/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.EventGrid/topics` | [variables('eventGridApiVersion')] |
+| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 |
+| `Microsoft.Network/privateEndpoints` | 2020-05-01 |
+| `Microsoft.Resources/deployments` | 2020-06-01 |
+| `providers/locks` | 2016-09-01 |
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventGridTopicName` | string | Required. The name of the Event Grid Topic | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `inboundIpRules` | array | Optional. Array of IPs to whitelist. | System.Object[] | |
+| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | |
+| `publicNetworkAccess` | string | | Enabled | |
+| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+
+
+### Parameter Usage: `privateEndpoints`
+
+To use Private Endpoint the following dependencies must be deployed:
+
+- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
+
+- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
+
+```json
+"privateEndpoints": {
+ "value": [
+ // Example showing all available fields
+ {
+ "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here
+ "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001",
+ "service": "vault",
+ "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
+ ],
+ "customDnsConfigs": [ // Optional
+ {
+ "fqdn": "customname.test.local",
+ "ipAddresses": [
+ "10.10.10.10"
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `eventGridAccessKey` | securestring | The Access Key for the Event Grid. |
+| `eventGridName` | string | The Name of the Event Grid Topic |
+| `eventGridResourceGroup` | string | The name of the Resource Group with the Event Grid |
+| `eventGridResourceId` | string | The Resource Id of the Event Grid |
+
+### Scripts
+
+- There are no Scripts for this Module.
+
+## Considerations
+
+- There are no deployment considerations for this Module.
+
+## Additional resources
+
+- [What is Event Grid](https://docs.microsoft.com/en-us/azure/event-grid/overview)
+- [Microsoft.EventGrid/topic template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventgrid/topics)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.EventHub/namespaceEventHubs/deploy.json b/arm/Microsoft.EventHub/namespaceEventHubs/deploy.json
new file mode 100644
index 0000000000..e3785ac884
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaceEventHubs/deploy.json
@@ -0,0 +1,457 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namespaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the EventHub namespace"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the EventHub"
+ }
+ },
+ "authorizationRules": {
+ "type": "array",
+ "defaultValue": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ }
+ }
+ ],
+ "metadata": {
+ "description": "Optional. Authorization Rules for the Event Hub"
+ }
+ },
+ "eventHubConfiguration": {
+ "type": "object",
+ "defaultValue": {
+ "properties": {
+ "messageRetentionInDays": 1,
+ "partitionCount": 2,
+ "status": "Active"
+ },
+ "consumerGroups": [
+ {
+ "name": "$Default"
+ }
+ ]
+ },
+ "metadata": {
+ "description": "Optional. Object to configure all properties of an Event Hub instance"
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Event Hub from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "eventHubId": "[resourceId('Microsoft.EventHub/Namespaces/eventhubs', parameters('namespaceName'), parameters('eventHubName'))]", + "defaultSASKeyName": "RootManageSharedAccessKey", + "authRuleResourceId": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', parameters('namespaceName'), variables('defaultSASKeyName'))]", + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + 
"Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2017-04-01", + "name": "[concat(parameters('namespaceName'), '/', parameters('eventHubName'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + ], + "properties": "[parameters('eventHubConfiguration').properties]", + "resources": [ + { + "type": "Microsoft.EventHub/namespaces/eventhubs/providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "[concat(parameters('namespaceName'), '/',parameters('eventHubName'), '/Microsoft.Authorization/evenHubDoNotDelete')]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('namespaceName'), '/eventhubs/', parameters('eventHubName'))]" + ], + "comments": "Resource lock on Event Hub", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", + "apiVersion": "2017-04-01", + "name": "[concat(parameters('namespaceName'), '/',parameters('eventHubName'), '/', parameters('eventHubConfiguration').consumerGroups[copyIndex()].name)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('eventHubId')]" + ], + "copy": { + "name": "consumerGroups", + "count": "[length(parameters('eventHubConfiguration').consumerGroups)]" + } + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", + "apiVersion": "2017-04-01", + "name": "[concat(parameters('namespaceName'), '/', parameters('eventHubName'), '/', parameters('authorizationRules')[copyIndex()].name)]", + "condition": "[greater(length(parameters('authorizationRules')),0)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('eventHubId')]" + ], + "copy": { + "name": "authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "properties": { + "rights": 
"[parameters('authorizationRules')[copyIndex()].properties.rights]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('eventHubName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "namespaceName":{ + "value": "[parameters('namespaceName')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "namespaceName": { + "type": "string" + }, + "eventHubName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.EventHub/namespaces/eventhubs/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('namespaceName'), '/', parameters('eventHubName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('eventHubName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , 
parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "namespaceName": { + "type": "string", + "value": "[parameters('namespaceName')]", + "metadata": { + "description": "The Name of the EventHub Namespace" + } + }, + "eventHubId": { + "type": "string", + "value": "[variables('eventHubId')]", + "metadata": { + "description": "The Resource Id of the EventHub Namespace" + } + }, + "namespaceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the EventHub Namespace" + } + }, + "authRuleResourceId": { + "type": "string", + "value": "[variables('authRuleResourceId')]", + "metadata": { + "description": "The Id of the authorization rule marked by the variable with the same name." + } + }, + "namespaceConnectionString": { + "type": "securestring", + "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]", + "metadata": { + "description": "The connection string of the EventHub Namespace" + } + }, + "sharedAccessPolicyPrimaryKey": { + "type": "securestring", + "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]", + "metadata": { + "description": "The shared access policy primary key for the EventHub Namespace" + } + } + } +} diff --git a/arm/Microsoft.EventHub/namespaceEventHubs/parameters/parameters.json b/arm/Microsoft.EventHub/namespaceEventHubs/parameters/parameters.json new file mode 100644 index 0000000000..c7d4518273 --- /dev/null +++ b/arm/Microsoft.EventHub/namespaceEventHubs/parameters/parameters.json 
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namespaceName": {
+ "value": "sxx-az-evhns-weu-x-001"
+ },
+ "eventHubName": {
+ "value": "sxx-az-evh-weu-x-001"
+ },
+ "authorizationRules": {
+ "value": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": ["Listen", "Manage", "Send"]
+ }
+ },
+ {
+ "name": "SendListenAccess",
+ "properties": {
+ "rights": ["Listen", "Send"]
+ }
+ }
+ ]
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
diff --git a/arm/Microsoft.EventHub/namespaceEventHubs/readme.md b/arm/Microsoft.EventHub/namespaceEventHubs/readme.md
new file mode 100644
index 0000000000..314f9b98ce
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaceEventHubs/readme.md
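Review bot: The sample `authorizationRules` in parameters.json create an event-hub-scoped rule with `Manage` rights (`RootManageSharedAccessKey`: Listen, Manage, Send) next to a combined `SendListenAccess` rule, so anyone deploying the sample as-is gets broader shared-access keys than a producer or consumer needs. I would keep only narrowly scoped rules in the sample, e.g. `"rights": ["Send"]` for a producer rule and `"rights": ["Listen"]` for a consumer rule, and add a `Manage` rule only where it is actually required. This matters more because deploy.json in the same patch returns the primary key and connection string of one authorization rule as deployment outputs; which rule that is cannot be seen from this part of the patch. Separately, the commented-out `roleAssignments` block uses `//` comments, which a strict JSON parser rejects, so the file depends on tooling that tolerates comments in parameter files.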
@@ -0,0 +1,183 @@ +# EventHubs + +This module deploys EventHub. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.EventHub/namespaces/eventhubs`|2017-04-01| +|`Microsoft.EventHub/namespaces/eventhubs/consumergroups`|2017-04-01| +|`Microsoft.EventHub/namespaces/eventhubs/authorizationRules`|2017-04-01| +|`Microsoft.EventHub/namespaces/eventhubs/providers/locks`|2016-09-01| +|`Microsoft.EventHub/namespaces/eventhubs/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub | System.Object[] | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `eventHubConfiguration` | object | Optional. Object to configure all properties of an Event Hub instance | properties=; consumerGroups=System.Object[] | | +| `eventHubName` | string | Required. The name of the EventHub | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Event Hub from deletion. | False | | +| `namespaceName` | string | Required. The name of the EventHub namespace | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. 
| | | + +### Parameter Usage: `eventHubConfiguration` + +Default value: + +```json +"eventHubConfiguration": { + "value": { + "properties": { + "messageRetentionInDays": 1, + "partitionCount": 2, + "status": "Active", + "captureDescription": { + "enabled": false, + "encoding": "Avro", + "intervalInSeconds": 300, + "sizeLimitInBytes": 314572800, + "destination": { + "name": "EventHubArchive.AzureBlockBlob", + "properties": { + "storageAccountResourceId": "", + "blobContainer": "eventhub", + "archiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}" + } + }, + "skipEmptyArchives": true + } + }, + "consumerGroups": [ + { + "name": "$Default" + } + ] + } +} +``` + +### Parameter Usage: `authorizationRules` + +Default value: + +```json +"authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ] +} +``` + +Example for 2 authorization rules: + +```json +"authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + }, + { + "name": "AnotherKey", + "properties": { + "rights": [ + "Listen", + "Send" + ] + } + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and 
tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `authRuleResourceId` | string | The Id of the authorization rule marked by the variable with the same name. | +| `eventHubId` | string | The Resource Id of the EventHub Namespace | +| `namespaceConnectionString` | securestring | The connection string of the EventHub Namespace | +| `namespaceName` | string | The Name of the EventHub Namespace | +| `namespaceResourceGroup` | string | The name of the Resource Group with the EventHub Namespace | +| `sharedAccessPolicyPrimaryKey` | securestring | The shared access policy primary key for the EventHub Namespace | + +### Scripts + +- There is no Scripts for this Module + +## Considerations + +- There is no deployment considerations for this Module + +## Additional resources + +- [Microsoft EventHub template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventhub/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) diff --git a/arm/Microsoft.EventHub/namespaces/deploy.json b/arm/Microsoft.EventHub/namespaces/deploy.json new file mode 100644 index 0000000000..e1eaf7e485 --- /dev/null +++ b/arm/Microsoft.EventHub/namespaces/deploy.json 
@@ -0,0 +1,772 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namespaceName": { + "type": "string", + "defaultValue": "", + "maxLength": 50, + "metadata": { + "description": "Optional. The name of the EventHub namespace. If no name is provided, then unique name will be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "skuName": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Basic", + "Standard" + ], + "metadata": { + "description": "Optional. EventHub Plan sku name" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 20, + "metadata": { + "description": "Optional. Event Hub Plan scale-out capacity of the resource" + } + }, + "zoneRedundant": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to make the Event Hub Namespace zone redundant." + } + }, + "isAutoInflateEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to enable the Auto Inflate feature of Event Hub." + } + }, + "maximumThroughputUnits": { + "type": "int", + "defaultValue": 1, + "minValue": 0, + "maxValue": 20, + "metadata": { + "description": "Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units." + } + }, + "partnerNamespaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ARM Id of the Primary/Secondary eventhub namespace name, which is part of GEO DR pairing" + } + }, + "namespaceAlias": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
The Disaster Recovery configuration name" + } + }, + "authorizationRules": { + "type": "array", + "defaultValue": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ], + "metadata": { + "description": "Optional. Authorization Rules for the Event Hub namespace" + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "networkAcls": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Service endpoint object information" + } + }, + "vNetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Virtual Network Id to lock down the Event Hub." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules." + } + } + }, + + "variables": { + "moduleName": "EventHub Namespace", + "maxNameLength": 50, + "uniqueEventHubNamespaceUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]", + "uniqueEventHubNamespace": "[if(greater(length(variables('uniqueEventHubNamespaceUntrim')),variables('maxNameLength')),substring(variables('uniqueEventHubNamespaceUntrim'),0,variables('maxNameLength')),variables('uniqueEventHubNamespaceUntrim'))]", + "namespaceName": "[if(empty(parameters('namespaceName')),variables('uniqueEventHubNamespace'),parameters('namespaceName'))]", + "namespaceResourceId": "[resourceId('Microsoft.EventHub/Namespaces', variables('namespaceName'))]", + "defaultAuthorizationRuleId": "[resourceId('Microsoft.EventHub/namespaces/AuthorizationRules', variables('namespaceName'), 'RootManageSharedAccessKey')]", + "defaultSASKeyName": "RootManageSharedAccessKey", + "authRuleResourceId": "[resourceId('Microsoft.EventHub/namespaces/authorizationRules', variables('namespaceName'), variables('defaultSASKeyName'))]", + "maximumThroughputUnits": "[if(not(parameters('isAutoInflateEnabled')), 0, parameters('maximumThroughputUnits'))]", + "deployServiceEndpoint": 
"[not(empty(parameters('networkAcls')))]", + "virtualNetworkRules": { + "copy": [ + { + "name": "virtualNetworkRules", + "count": "[if(not(variables('deployServiceEndpoint')), 0, length(parameters('networkAcls').virtualNetworkRules))]", + "input": { + "id": "[concat(parameters('vNetId'), '/subnets/', parameters('networkAcls').virtualNetworkRules[copyIndex('virtualNetworkRules')].subnet)]" + } + } + ] + }, + "emptyArray": [ + ], + "networkAcls": { + "bypass": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').bypass)]", + "defaultAction": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').defaultAction)]", + "virtualNetworkRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').virtualNetworkRules), 0), variables('emptyArray'), variables('virtualNetworkRules').virtualNetworkRules))]", + "ipRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), variables('emptyArray'), parameters('networkAcls').ipRules))]" + }, + "namespaceAlias": "[if(empty(parameters('namespaceAlias')), 'placeholder', parameters('namespaceAlias'))]", + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "ArchiveLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "OperationalLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "AutoScaleLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "KafkaCoordinatorLogs", + 
"enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "KafkaUserErrorLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "EventHubVNetConnectionEvent", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "CustomerManagedKeyUserLogs", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure 
Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + 
"Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + 
"Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2017-04-01", + "name": "[variables('namespaceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuName')]", + "capacity": "[parameters('skuCapacity')]" + }, + "properties": { + "zoneRedundant": "[parameters('zoneRedundant')]", + "isAutoInflateEnabled": "[parameters('isAutoInflateEnabled')]", + "maximumThroughputUnits": "[variables('maximumThroughputUnits')]", + "networkAcls": "[if(not(variables('deployServiceEndpoint')), json('null'), variables('networkAcls'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/evenHubNamespaceDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', variables('namespaceName'))]" + ], + "comments": "Resource lock on Event Hub Namespace", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.EventHub/namespaces/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('namespaceName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', variables('namespaceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), 
empty(parameters('workspaceId'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.EventHub/namespaces/disasterRecoveryConfigs", + "apiVersion": "2017-04-01", + "name": "[concat(variables('namespaceName'), '/', variables('namespaceAlias'))]", + "location": "[parameters('location')]", + + "condition": "[if(and(not(empty(parameters('partnerNamespaceId'))),not(empty(parameters('namespaceAlias')))), bool('true') , bool('false'))]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "properties": { + "partnerNamespace": "[parameters('partnerNamespaceId')]" + } + }, + { + "type": "Microsoft.EventHub/namespaces/AuthorizationRules", + "apiVersion": "2017-04-01", + "name": "[concat(variables('namespaceName'),'/', parameters('authorizationRules')[copyIndex()].name)]", + "condition": "[greater(length(parameters('authorizationRules')),0)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "copy": { + "name": "authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "properties": { + "rights": "[parameters('authorizationRules')[copyIndex()].properties.rights]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-EventHubNamepace-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[variables('namespaceName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": 
"[resourceId('Microsoft.EventHub/namespaces/', variables('namespaceName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": 
"2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[variables('namespaceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": 
"[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "namespaceName": { + "value": "[variables('namespaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "namespaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.EventHub/namespaces/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('namespaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(variables('namespaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "namespaceName": { + "type": "string", + "value": "[variables('namespaceName')]", + "metadata": { + "description": "The Name of the EventHub Namespace" + } + }, + "namespaceResourceId": { + "type": "string", + "value": "[variables('namespaceResourceId')]", + "metadata": { + "description": "The Resource Id of the EventHub Namespace" + } + }, + "namespaceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the EventHub Namespace" + } + }, + 
"defaultAuthorizationRuleId": {
+ "type": "string",
+ "value": "[variables('defaultAuthorizationRuleId')]",
+ "metadata": {
+ "description": "The Id of the authorization rule marked by the variable with the same name."
+ }
+ },
+ "namespaceConnectionString": {
+ "type": "securestring",
+ "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]",
+ "metadata": {
+ "description": "The connection string of the EventHub Namespace"
+ }
+ },
+ "sharedAccessPolicyPrimaryKey": {
+ "type": "securestring",
+ "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]",
+ "metadata": {
+ "description": "The shared access policy primary key for the EventHub Namespace"
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.EventHub/namespaces/parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/parameters/parameters.json
new file mode 100644
index 0000000000..a52ec87481
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/parameters/parameters.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ //"namespaceName": {
+ // "value": "sxx-az-evhns-weu-x-001"
+ //},
+ "authorizationRules": {
+ "value": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ }
+ },
+ {
+ "name": "SendListenAccess",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Send"
+ ]
+ }
+ }
+ ]
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md
new file mode 100644
index 0000000000..e3d71c9f2e
--- /dev/null
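Review bot: The `SendListenAccess` rule in parameters.json grants both `Listen` and `Send` as a namespace-level authorization rule, so any client holding its key can both publish to and read from every event hub in the namespace. Splitting it into two entries, one with `"rights": [ "Send" ]` and one with `"rights": [ "Listen" ]`, keeps producers and consumers on the least rights they need and lets either key be rotated or revoked on its own. Separately, the `//` comment lines make this file invalid for a strict JSON parser; the ARM deployment commands tolerate them, but any validation or pipeline script that reads the file directly (presumably there is one) would need a comment-tolerant parser, which is worth confirming before this sample is reused.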
+++ b/arm/Microsoft.EventHub/namespaces/readme.md 
@@ -0,0 +1,195 @@ +# EventHub Namespaces + +This module deploys EventHub Namespace. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.EventHub/namespaces`|2017-04-01| +|`Microsoft.EventHub/namespaces/disasterRecoveryConfigs`|2017-04-01| +|`Microsoft.EventHub/namespaces/AuthorizationRules`|2017-04-01| +|`providers/locks`|2016-09-01| +|`Microsoft.EventHub/namespaces/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.EventHub/namespaces/providers/roleAssignments`|2018-09-01-preview| +|`Microsoft.Network/privateEndpoints`|2020-05-01| +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups`|2020-05-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub namespace | System.Object[] | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `isAutoInflateEnabled` | bool | Optional. Switch to enable the Auto Inflate feature of Event Hub. | False | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | | +| `maximumThroughputUnits` | int | Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | 1 | | +| `namespaceAlias` | string | Optional. The Disaster Recovery configuration name | | | +| `namespaceName` | string | Optional. The name of the EventHub namespace. 
If no name is provided, then unique name will be created.| | | +| `networkAcls` | object | Optional. Service endpoint object information | | | +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `partnerNamespaceId` | string | Optional. ARM Id of the Primary/Secondary eventhub namespace name, which is part of GEO DR pairing | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `skuCapacity` | int | Optional. Event Hub Plan scale-out capacity of the resource | 1 | | +| `skuName` | string | Optional. EventHub Plan sku name | Standard | System.Object[] | +| `tags` | object | Optional. Tags of the resource. | | | +| `vNetId` | string | Optional. Virtual Network Id to lock down the Event Hub. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `zoneRedundant` | bool | Optional. Switch to make the Event Hub Namespace zone redundant. | False | | +| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. 
+ +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `authorizationRules` + +Default value: + +```json +"authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ] +} +``` + +### Parameter Usage: `networkAcls` + +```json +"networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "subnet": "sharedsvcs" + } + ], + "ipRules": [] + } +} +``` + +### Parameter Usage: `vNetId` + +```json +"vNetId": { + "value": "/subscriptions/00000000/resourceGroups/resourceGroup" +} +``` + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. 
Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "blob", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "file" + } + ] +} +``` +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `defaultAuthorizationRuleId` | string | The Id of the authorization rule marked by the variable with the same name. 
| +| `namespaceConnectionString` | securestring | The connection string of the EventHub Namespace | +| `namespaceName` | string | The Name of the EventHub Namespace | +| `namespaceResourceGroup` | string | The name of the Resource Group with the EventHub Namespace | +| `namespaceResourceId` | string | The Resource Id of the EventHub Namespace | +| `sharedAccessPolicyPrimaryKey` | securestring | The shared access policy primary key for the EventHub Namespace | + +### Scripts + +- There is no Scripts for this Module + +## Considerations + +- There is no deployment considerations for this Module + +## Additional resources + +- [Microsoft EventHub template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventhub/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) diff --git a/arm/Microsoft.HealthBot/healthBots/deploy.json b/arm/Microsoft.HealthBot/healthBots/deploy.json new file mode 100644 index 0000000000..ee1c8d088f --- /dev/null +++ b/arm/Microsoft.HealthBot/healthBots/deploy.json 
@@ -0,0 +1,363 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "azureHealthBotName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the resource"
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "F0",
+ "metadata": {
+ "description": "Optional. The resource model definition representing SKU."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock resource from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
+ "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "apiVersion": "2020-12-08",
+ "name": "[parameters('azureHealthBotName')]",
+ "location": "[parameters('location')]",
+ "type": "Microsoft.HealthBot/healthBots",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "properties": {},
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/azureHealthBotDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.HealthBot/healthBots/', parameters('azureHealthBotName'))]"
+ ],
+ "comments": "Resource lock on resource",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('azureHealthBotName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "azureHealthBotName": {
+ "value": "[parameters('azureHealthBotName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "azureHealthBotName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/bastionHosts/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('azureHealthBotName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('azureHealthBotName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), 
parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "azureHealthBotResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group the resource was deployed."
+ }
+ },
+ "azureHealthBotName": {
+ "type": "string",
+ "value": "[parameters('azureHealthBotName')]",
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "azureHealthBotResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.HealthBot/healthBots', parameters('azureHealthBotName'))]",
+ "metadata": {
+ "description": "The Resource ID of the resource."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.HealthBot/healthBots/parameters/parameters.json b/arm/Microsoft.HealthBot/healthBots/parameters/parameters.json
new file mode 100644
index 0000000000..a4ecfd2c20
--- /dev/null
+++ b/arm/Microsoft.HealthBot/healthBots/parameters/parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "azureHealthBotName": {
+ "value": "sxx-az-ahb-x-001"
+ }
+ }
+}
diff --git a/arm/Microsoft.HealthBot/healthBots/readme.md b/arm/Microsoft.HealthBot/healthBots/readme.md
new file mode 100644
index 0000000000..64d5dcc3ec
--- /dev/null
+++ b/arm/Microsoft.HealthBot/healthBots/readme.md
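Review bot: This parameter file sets only `azureHealthBotName`, so a validation deployment never reaches the `roleAssignments` loop in deploy.json, and that loop looks wrong as committed. The nested assignment resource there is typed `Microsoft.Network/bastionHosts/providers/roleAssignments` while its name is built from `azureHealthBotName`, which reads like a leftover from a Bastion module (that hunk starts outside this view, so this is inferred from its visible tail); the type should presumably be `Microsoft.HealthBot/healthBots/providers/roleAssignments`. I would add a low-privilege entry to this file so the RBAC path is exercised before anyone relies on it, e.g. `"roleAssignments": { "value": [ { "roleDefinitionIdOrName": "Reader", "principalIds": [ "<test-principal-object-id>" ] } ] }`. The readme's Resource Types table repeats the same bastionHosts type and should be corrected together with the template.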
@@ -0,0 +1,90 @@
+# Azure Health Bot
+
+This module deploys an Azure Health Bot.
+
+## Resource Types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.HealthBot/healthBots` | 2020-12-08 |
+| `Microsoft.Network/bastionHosts/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Resources/deployments` | 2020-06-01 |
+| `providers/locks` | 2016-09-01 |
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `azureHealthBotName` | string | Required. Name of the resource | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | False | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `sku` | string | Optional. The resource model definition representing SKU. | F0 | |
+| `tags` | object | Optional. Tags of the resource. | | |
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `azureHealthBotName` | string | The name of the resource. |
+| `azureHealthBotResourceGroup` | string | The Resource Group the resource was deployed. |
+| `azureHealthBotResourceId` | string | The Resource ID of the resource. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
+- [HealtHBots](https://docs.microsoft.com/en-us/azure/templates/Microsoft.HealthBot/2020-12-08/healthBots)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
diff --git a/arm/Microsoft.Insights/actionGroups/deploy.json b/arm/Microsoft.Insights/actionGroups/deploy.json
new file mode 100644
index 0000000000..19a3bcb300
--- /dev/null
+++ b/arm/Microsoft.Insights/actionGroups/deploy.json
@@ -0,0 +1,437 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "actionGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the action group."
+ }
+ },
+ "groupShortName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The short name of the action group."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "emailReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of email receivers that are part of this action group."
+ }
+ },
+ "smsReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of SMS receivers that are part of this action group."
+ }
+ },
+ "webhookReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of webhook receivers that are part of this action group."
+ }
+ },
+ "itsmReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of ITSM receivers that are part of this action group."
+ }
+ },
+ "azureAppPushReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of AzureAppPush receivers that are part of this action group."
+ }
+ },
+ "automationRunbookReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of AutomationRunbook receivers that are part of this action group."
+ }
+ },
+ "voiceReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of voice receivers that are part of this action group."
+ }
+ },
+ "logicAppReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of logic app receivers that are part of this action group."
+ }
+ },
+ "azureFunctionReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of function receivers that are part of this action group."
+ }
+ },
+ "armRoleReceivers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "global",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure 
Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", 
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('actionGroupName')]", + "type": "microsoft.insights/actionGroups", + "apiVersion": "2019-06-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "groupShortName": "[parameters('groupShortName')]", + "enabled": "[parameters('enabled')]", + "emailReceivers": "[if(empty(parameters('emailReceivers')), json('null'), parameters('emailReceivers'))]", + "smsReceivers": "[if(empty(parameters('smsReceivers')), json('null'), 
parameters('smsReceivers'))]",
+ "webhookReceivers": "[if(empty(parameters('webhookReceivers')), json('null'), parameters('webhookReceivers'))]",
+ "itsmReceivers": "[if(empty(parameters('itsmReceivers')), json('null'), parameters('itsmReceivers'))]",
+ "azureAppPushReceivers": "[if(empty(parameters('azureAppPushReceivers')), json('null'), parameters('azureAppPushReceivers'))]",
+ "automationRunbookReceivers": "[if(empty(parameters('automationRunbookReceivers')), json('null'), parameters('automationRunbookReceivers'))]",
+ "voiceReceivers": "[if(empty(parameters('voiceReceivers')), json('null'), parameters('voiceReceivers'))]",
+ "logicAppReceivers": "[if(empty(parameters('logicAppReceivers')), json('null'), parameters('logicAppReceivers'))]",
+ "azureFunctionReceivers": "[if(empty(parameters('azureFunctionReceivers')), json('null'), parameters('azureFunctionReceivers'))]",
+ "armRoleReceivers": "[if(empty(parameters('armRoleReceivers')), json('null'), parameters('armRoleReceivers'))]"
+ }
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('actionGroupName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "actionGroupName": {
+ "value": "[parameters('actionGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "actionGroupName":
{
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "microsoft.insights/actionGroups/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('actionGroupName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('actionGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "deploymentResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Action Group was created in."
+ }
+ },
+ "actionGroupName": {
+ "type": "string",
+ "value": "[parameters('actionGroupName')]",
+ "metadata": {
+ "description": "The Name of the Azure Action Group."
+ }
+ },
+ "actionGroupResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.insights/actionGroups',parameters('actionGroupName'))]",
+ "metadata": {
+ "description": "The Resource Ids of the Action Group deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/actionGroups/parameters/parameters.json b/arm/Microsoft.Insights/actionGroups/parameters/parameters.json
new file mode 100644
index 0000000000..f1924cbaa6
--- /dev/null
+++ b/arm/Microsoft.Insights/actionGroups/parameters/parameters.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "actionGroupName": {
+ "value": "sxx-az-ag-weu-x-001"
+ },
+ "groupShortName":{
+ "value": "azagweux001"
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "emailReceivers":{
+ "value":[
+ {
+ "name": "TestUser_-EmailAction-",
+ "emailAddress": "test.user@testcompany.com",
+ "useCommonAlertSchema": true
+ },
+ {
+ "name": "TestUser2",
+ "emailAddress": "test.user2@testcompany.com",
+ "useCommonAlertSchema": true
+ }
+ ]
+ },
+ "smsReceivers":{
+ "value": [
+ {
+ "name": "TestUser_-SMSAction-",
+ "countryCode": "1",
+ "phoneNumber": "2345678901"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/actionGroups/readme.md b/arm/Microsoft.Insights/actionGroups/readme.md
new file mode 100644
index 0000000000..929e242d12
--- /dev/null
+++ b/arm/Microsoft.Insights/actionGroups/readme.md
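Review bot: The `//` comments in the new actionGroups `parameters/parameters.json` (the commented-out `roleAssignments` block and the trailing `// object 1` / `// object 2` markers) make the file invalid as strict JSON, so any pipeline step that reads it with a strict parser rather than the ARM deployment tooling would presumably reject it; it is worth confirming that every consumer tolerates comments. With that block disabled, this parameter file also never exercises the nested `rbac-` deployment in the module's deploy.json, so the role-assignment path ships without a test input. The same example already appears under "Parameter Usage: `roleAssignments`" in the readme.md added by this commit, so I would delete the eleven commented lines here, or turn them into a real `roleAssignments` value with principal IDs the validation environment can resolve.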
@@ -0,0 +1,141 @@ +# Action Group +This module deploys an Action Group + + +## Resource Types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`microsoft.insights/actionGroups`|2019-06-01| +|`microsoft.insights/actionGroups/providers/roleAssignments`|2018-09-01-preview|  + + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------------------- | :----- | :--------------------------- | :---------------------------- | :----------------------------------------------------------- | +| `actionGroupName` | string | | | Required. The name of the action group. | +| `groupShortName` | string | | | Required. The short name of the action group. | +| `enabled` | bool | true | true, false | Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `emailReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of email receivers that are part of this action group. | +| `smsReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of SMS receivers that are part of this action group. | +| `webhookReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of webhook receivers that are part of this action group. | +| `itsmReceivers` | array | [] | Array of complex structures, see below. | Optional. 
The list of ITSM receivers that are part of this action group. | +| `azureAppPushReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of AzureAppPush receivers that are part of this action group. | +| `automationRunbookReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of AutomationRunbook receivers that are part of this action group. | +| `voiceReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of voice receivers. **Only US numbers supported at the moment** | +| `logicAppReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of logic app receivers that are part of this action group. | +| `azureFunctionReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of Azure Function receivers that are part of this action group. | +| `armRoleReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Action Group resource. | +| `cuaId` | string | {} | Complex structure, see below. | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| `location` | string | global | Complex structure, see below. | Optional. Location for all resources. | + +### Parameter Usage: receivers + +See [Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2019-06-01/actiongroups) for description of parameters usage and syntax. 
+ +Example: +```json +"emailReceivers":{ + "value":[ + { + "name": "TestUser_-EmailAction-", + "emailAddress": "test.user@testcompany.com", + "useCommonAlertSchema": true + }, + { + "name": "TestUser2", + "emailAddress": "test.user2@testcompany.com", + "useCommonAlertSchema": true + } + ] +}, +"smsReceivers":{ + "value": [ + { + "name": "TestUser_-SMSAction-", + "countryCode": "1", + "phoneNumber": "2345678901" + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "112244", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Additional notes on parameters +- Receiver name must be unique across the ActionGroup +- Email, SMS, Azure App push and Voice can be grouped in the same Action. To do so, the `name` field of the receivers must be in the `RecName_-ActionType-` format where: + - _RecName_ is the name you want to give to the Action + - _ActionType_ is one of the action types that can be grouped together. 
Possible values are: + - EmailAction + - SMSAction + - AzureAppAction + - VoiceAction +- To understand the impact of the `useCommonAlertSchema` field, see [here](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-common-schema) + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `actionGroupName` | string | The Name of the Azure Action Group. | +| `actionGroupResourceId` | string | The Resource Ids of the Action Group deployed. | +| `deploymentResourceGroup` | string | The name of the Resource Group the Action Group was created in. | + +## Considerations + +*N/A* + +## Additional resources + +- [Alerts in Azure](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview) +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2019-06-01/actiongroups) +- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) \ No newline at end of file diff --git a/arm/Microsoft.Insights/activityLogAlerts/deploy.json b/arm/Microsoft.Insights/activityLogAlerts/deploy.json new file mode 100644 index 0000000000..5b3b942741 --- /dev/null +++ b/arm/Microsoft.Insights/activityLogAlerts/deploy.json 
@@ -0,0 +1,375 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Alert."
+ }
+ },
+ "alertDescription": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Description of the alert."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "global",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether this alert is enabled."
+ }
+ },
+ "scopes": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. the list of resource id's that this metric alert is scoped to."
+ }
+ },
+ "actions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of actions to take when alert triggers."
+ }
+ },
+ "conditions": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. The condition that will cause this alert to activate. Array of objects"
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID).
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('alertName')]", + "type": "Microsoft.Insights/ActivityLogAlerts", + "location": "[parameters('location')]", + "apiVersion": "2017-04-01", + "tags": "[parameters('tags')]", + "properties": { + "scopes": "[parameters('scopes')]", + "condition": { + "allOf": "[parameters('conditions')]" + }, + "actions": { + "actionGroups": "[parameters('actions')]" + }, + "enabled": "[parameters('enabled')]", + 
"description": "[parameters('alertDescription')]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('alertName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "alertName": { + "value": "[parameters('alertName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "alertName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/ActivityLogAlerts/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('alertName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('alertName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], 
+ "outputs": {
+ "deploymentResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Alert was created in."
+ }
+ },
+ "alertName": {
+ "type": "string",
+ "value": "[parameters('alertName')]",
+ "metadata": {
+ "description": "The Name of the Alert."
+ }
+ },
+ "activityLogAlertResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Insights/activityLogAlerts',parameters('alertName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Alert deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/activityLogAlerts/parameters/parameters.json b/arm/Microsoft.Insights/activityLogAlerts/parameters/parameters.json
new file mode 100644
index 0000000000..f8183d7f29
--- /dev/null
+++ b/arm/Microsoft.Insights/activityLogAlerts/parameters/parameters.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertName": {
+ "value": "sxx-az-ala-weu-x-001"
+ },
+ "scopes": {
+ "value": [
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2"
+ ]
+ },
+ "conditions": {
+ "value": [{
+ "field": "category",
+ "equals": "Administrative"
+ },
+ {
+ "field": "resourceType",
+ "equals": "microsoft.compute/virtualmachines"
+ },
+ {
+ "field": "operationName",
+ "equals": "Microsoft.Compute/virtualMachines/performMaintenance/action"
+ }
+ ]
+ },
+ "actions": {
+ "value": [{
+ "actionGroupId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/microsoft.insights/actiongroups/sxx-az-ag-weu-x-003"
+ }]
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/activityLogAlerts/readme.md b/arm/Microsoft.Insights/activityLogAlerts/readme.md
new file mode 100644
index 0000000000..3bbe50680e
--- /dev/null
+++ b/arm/Microsoft.Insights/activityLogAlerts/readme.md
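Review bot: The sample parameter file hard-codes what looks like a real subscription GUID in both `scopes` and `actionGroupId`, while the module readme added in the same patch masks it; the parameter file should use the same masked form, e.g. `"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`, with the real value supplied at deployment time. Separately, the commented-out `roleAssignments` block sits after `"actions": { … }` with no comma before it and ends in `},`, so uncommenting it as written produces invalid JSON; moving the block above `actions` would make it safe to enable. The `//` comments are tolerated only by comment-aware ARM tooling, so any strict JSON parser or linter run over this file would reject it.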
@@ -0,0 +1,184 @@ +# Activity Log Alert +This module deploys an Alert based on Activity Log + + +## Resource Types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Insights/ActivityLogAlerts`|2017-04-01| +|`Microsoft.Insights/ActivityLogAlerts/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | +| `alertDescription` | string | Optional. Description of the alert. | | | +| `alertName` | string | Required. The name of the Alert. | | | +| `conditions` | array | Required. The condition that will cause this alert to activate. Array of objects | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `enabled` | bool | Optional. Indicates whether this alert is enabled. | True | | +| `location` | string | Optional. Location for all resources. | global | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `scopes` | array | Required. the list of resource id's that this metric alert is scoped to. | | | +| `tags` | object | Optional. Tags of the resource. 
| | | + + +### Parameter Usage: actions + +```json +"actions": { + "value": [ + { + "actionGroupId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/microsoft.insights/actiongroups/ActionGroupName", + "webhookProperties": {} + } + ] +} +``` +`webhookProperties` is optional. + +### Parameter Usage: conditions +**Conditions can also be combined with logical operators `allOf` and `anyOf`** + +```json +{ + "field": "string", + "equals": "string", + "containsAny": "array" +} +``` +Each condition can specify only one field between `equals` and `containsAny`. + +| Parameter Name | Type | Possible values | Description | +| :-- | :-- | :-- | :-- | +| `field` | string | `resourceId`,
`category`,
`caller`,
`level`,
`operationName`,
`resourceGroup`,
`resourceProvider`,
`status`,
`subStatus`,
`resourceType`,
or anything beginning with `properties.` | Required. The name of the field that this condition will examine. | +| `equals` | string | | Optional (Alternative to `containsAny`). The value to confront with. | +| `containsAny` | array of strings | | Optional (Alternative to `equals`). Condition will be satisfied if value of the field in the event is within one of the specified here. | + + +**Sample** + +```json +"conditions":{ + "value": [ + { + "field": "category", + "equals": "Administrative" + }, + { + "field": "resourceType", + "equals": "microsoft.compute/virtualmachines" + }, + { + "field": "operationName", + "equals": "Microsoft.Compute/virtualMachines/performMaintenance/action" + } + ] +} +``` +**Sample 2** + +```json +"conditions":{ + "value": [ + { + "field": "category", + "equals": "ServiceHealth" + }, + { + "anyOf": [ + { + "field": "properties.incidentType", + "equals": "Incident" + }, + { + "field": "properties.incidentType", + "equals": "Maintenance" + } + ] + }, + { + "field": "properties.impactedServices[*].ServiceName", + "containsAny": [ + "Action Groups", + "Activity Logs & Alerts" + ] + }, + { + "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName", + "containsAny": [ + "West Europe", + "Global" + ] + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and 
tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `activityLogAlertResourceId` | string | The Resource Id of the Alert deployed. | +| `alertName` | string | The Name of the Alert. | +| `deploymentResourceGroup` | string | The name of the Resource Group the Alert was created in. | + +## Considerations + +*N/A* + +## Additional resources + +- [Activity Log alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts) +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2017-04-01/activitylogalerts) +- [Service Health notification properties](https://docs.microsoft.com/en-us/azure/service-health/service-health-notifications-properties) +- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) \ No newline at end of file diff --git a/arm/Microsoft.Insights/components/deploy.json b/arm/Microsoft.Insights/components/deploy.json new file mode 100644 index 0000000000..1e010bf90f --- /dev/null +++ b/arm/Microsoft.Insights/components/deploy.json 
@@ -0,0 +1,239 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "appInsightsName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Application Insights" + } + }, + "appInsightsType": { + "type": "string", + "allowedValues": [ + "web", + "java", + "other" + ], + "defaultValue": "web", + "metadata": { + "description": "Optional. Application type" + } + }, + "appInsightsWorkspaceResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource Id of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property." + } + }, + "appInsightsPublicNetworkAccessForIngestion": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Application Insights ingestion. - Enabled or Disabled" + } + }, + "appInsightsPublicNetworkAccessForQuery": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Application Insights query. - Enabled or Disabled" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources" + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + // Variables + "variables": { + "appInsightsresourceId": "[resourceId('Microsoft.Insights/components',parameters('appInsightsName'))]", + "builtInRoleNames": { + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + } + }, + // Resources + "resources": [ + // CUA ID + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + // Application Insights + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02-preview", + "name": "[parameters('appInsightsName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "ApplicationId": "[parameters('appInsightsName')]", + "Application_Type": "[parameters('appInsightsType')]", + "WorkspaceResourceId": "[parameters('appInsightsWorkspaceResourceId')]", + "publicNetworkAccessForIngestion": "[parameters('appInsightsPublicNetworkAccessForIngestion')]", + "publicNetworkAccessForQuery": "[parameters('appInsightsPublicNetworkAccessForQuery')]" + } + }, + // RBAC + { 
+ "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ApplicationInsights-Rbac-', copyIndex())]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('appInsightsName')]" + ], + "copy": { + "name": "applicationInsightsRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "appInsightsName": { + "value": "[parameters('appInsightsName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "appInsightsName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/components/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('appInsightsName'), '/Microsoft.Authorization/', guid(parameters('appInsightsName'), array(parameters('roleAssignment').principalIds)[copyIndex('applicationInsightsInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "applicationInsightsInnerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": 
"[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + // Functions + "functions": [], + // Outputs + "outputs": { + "appInsightsName": { + "type": "string", + "value": "[parameters('appInsightsName')]", + "metadata": { + "description": "Application Insights Resource Name" + } + }, + "appInsightsResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Insights/components',parameters('appInsightsName'))]", + "metadata": { + "description": "Application Insights Resource Id" + } + }, + "appInsightsResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "Application Insights ResourceGroup" + } + }, + "appInsightsKey": { + "type": "string", + "value": "[reference(variables('appInsightsresourceId'),'2018-05-01-preview').instrumentationKey]", + "metadata": { + "description": "Application Insights Resource Instrumentation Key" + } + }, + "appInsightsAppId": { + "type": "string", + "value": "[reference(variables('appInsightsresourceId'),'2018-05-01-preview').AppId]", + "metadata": { + "description": "Application Insights Application Id" + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Insights/components/parameters/parameters.json b/arm/Microsoft.Insights/components/parameters/parameters.json new file mode 100644 index 0000000000..cba5952017 --- /dev/null +++ b/arm/Microsoft.Insights/components/parameters/parameters.json 
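Review bot: The `appInsightsKey` output near the end of the template returns `instrumentationKey` as a plain `string`, so the key is kept in the deployment record and can be read by anyone allowed to read deployments in the resource group. Whoever holds the key can submit telemetry to the component, so I would drop the output and let consumers resolve the key where they need it, or at minimum say so in the description, e.g. `"description": "Application Insights Instrumentation Key. Stored in deployment history; treat as sensitive."`. The two `reference()` calls in the outputs pin `'2018-05-01-preview'` while the resource itself is created with `2020-02-02-preview`; one API version for both would be easier to reason about. Both `appInsightsPublicNetworkAccessFor*` parameters default to `Enabled`, which deserves a sentence in their descriptions so callers choose public ingestion and query deliberately.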
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appInsightsName": {
+ "value": "test-az-appi-weu-x-02"
+ },
+ "appInsightsWorkspaceResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.OperationalInsights/workspaces/sxx-az-la-weu-x-003"
+ }
+ // "appInsightsPublicNetworkAccessForIngestion": {
+ // "value": "Disabled"
+ // },
+ // "appInsightsPublicNetworkAccessForQuery": {
+ // "value": "Disabled"
+ // },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "User Access Administrator",
+ // "principalIds": [
+ // "xxx-xxx-xxx-xxx-xxx"
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/components/readme.md b/arm/Microsoft.Insights/components/readme.md
new file mode 100644
index 0000000000..b732ca44ae
--- /dev/null
+++ b/arm/Microsoft.Insights/components/readme.md
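Review bot: The commented-out `roleAssignments` sample uses `User Access Administrator`, a role that can grant access to other principals, as the example role for an Application Insights component. Samples get uncommented and copied, so a least-privilege role such as `"roleDefinitionIdOrName": "Monitoring Reader"` (already listed in the template's `builtInRoleNames`) is a safer illustration. The commented `appInsightsPublicNetworkAccessFor*` entries set to `Disabled` are the more restrictive choice and could be the active sample values if the test environment permits.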
@@ -0,0 +1,95 @@ +# Application Insights + +## Resource Types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Insights/components` | 2020-02-02-preview | +| `Microsoft.Insights/components/providers/roleAssignments` | 2020-04-01-preview | + + + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appInsightsName` | string | Required. Name of the Application Insights | | | +| `appInsightsType` | string | Optional. Application type | web | System.Object[] | +| `appInsightsWorkspaceResourceId` | string | Required. Resource Id of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property | | | +| `appInsightsPublicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Application Insights ingestion | Enabled | Enabled, Disabled | +| `appInsightsPublicNetworkAccessForQuery` | string | Optional. The network access type for accessing Application Insights query | Enabled | Enabled, Disabled | +| `location` | string | Optional. Location for all Resources | [resourceGroup().location] | | +| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | +| `tags` | object | Optional. Tags of the resource. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | | | + + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `appInsightsAppId` | string | Application Insights Application Id | +| `appInsightsKey` | string | Application Insights Resource Instrumentation Key | +| `appInsightsName` | string | Application Insights Resource Name | +| `appInsightsResourceGroup` | string | Application Insights ResourceGroup | +| `appInsightsResourceId` | string | Application Insights Resource Id | + +### References + +### Template references + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Components](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/[variables('appInsightsApiVersion')]/components) + + +## Considerations + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Components](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/[variables('appInsightsApiVersion')]/components) \ No newline at end of file 
diff --git a/arm/Microsoft.Insights/diagnosticSettings/deploy.json b/arm/Microsoft.Insights/diagnosticSettings/deploy.json
new file mode 100644
index 0000000000..156a4f1c3a
--- /dev/null
+++ b/arm/Microsoft.Insights/diagnosticSettings/deploy.json
@@ -0,0 +1,158 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "diagnosticsName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the ActivityLog diagnostic settings." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "location": { + "type": "string", + "defaultValue": "global", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." 
+ } + } + }, + "variables": { + "diagnosticsLogs": [ + { + "category": "Administrative", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Security", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ServiceHealth", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Alert", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Recommendation", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Policy", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Autoscale", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ResourceHealth", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('diagnosticsName')]", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), 
json('null'), parameters('eventHubName'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ], + "functions": [ + ], + "outputs": { + "diagnosticsName": { + "type": "string", + "value": "[parameters('diagnosticsName')]", + "metadata": { + "description": "The Name of the Diagnostics." + } + }, + "diagnosticResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Insights/diagnosticSettings',parameters('diagnosticsName'))]", + "metadata": { + "description": "The Resource Ids of the Diagnostics." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Insights/diagnosticSettings/parameters/parameters.json b/arm/Microsoft.Insights/diagnosticSettings/parameters/parameters.json new file mode 100644 index 0000000000..f1cf8ed9da --- /dev/null +++ b/arm/Microsoft.Insights/diagnosticSettings/parameters/parameters.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "diagnosticsName": { + "value": "sxx-az-diag-weu-x-001" + }, + "workspaceId": { + "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003" + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Insights/diagnosticSettings/readme.md b/arm/Microsoft.Insights/diagnosticSettings/readme.md new file mode 100644 index 0000000000..bded25275c --- /dev/null +++ b/arm/Microsoft.Insights/diagnosticSettings/readme.md 
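Review bot: The `logs` expression treats `eventHubName` as if it were a destination: it falls back to `json('null')` only when all four parameters are empty, so a caller who sets just `eventHubName` gets log categories with no storage account, workspace or authorization rule behind them. All three real sinks also default to `""`, and nothing in the template requires one of them, so the module can be deployed without exporting the Activity Log anywhere; whether the platform rejects that is not visible here. I would remove `empty(parameters('eventHubName'))` from the `and(...)` and state in the parameter descriptions that at least one of `diagnosticStorageAccountId`, `workspaceId` or `eventHubAuthorizationRuleId` must be supplied. The description of `diagnosticLogsRetentionInDays` could also say that `maxValue` caps retention at 365 days unless 0 is used, since that bounds how far back an investigation can reach.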
@@ -0,0 +1,39 @@
+# ActivityLog
+
+This module deploys a subscription wide export of the ActivityLog.
+
+## Resource Types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview|
+
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticsName` | string | Required. Name of the ActivityLog diagnostic settings. | | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `location` | string | Optional. Location for all resources. | global | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `diagnosticResourceId` | string | The Resource Ids of the Diagnostics. |
+| `diagnosticsName` | string | The Name of the Diagnostics. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Collect Azure Activity log with diagnostic settings (preview)](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings-subscription)
+- [Microsoft.Insights template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/allversions)
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/metricAlerts/deploy.json b/arm/Microsoft.Insights/metricAlerts/deploy.json
new file mode 100644
index 0000000000..d3da7d3c44
--- /dev/null
+++ b/arm/Microsoft.Insights/metricAlerts/deploy.json
@@ -0,0 +1,457 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Alert."
+ }
+ },
+ "alertDescription": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Description of the alert."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "global",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether this alert is enabled."
+ }
+ },
+ "severity": {
+ "type": "int",
+ "allowedValues": [
+ 0,
+ 1,
+ 2,
+ 3,
+ 4
+ ],
+ "defaultValue": 3,
+ "metadata": {
+ "description": "Optional. The severity of the alert."
+ }
+ },
+ "evaluationFrequency": {
+ "type": "string",
+ "allowedValues": [
+ "PT1M",
+ "PT5M",
+ "PT15M",
+ "PT30M",
+ "PT1H"
+ ],
+ "defaultValue": "PT5M",
+ "metadata": {
+ "description": "Optional. how often the metric alert is evaluated represented in ISO 8601 duration format."
+ }
+ },
+ "windowSize": {
+ "type": "string",
+ "allowedValues": [
+ "PT1M",
+ "PT5M",
+ "PT15M",
+ "PT30M",
+ "PT1H",
+ "PT6H",
+ "PT12H",
+ "P1D"
+ ],
+ "defaultValue": "PT15M",
+ "metadata": {
+ "description": "Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold."
+ }
+ },
+ "scopes": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. the list of resource id's that this metric alert is scoped to."
+ }
+ },
+ "targetResourceType": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The resource type of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria."
+ }
+ },
+ "targetResourceRegion": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The region of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria."
+ }
+ },
+ "autoMitigate": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. The flag that indicates whether the alert should be auto resolved or not."
+ }
+ },
+ "actions": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The list of actions to take when alert triggers."
+ }
+ },
+ "alertCriteriaType": {
+ "type": "string",
+ "defaultValue": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria",
+ "allowedValues": [
+ "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
+ "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria"
+ ],
+ "metadata": {
+ "description": "Optional. Maps to the 'odata.type' field. Specifies the type of the alert criteria."
+ }
+ },
+ "criterias": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects"
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected 
Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('alertName')]", + "type": "Microsoft.Insights/metricAlerts", + "apiVersion": "2018-03-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[parameters('alertDescription')]", + "severity": 
"[parameters('severity')]", + "enabled": "[parameters('enabled')]", + "scopes": "[parameters('scopes')]", + "evaluationFrequency": "[parameters('evaluationFrequency')]", + "windowSize": "[parameters('windowSize')]", + "targetResourceType": "[parameters('targetResourceType')]", + "targetResourceRegion": "[parameters('targetResourceRegion')]", + "criteria": { + "odata.type": "[parameters('alertCriteriaType')]", + "allOf": "[parameters('criterias')]" + }, + "autoMitigate": "[parameters('autoMitigate')]", + "actions": "[parameters('actions')]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('alertName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "alertName": { + "value": "[parameters('alertName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "alertName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/metricAlerts/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('alertName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('alertName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": 
"innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "alertName": { + "type": "string", + "value": "[parameters('alertName')]", + "metadata": { + "description": "The name of the created database." + } + }, + "deploymentResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Resource was created in." + } + }, + "metricAlertResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Insights/metricAlerts',parameters('alertName'))]", + "metadata": { + "description": "The Resource Id of the Alert deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Insights/metricAlerts/parameters/parameters.json b/arm/Microsoft.Insights/metricAlerts/parameters/parameters.json new file mode 100644 index 0000000000..ca22e5d018 --- /dev/null +++ b/arm/Microsoft.Insights/metricAlerts/parameters/parameters.json 
@@ -0,0 +1,53 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertName": {
+ "value": "sxx-az-alrt-weu-x-001"
+ },
+ "scopes": {
+ "value": [
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Compute/virtualMachines/sxxazvmweux01"
+ ]
+ },
+ "windowSize": {
+ "value": "PT15M"
+ },
+ "actions": {
+ "value": [{
+ "actionGroupId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/microsoft.insights/actiongroups/sxx-az-ag-weu-x-003"
+ }]
+ },
+ "targetResourceType": {
+ "value": "microsoft.compute/virtualmachines"
+ },
+ "targetResourceRegion": {
+ "value": "westeurope"
+ },
+ "criterias": {
+ "value": [{
+ "criterionType": "StaticThresholdCriterion",
+ "metricName": "Percentage CPU",
+ "metricNamespace": "microsoft.compute/virtualmachines",
+ "name": "HighCPU",
+ "operator": "GreaterThan",
+ "threshold": "90",
+ "timeAggregation": "Average"
+ }]
+ },
+ "alertCriteriaType": {
+ "value": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/metricAlerts/readme.md b/arm/Microsoft.Insights/metricAlerts/readme.md
new file mode 100644
index 0000000000..e1cafad869
--- /dev/null
+++ b/arm/Microsoft.Insights/metricAlerts/readme.md
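Review bot: The `scopes` and `actionGroupId` values in this parameter file hard-code the subscription ID `8629be3b-96bc-482d-a04b-ffff597c65a2` together with concrete resource group, VM and action group names, which reads like a real environment rather than a sample. A subscription ID is not a credential, but publishing it next to resource names discloses environment layout and ties a shared module to one tenant. The module's own readme already uses the neutral form `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/...` for `actionGroupId`; the parameter file should use the same placeholder style or have the IDs injected by the pipeline. The same ID also appears in the `scopedResources` sample of the privateLinkScopes readme later in this patch.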
@@ -0,0 +1,167 @@ +# Metric Alert +This module deploys an Alert based on metrics + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Insights/metricAlerts`|2018-03-01| +|`Microsoft.Insights/metricAlerts/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | +| `alertCriteriaType` | string | Optional. Maps to the 'odata.type' field. Specifies the type of the alert criteria. | Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria | System.Object[] | +| `alertDescription` | string | Optional. Description of the alert. | | | +| `alertName` | string | Required. The name of the Alert. | | | +| `autoMitigate` | bool | Optional. The flag that indicates whether the alert should be auto resolved or not. | True | | +| `criterias` | array | Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor. MultipleResourceMultipleMetricCriteria' objects | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `enabled` | bool | Optional. Indicates whether this alert is enabled. | True | | +| `evaluationFrequency` | string | Optional. how often the metric alert is evaluated represented in ISO 8601 duration format. | PT5M | System.Object[] | +| `location` | string | Optional. Location for all resources. | global | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `scopes` | array | Required. the list of resource id's that this metric alert is scoped to. | | | +| `severity` | int | Optional. The severity of the alert. | 3 | System.Object[] | +| `tags` | object | Optional. Tags of the resource. | | | +| `targetResourceRegion` | string | Optional. The region of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | | | +| `targetResourceType` | string | Optional. The resource type of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | | | +| `windowSize` | string | Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | PT15M | System.Object[] | + +### Parameter Usage: actions + +```json +"actions": { + "value": [ + { + "actionGroupId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/microsoft.insights/actiongroups/ActionGroupName", + "webhookProperties": {} + } + ] +} +``` +`webhookProperties` is optional. 
+ +### Parameter Usage: criterias + +**SingleResourceMultipleMetricCriteria** +```json +{ + "criterionType": "string", + "dimensions": [], + "metricName": "string", + "metricNamespace": "string", + "name": "string", + "operator": "string", + "threshold": "integer", + "timeAggregation": "string" +} +``` + +**MultipleResourceMultipleMetricCriteria** +```json +{ + "criterionType": "string", + "dimensions": [], + "metricName": "string", + "metricNamespace": "string", + "name": "string", + "operator": "string", + "threshold": "integer", + "timeAggregation": "string", + "alertSensitivity": "string", + "failingPeriods": { + "minFailingPeriodsToAlert": "integer", + "numberOfEvaluationPeriods": "integer" + }, + "ignoreDataBefore": "string" +} +``` + +**Sample** +The following sample can be use both for Single and Multiple criterias. The other parameters are optional. +```json +"criterias":{ + "value": [ + { + "criterionType": "StaticThresholdCriterion", + "metricName": "Percentage CPU", + "metricNamespace": "microsoft.compute/virtualmachines", + "name": "HighCPU", + "operator": "GreaterThan", + "threshold": "90", + "timeAggregation": "Average" + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Additional notes on parameters +- When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory (see above) +- MultipleResourceMultipleMetricCriteria is suggested, as additional scopes can be added later +- It's not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. Delete and re-create the alert. + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `alertName` | string | The name of the created database. | +| `deploymentResourceGroup` | string | The name of the Resource Group the Resource was created in. | +| `metricAlertResourceId` | string | The Resource Id of the Alert deployed. | + +## Considerations + +## Additional resources + +- [Metric alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-overview) +- [Template reference](hhttps://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2018-03-01/metricalerts) +- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) \ No newline at end of file diff --git a/arm/Microsoft.Insights/privateLinkScopes/deploy.json b/arm/Microsoft.Insights/privateLinkScopes/deploy.json new file mode 100644 index 0000000000..a32b28e1a6 --- /dev/null +++ b/arm/Microsoft.Insights/privateLinkScopes/deploy.json 
@@ -0,0 +1,377 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateLinkScopeName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Private Link Scope." + } + }, + "location": { + "type": "string", + "defaultValue": "global", + "metadata": { + "description": "Optional. The location of the Private Link Scope. Should be global." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Private Link Scope from deletion." + } + }, + "roleAssignments": { + "defaultValue": [], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "scopedResources": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for Azure Monitor Resources." + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Resource tags." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Insights/privateLinkScopes", + "apiVersion": "2019-10-17-preview", + "name": "[parameters('privateLinkScopeName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": {}, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/privateLinkScopeDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Insights/privateLinkScopes/', parameters('privateLinkScopeName'))]" + ], + "comments": "Resource lock on Private Link Scope", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + // Scoped Resources + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('scopedResources')))]", + "name": "[concat('scopedResources','-',copyIndex())]", + "copy": { + "name": "scopedResourcesCopy", + "count": "[length(parameters('scopedResources'))]" + }, + "dependsOn": [ + "[parameters('privateLinkScopeName')]" + ], + "properties": { + 
"mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateLinkScopeName": { + "value": "[parameters('privateLinkScopeName')]" + }, + "scopedResource": { + "value": "[parameters('scopedResources')[copyIndex()]]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateLinkScopeName": { + "type": "string" + }, + "scopedResource": { + "type": "object" + } + }, + "variables": { + "scopedResourceName": "[last(split(parameters('scopedResource').linkedResourceId,'/'))]", + "scopedResource": { + "name": "[concat(parameters('privateLinkScopeName'),'/scoped-', variables('scopedResourceName'), '-', guid(uniqueString(concat(parameters('privateLinkScopeName'), parameters('scopedResource').linkedResourceId) )))]", + "linkedResourceId": "[parameters('scopedResource').linkedResourceId]" + } + }, + "resources": [ + { + "type": "microsoft.insights/privatelinkscopes/scopedresources", + "apiVersion": "2019-10-17-preview", + "name": "[variables('scopedResource').name]", + "properties": { + "linkedResourceId": "[variables('scopedResource').linkedResourceId]" + } + } + ] + } + } + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "name": "[concat('privateEndpoints','-',copyIndex())]", + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "dependsOn": [ + "[parameters('privateLinkScopeName')]", + "scopedResourcesCopy" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.Insights/privateLinkScopes/', parameters('privateLinkScopeName'))]" + }, + "privateEndpointVnetLocation": { + "value": 
"[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + 
"tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + // Role Assignments + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('privateLinkScopeName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + 
"privateLinkScopeName": { + "value": "[parameters('privateLinkScopeName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "privateLinkScopeName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/privateLinkScopes/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('privateLinkScopeName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('privateLinkScopeName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "privateLinkScopeResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Insights/privateLinkScopes', parameters('privateLinkScopeName'))]", + "metadata": { + "description": "The Resource Id of the Private Link Scope." + } + }, + "privateLinkScopeResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Private Link Scope was created in." 
+ } + }, + "privateLinkScopeName": { + "type": "string", + "value": "[parameters('privateLinkScopeName')]", + "metadata": { + "description": "The Name of the Private Link Scope." + } + } + } +} diff --git a/arm/Microsoft.Insights/privateLinkScopes/parameters/parameters.json b/arm/Microsoft.Insights/privateLinkScopes/parameters/parameters.json new file mode 100644 index 0000000000..50c12bee1c --- /dev/null +++ b/arm/Microsoft.Insights/privateLinkScopes/parameters/parameters.json 
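Review bot: The role-assignment name in the inner `rbac-` deployment is seeded only from the scope name, the principal ID and the role string, `guid(uniqueString(concat(parameters('privateLinkScopeName'), ...)))`, so the same scope name, principal and role deployed into a second resource group or subscription yields the identical GUID. Azure documents role-assignment names as needing to be unique across the tenant, so that second deployment can fail with a conflict. The `uniqueString` wrapper also reduces the seed to a 13-character hash before `guid` sees it, and `concat` joins the parts without a delimiter. Seeding `guid` with the fully qualified scope avoids all three: `guid(resourceId('Microsoft.Insights/privateLinkScopes', parameters('privateLinkScopeName')), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName)`. The metricAlerts template earlier in this patch builds its role-assignment name the same way.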
@@ -0,0 +1,44 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateLinkScopeName": {
+ "value": "test-az-pls-weu-x-001"
+ }
+ // "scopedResources": {
+ // "value": [
+ // {
+ // "linkedResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/testlaw"
+ // },
+ // {
+ // "linkedResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/microsoft.insights/components/testai"
+ // }
+ // ]
+ // },
+ // "privateEndpoints": {
+ // "value": [
+ // {
+ // "name": "test-az-sa-cac-y-123-pe",
+ // "subnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/testvnet/subnets/testnet",
+ // "service": "azuremonitor",
+ // "privateDnsZoneResourceIds": [
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/privateDnsZones/privatelink.agentsvc.azure-automation.net",
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/privateDnsZones/privatelink.monitor.azure.com",
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/privateDnsZones/privatelink.ods.opinsights.azure.com",
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/privateDnsZones/privatelink.oms.opinsights.azure.com"
+ // ]
+ // }
+ // ]
+ // },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "User Access Administrator",
+ // "principalIds": [
+ // "xxx-xxx-xxx-xxx-xxx"
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/privateLinkScopes/readme.md b/arm/Microsoft.Insights/privateLinkScopes/readme.md
new file mode 100644
index 0000000000..98af156710
--- /dev/null
+++ b/arm/Microsoft.Insights/privateLinkScopes/readme.md
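Review bot: The commented-out `roleAssignments` sample uses `"roleDefinitionIdOrName": "User Access Administrator"`, a role that lets its holder manage access for others, and this is the example people will uncomment and copy. The template in this patch passes the value straight into a role assignment on the Private Link Scope, so the sample should model the least privilege needed, for example `"roleDefinitionIdOrName": "Monitoring Reader"`, which is already a key in the template's `builtInRoleNames`. Grants of `Owner` or `User Access Administrator` are better kept in a reviewed, environment-specific parameter file than in the module's default sample.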
@@ -0,0 +1,148 @@ +# Azure Monitor Private Link Scope + +This module deploys Azure Monitor Private Link Scope + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Insights/privateLinkScopes` | 2019-10-17-preview | +| `microsoft.insights/privatelinkscopes/scopedresources` | 2019-10-17-preview | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Insights/privateLinkScopes/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `privateLinkScopeName` | string | | | Required. Name of the Private Link Scope. +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Private Link Scope from deletion. +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `scopedResources` | array | [] | Complex structure, see below. | Optional. Configuration Details for Azure Monitor Resources. +| `privateEndpoints` | array | System.Object[] | Complex structure, see below. | Optional. Configuration Details for private endpoints. | +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. 
+ +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `scopedResources` + +```json +"scopedResources": { + "value": [ + { + "linkedResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/prd-monitoring-rg/providers/microsoft.operationalinsights/workspaces/z1-prd-law-01" + } + ] +} +``` + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoints the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "azuremonitor", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.agentsvc.azure-automation.net", + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.monitor.azure.com", + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.ods.opinsights.azure.com", + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.oms.opinsights.azure.com" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "azuremonitor" + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `privateLinkScopeResourceId` | string | The Resource Id of the Private Link Scope. | +| `privateLinkScopeResourceGroup` | string | The name of the Resource Group the Private Link Scope was created in. | +| `privateLinkScopeName` | string | The Name of the Private Link Scope. | + +## Considerations + +**N/A* + +## Additional resources + +- [Azure Monitor Private Link Scope Documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/private-link-security) +- [Microsoft.Insights privateLinkScopes template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/privatelinkscopes) +- [Microsoft.Insights privateLinkScopes scopedResources template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/privatelinkscopes/scopedresources) +- [Microsoft.Network privateEndpoints template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints) +- [Microsoft.Network privateEndpoints privateDnsZoneGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints/privatednszonegroups) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) \ No newline at end of file diff --git a/arm/Microsoft.Insights/scheduledQueryRules/deploy.json b/arm/Microsoft.Insights/scheduledQueryRules/deploy.json new file mode 100644 index 0000000000..0213ccf569 --- /dev/null +++ b/arm/Microsoft.Insights/scheduledQueryRules/deploy.json 
@@ -0,0 +1,309 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "alertName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Alert." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "alertDescription": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Description of the alert." + } + }, + "enabled": { + "type": "string", + "defaultValue": "true", + "allowedValues": [ + "true", + "false" + ], + "metadata": { + "description": "Optional. Indicates whether this alert is enabled." + } + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the Log Analytics workspace where the query needs to be executed" + } + }, + "severity": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3, + 4 + ], + "defaultValue": 3, + "metadata": { + "description": "Optional. The severity of the alert." + } + }, + "evaluationFrequency": { + "type": "int", + "allowedValues": [ + 5, + 10, + 15, + 30, + 45, + 60, + 120, + 180, + 240, + 300, + 360, + 1440 + ], + "defaultValue": 5, + "metadata": { + "description": "Optional. How often the metric alert is evaluated (in minutes)." + } + }, + "windowSize": { + "type": "int", + "allowedValues": [ + 5, + 10, + 15, + 30, + 45, + 60, + 120, + 180, + 240, + 300, + 360, + 1440, + 2880 + ], + "defaultValue": 60, + "metadata": { + "description": "Optional. The period of time (in minutes) that is used to monitor alert activity based on the threshold." + } + }, + "authorizedResources": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. The list of resource id's referenced in the query." 
+ } + }, + "query": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The query to execute" + } + }, + "metricResultCountThresholdOperator": { + "type": "string", + "defaultValue": "GreaterThan", + "allowedValues": [ + "GreaterThan", + "Equal", + "LessThan" + ], + "metadata": { + "description": "Optional. Operator of threshold breaches to trigger the alert." + } + }, + "metricResultCountThreshold": { + "type": "int", + "minValue": 0, + "maxValue": 10000, + "defaultValue": 0, + "metadata": { + "description": "Optional. Operator for metric or number of result evaluation." + } + }, + "metricColumn": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Variable (column) on which the query result will be grouped and then evaluated for trigger condition. Use comma to specify more than one. Leave empty to use \"Number of results\" type of alert logic" + } + }, + "breachesThresholdOperator": { + "type": "string", + "defaultValue": "GreaterThan", + "allowedValues": [ + "GreaterThan", + "Equal", + "LessThan" + ], + "metadata": { + "description": "Optional. If `metricColumn` is specified, operator for the breaches count evaluation to trigger the alert. Not used if using result count trigger." + } + }, + "breachesTriggerType": { + "type": "string", + "defaultValue": "Consecutive", + "allowedValues": [ + "Consecutive", + "Total" + ], + "metadata": { + "description": "Optional. Type of aggregation of threadshold violation" + } + }, + "breachesThreshold": { + "type": "int", + "defaultValue": 3, + "minValue": 0, + "maxValue": 10000, + "metadata": { + "description": "Optional. Number of threadshold violation to trigger the alert" + } + }, + "actions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. The list of actions to take when alert triggers." + } + }, + "criterias": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. 
The list of action alert creterias." + } + }, + "odataType": { + "type": "string", + "defaultValue": "AlertingAction", + "allowedValues": [ + "AlertingAction", + "LogToMetricAction" + ], + "metadata": { + "description": "Optional. Type of the alert criteria." + } + }, + "suppressForMinutes": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. Suppress Alert for (in minutes)." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "metricTrigger": { + "metricColumn": "[parameters('metricColumn')]", + "metricTriggerType": "[parameters('breachesTriggerType')]", + "threshold": "[parameters('breachesThreshold')]", + "thresholdOperator": "[parameters('breachesThresholdOperator')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('alertName')]", + "type": "microsoft.insights/scheduledQueryRules", + "apiVersion": "2018-04-16", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[parameters('alertDescription')]", + "enabled": "[parameters('enabled')]", + "source": { + "query": "[parameters('query')]", + "authorizedResources": "[parameters('authorizedResources')]", + "dataSourceId": "[parameters('workspaceResourceId')]", + "queryType": "ResultCount" + }, + "schedule": { + "frequencyInMinutes": 
"[parameters('evaluationFrequency')]", + "timeWindowInMinutes": "[parameters('windowSize')]" + }, + "action": { + "severity": "[parameters('severity')]", + "aznsAction": { + "actionGroup": "[parameters('actions')]" + }, + "throttlingInMin": "[parameters('suppressForMinutes')]", + "trigger": { + "thresholdOperator": "[parameters('metricResultCountThresholdOperator')]", + "threshold": "[parameters('metricResultCountThreshold')]", + "metricTrigger": "[if(empty(parameters('metricColumn')),json('null'),variables('metricTrigger'))]" + }, + "criteria": "[parameters('criterias')]", + "odata.type": "[concat('Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.', parameters('odataType'))]" + } + } + } + ], + "functions": [ + ], + "outputs": { + "deploymentName": { + "type": "string", + "value": "[parameters('alertName')]", + "metadata": { + "description": "The Deployment Name." + } + }, + "deploymentResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Resource was created in." + } + }, + "queryAlertResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Insights/metricAlerts',parameters('alertName'))]", + "metadata": { + "description": "The Resource Id of the Alert deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Insights/scheduledQueryRules/parameters/parameters.json b/arm/Microsoft.Insights/scheduledQueryRules/parameters/parameters.json new file mode 100644 index 0000000000..651337fe17 --- /dev/null +++ b/arm/Microsoft.Insights/scheduledQueryRules/parameters/parameters.json 
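Review bot: The `queryAlertResourceId` output is built with `resourceId('Microsoft.Insights/metricAlerts',parameters('alertName'))`, but the resource this template deploys is `microsoft.insights/scheduledQueryRules`, so the output names a resource that was never created and any consumer of it (a lock, a role assignment, a later lookup) will miss the rule. It should read `"value": "[resourceId('Microsoft.Insights/scheduledQueryRules', parameters('alertName'))]"`. Separately, `query` is declared optional with `"defaultValue": ""`, so a parameter file that forgets it still validates against the template; whether the service rejects an empty query is not visible here, and dropping the default to make the parameter required would surface the omission before deployment.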
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertName": {
+ "value": "myAlert01"
+ },
+ "workspaceResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/artifacts-rg/providers/Microsoft.OperationalInsights/workspaces/myLogAnalytics01"
+ },
+ "query": {
+ "value": "Perf | where ObjectName == \"LogicalDisk\" | where CounterName == \"% Free Space\" | where InstanceName <> \"HarddiskVolume1\" and InstanceName <> \"_Total\" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)"
+ },
+ "breachesThresholdOperator": {
+ "value": "LessThan"
+ },
+ "metricColumn": {
+ "value": "Computer,InstanceName"
+ },
+ "breachesTriggerType": {
+ "value": "Total"
+ },
+ "breachesThreshold": {
+ "value": 3
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/scheduledQueryRules/readme.md b/arm/Microsoft.Insights/scheduledQueryRules/readme.md
new file mode 100644
index 0000000000..429bed75c2
--- /dev/null
+++ b/arm/Microsoft.Insights/scheduledQueryRules/readme.md
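Review bot: `workspaceResourceId` embeds a concrete subscription GUID (`8629be3b-96bc-482d-a04b-ffff597c65a2`) and resource group name, whereas the privateLinkScopes parameter file in this same patch uses `xxx-xxx-xxx-xxx-xxx` placeholders. A subscription ID is not a credential, but committing it ties the sample to one environment and publishes tenant detail for no benefit. A placeholder or pipeline-substituted token, for example `/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>`, keeps the parameter files consistent.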
@@ -0,0 +1,70 @@ +# Scheduled Query Rules +This module deploys an Alert based on metrics + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`microsoft.insights/scheduledQueryRules`|2018-04-16| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | +| `alertDescription` | string | Optional. Description of the alert. | | | +| `alertName` | string | Required. The name of the Alert. | | | +| `authorizedResources` | array | Optional. The list of resource id's referenced in the query. | System.Object[] | | +| `breachesThreshold` | int | Optional. Number of threadshold violation to trigger the alert | 3 | | +| `breachesThresholdOperator` | string | Optional. If `metricColumn` is specified, operator for the breaches count evaluation to trigger the alert. Not used if using result count trigger. | GreaterThan | System.Object[] | +| `breachesTriggerType` | string | Optional. Type of aggregation of threadshold violation | Consecutive | System.Object[] | +| `criterias` | array | Optional. The list of action alert creterias. | System.Object[] | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `enabled` | string | Optional. Indicates whether this alert is enabled. | true | System.Object[] | +| `evaluationFrequency` | int | Optional. How often the metric alert is evaluated (in minutes). | 5 | System.Object[] | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `metricColumn` | string | Optional. Variable (column) on which the query result will be grouped and then evaluated for trigger condition. Use comma to specify more than one. 
Leave empty to use "Number of results" type of alert logic | | | +| `metricResultCountThreshold` | int | Optional. Operator for metric or number of result evaluation. | 0 | | +| `metricResultCountThresholdOperator` | string | Optional. Operator of threshold breaches to trigger the alert. | GreaterThan | System.Object[] | +| `odataType` | string | Optional. Type of the alert criteria. | AlertingAction | System.Object[] | +| `query` | string | Optional. The query to execute | | | +| `severity` | int | Optional. The severity of the alert. | 3 | System.Object[] | +| `suppressForMinutes` | int | Optional. Suppress Alert for (in minutes). | 0 | | +| `tags` | object | Optional. Tags of the resource. | | | +| `windowSize` | int | Optional. The period of time (in minutes) that is used to monitor alert activity based on the threshold. | 60 | System.Object[] | +| `workspaceResourceId` | string | Required. Resource ID of the Log Analytics workspace where the query needs to be executed | | | + + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `deploymentName` | string | The Deployment Name. | +| `deploymentResourceGroup` | string | The name of the Resource Group the Resource was created in. | +| `queryAlertResourceId` | string | The Resource Id of the Alert deployed. 
| + +## Considerations + +## Additional resources +- [Log query based alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log) +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2018-04-16/scheduledqueryrules) +- [Kusto language](https://docs.microsoft.com/en-us/azure/kusto/query/) +- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) \ No newline at end of file diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep new file mode 100644 index 0000000000..4a16ebcc28 --- /dev/null +++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_name_location_KeyVault_PrivateEndpoints.bicep 
@@ -0,0 +1,52 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpoint object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}')
+ subnetResourceId: privateEndpoint.subnetResourceId
+ service: [
+ privateEndpoint.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpoint, 'privateDnsZoneResourceIds') ? (empty(privateEndpoint.privateDnsZoneResourceIds) ? createArray() : privateEndpoint.privateDnsZoneResourceIds) : createArray())
+ customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? json('null') : privateEndpoint.customDnsConfigs) : json('null'))
+}
+
+resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2020-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateEndpoint_name_default 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint_var.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+ }
+ }]
+ }
+ dependsOn: [
+ privateEndpoint_name
+ ]
+}
\ No newline at end of file
diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep
new file mode 100644
index 0000000000..102fd302d2
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac_name.bicep
@@ -0,0 +1,12 @@
+param roleAssignment object
+param builtInRoleNames object
+param keyVaultName string
+
+resource keyVaultName_Microsoft_Authorization_keyVaultName_roleAssignment_principalIds_innerRbacCopy_roleAssignment_roleDefinitionIdOrName 'Microsoft.KeyVault/vaults/providers/roleAssignments@2018-09-01-preview' = [for i in range(0, length(roleAssignment.principalIds)): {
+ name: '${keyVaultName}/Microsoft.Authorization/${guid(uniqueString(concat(keyVaultName, array(roleAssignment.principalIds)[i], roleAssignment.roleDefinitionIdOrName)))}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ principalId: array(roleAssignment.principalIds)[i]
+ }
+ dependsOn: []
+}]
\ No newline at end of file
diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep
new file mode 100644
index 0000000000..ad4c72bf66
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep
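Review bot: None of the four parameters in nested_name_location_KeyVault_PrivateEndpoints.bicep carries a `@description`, and `privateEndpoint` is an untyped `object` whose required keys (`subnetResourceId`, `service`) and optional keys (`name`, `privateDnsZoneResourceIds`, `customDnsConfigs`) can only be learned by reading the `privateEndpoint_var` expression. I would add decorators such as `@description('Required. Resource ID of the service the private endpoint connects to.')` on `privateEndpointResourceId`, and one on `privateEndpoint` that lists those keys. As a style point, the decompiler leftovers `json('null')` and `createArray()` read better as `null` and `[]`, and the explicit `dependsOn` on `privateEndpoint_name_default` becomes unnecessary if the child is declared with `parent: privateEndpoint_name` and `name: 'default'`.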
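Review bot: In nested_rbac_name.bicep the assignment name is derived as `guid(uniqueString(concat(...)))`, which first reduces the three inputs to the short `uniqueString` hash and only then expands that to a GUID, so the name carries less entropy than its format suggests. `guid()` takes several strings directly: `guid(keyVaultName, array(roleAssignment.principalIds)[i], roleAssignment.roleDefinitionIdOrName)`. Changing the derivation changes the generated names, so check how already-deployed assignments would be affected before switching. Also, when `roleDefinitionIdOrName` is not a key of `builtInRoleNames` it is passed through unchanged as `roleDefinitionId`, so a misspelled role name is only caught at deployment time; a `@description` on `roleAssignment` stating that fallback would help callers.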
@@ -0,0 +1,277 @@ +@description('Optional. Name of the Key Vault. If no name is provided, then unique name will be created.') +@maxLength(24) +param keyVaultName string = '' + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Array of access policies object') +param accessPolicies array = [] + +@description('Optional. All secrets [{"secretName":"","secretValue":""} wrapped in a secure object]') +@secure() +param secretsObject object = { + secrets: [] +} + +@description('Optional. All keys [{"keyName":"","keyType":"","keyOps":"","keySize":"","curvename":""} wrapped in a secure object]') +@secure() +param keysObject object = { + keys: [] +} + +@description('Optional. Specifies if the vault is enabled for deployment by script or compute') +@allowed([ + true + false +]) +param enableVaultForDeployment bool = true + +@description('Optional. Specifies if the vault is enabled for a template deployment') +@allowed([ + true + false +]) +param enableVaultForTemplateDeployment bool = true + +@description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.') +@allowed([ + true + false +]) +param enableVaultForDiskEncryption bool = true + +@description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.') +param enableSoftDelete bool = true + +@description('Optional. softDelete data retention days. It accepts >=7 and <=90.') +param softDeleteRetentionInDays int = 90 + +@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. 
If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.') +param enableRbacAuthorization bool = false + +@description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.') +param createMode string = 'default' + +@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.') +param enablePurgeProtection bool = false + +@description('Optional. Specifies the SKU for the vault') +@allowed([ + 'Premium' + 'Standard' +]) +param vaultSku string = 'Premium' + +@description('Optional. Service endpoint object information') +param networkAcls object = {} + +@description('Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well') +param vNetId string = '' + +@description('Optional. The name of the Diagnostic setting.') +param diagnosticSettingName string = 'service' + +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource identifier of the Diagnostic Storage Account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource identifier of Log Analytics.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + +@description('Optional. Switch to lock Key Vault from deletion.') +param lockForDeletion bool = false + +@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + +@description('Optional. Configuration Details for private endpoints.') +param privateEndpoints array = [] + +@description('Optional. Resource tags.') +param tags object = {} + +@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') +param cuaId string = '' + +@description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') +param baseTime string = utcNow('u') + +var moduleName = 'Key Vault' +var maxNameLength = 24 +var uniqueKeyVaultNameUntrim = uniqueString(concat(moduleName, baseTime)) +var uniqueKeyVaultName = ((length(uniqueKeyVaultNameUntrim) > maxNameLength) ? substring(uniqueKeyVaultNameUntrim, 0, maxNameLength) : uniqueKeyVaultNameUntrim) +var keyVaultName_var = (empty(keyVaultName) ? uniqueKeyVaultName : keyVaultName) +var deployServiceEndpoint = (!empty(networkAcls)) +var virtualNetworkRules = { + virtualNetworkRules: [for j in range(0, ((!deployServiceEndpoint) ? 0 : length(networkAcls.virtualNetworkRules))): { + id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[j].subnet}' + }] +} +var networkAcls_var = { + bypass: ((!deployServiceEndpoint) ? json('null') : networkAcls.bypass) + defaultAction: ((!deployServiceEndpoint) ? json('null') : networkAcls.defaultAction) + virtualNetworkRules: ((!deployServiceEndpoint) ? json('null') : ((length(networkAcls.virtualNetworkRules) == 0) ? emptyArray : virtualNetworkRules.virtualNetworkRules)) + ipRules: ((!deployServiceEndpoint) ? 
json('null') : ((length(networkAcls.ipRules) == 0) ? emptyArray : networkAcls.ipRules)) +} +var emptyArray = [] +var diagnosticsMetrics = [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var diagnosticsLogs = [ + { + category: 'AuditEvent' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var builtInRoleNames = { + Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' + 'Key Vault Administrator (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483' + 'Key Vault Certificates Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985' + 'Key Vault Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' + 'Key Vault Crypto Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603' + 'Key Vault Crypto Service Encryption User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6' + 'Key Vault Crypto User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424' + 'Key Vault 
Reader (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2' + 'Key Vault Secrets Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7' + 'Key Vault Secrets User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6' + 'Log Analytics Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' + 'Log Analytics Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' + 'Managed Application Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Managed Application Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' + 'Managed Applications Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' + 'Monitoring Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' + 'Monitoring Metrics Publisher': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' + 'Monitoring Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' + 'Resource Policy Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' + 'User Access Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' + 'Azure Service Deploy Release Management Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21d96096-b162-414a-8302-d8354f9d91b2' + masterreader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2' +} + +resource keyVaultName_resource 'Microsoft.KeyVault/vaults@2019-09-01' = { + name: keyVaultName_var + location: location + tags: tags + properties: { + enabledForDeployment: enableVaultForDeployment + enabledForTemplateDeployment: enableVaultForTemplateDeployment + enabledForDiskEncryption: enableVaultForDiskEncryption + enableSoftDelete: enableSoftDelete + softDeleteRetentionInDays: softDeleteRetentionInDays + enableRbacAuthorization: enableRbacAuthorization + createMode: createMode + enablePurgeProtection: ((!enablePurgeProtection) ? json('null') : enablePurgeProtection) + tenantId: subscription().tenantId + accessPolicies: accessPolicies + sku: { + name: vaultSku + family: 'A' + } + networkAcls: ((!deployServiceEndpoint) ? 
json('null') : networkAcls_var) + } +} + +resource keyVaultName_Microsoft_Authorization_keyVaultDoNotDelete 'Microsoft.KeyVault/vaults/providers/locks@2016-09-01' = if (lockForDeletion) { + name: '${keyVaultName_var}/Microsoft.Authorization/keyVaultDoNotDelete' + properties: { + level: 'CannotDelete' + } + dependsOn: [ + keyVaultName_resource + ] +} + +resource keyVaultName_Microsoft_Insights_diagnosticSettingName 'Microsoft.KeyVault/vaults/providers/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${keyVaultName_var}/Microsoft.Insights/${diagnosticSettingName}' + location: location + properties: { + storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) + workspaceId: (empty(workspaceId) ? json('null') : workspaceId) + eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) + eventHubName: (empty(eventHubName) ? json('null') : eventHubName) + metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) + } + dependsOn: [ + keyVaultName_resource + ] +} + +resource secretsObject_secrets_keyVaultName_secretEntity_keyVaultName_secretsObject_secrets_secretName 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for i in range(0, length(secretsObject.secrets)): if (!empty(secretsObject.secrets)) { + name: (empty(secretsObject.secrets) ? 
'${keyVaultName_var}/secretEntity' : '${keyVaultName_var}/${secretsObject.secrets[i].secretName}') + properties: { + value: secretsObject.secrets[i].secretValue + } + dependsOn: [ + keyVaultName_resource + ] +}] + +resource keysObject_keys_keyVaultName_keyEntity_keyVaultName_keysObject_keys_keyName 'Microsoft.KeyVault/vaults/keys@2019-09-01' = [for i in range(0, length(keysObject.keys)): if (!empty(keysObject.keys)) { + name: (empty(keysObject.keys) ? '${keyVaultName_var}/keyEntity' : '${keyVaultName_var}/${keysObject.keys[i].keyName}') + location: location + properties: { + kty: keysObject.keys[i].keyType + keyOps: keysObject.keys[i].keyOps + keySize: keysObject.keys[i].keySize + curveName: keysObject.keys[i].curveName + } + dependsOn: [ + keyVaultName_resource + ] +}] + +module name_location_KeyVault_PrivateEndpoints './nested_name_location_KeyVault_PrivateEndpoints.bicep' = [for (item, i) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoints-${i}' + params: { + privateEndpointResourceId: keyVaultName_resource.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(item.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpoint: item + tags: tags + } + dependsOn: [ + keyVaultName_resource + ] +}] + +module rbac_name './nested_rbac_name.bicep' = [for (item, i) in roleAssignments: { + name: 'rbac-${deployment().name}${i}' + params: { + roleAssignment: item + builtInRoleNames: builtInRoleNames + keyVaultName: keyVaultName_var + } + dependsOn: [ + keyVaultName_resource + ] +}] + +output keyVaultResourceId string = keyVaultName_resource.id +output keyVaultResourceGroup string = resourceGroup().name +output keyVaultName string = keyVaultName_var +output keyVaultUrl string = reference(keyVaultName_resource.id, '2019-09-01').vaultUri 
diff --git a/arm/Microsoft.KeyVault/vaults/deploy.json b/arm/Microsoft.KeyVault/vaults/deploy.json
new file mode 100644
index 0000000000..5ea746d658
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/deploy.json
@@ -0,0 +1,626 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "keyVaultName": { + "type": "string", + "defaultValue": "", + "maxLength": 24, + "metadata": { + "description": "Optional. Name of the Key Vault. If no name is provided, then unique name will be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "accessPolicies": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Array of access policies object" + } + }, + "secretsObject": { + "type": "secureObject", + "defaultValue": { + "secrets": [ + ] + }, + "metadata": { + "description": "Optional. All secrets [{\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object]" + } + }, + "keysObject": { + "type": "secureObject", + "defaultValue": { + "keys": [ + ] + }, + "metadata": { + "description": "Optional. All keys [{\"keyName\":\"\",\"keyType\":\"\",\"keyOps\":\"\",\"keySize\":\"\",\"curvename\":\"\"} wrapped in a secure object]" + } + }, + "enableVaultForDeployment": { + "type": "bool", + "defaultValue": true, + "allowedValues": [ + true, + false + ], + "metadata": { + "description": "Optional. Specifies if the vault is enabled for deployment by script or compute" + } + }, + "enableVaultForTemplateDeployment": { + "type": "bool", + "defaultValue": true, + "allowedValues": [ + true, + false + ], + "metadata": { + "description": "Optional. Specifies if the vault is enabled for a template deployment" + } + }, + "enableVaultForDiskEncryption": { + "type": "bool", + "defaultValue": true, + "allowedValues": [ + true, + false + ], + "metadata": { + "description": "Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios." 
+ } + }, + "enableSoftDelete": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Switch to enable/disable Key Vault's soft delete feature." + } + }, + "softDeleteRetentionInDays": { + "type": "int", + "defaultValue": 90, + "metadata": { + "description": "Optional. softDelete data retention days. It accepts >=7 and <=90." + } + }, + "enableRbacAuthorization": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." + } + }, + "createMode": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default." + } + }, + "enablePurgeProtection": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Provide 'true' to enable Key Vault's purge protection feature." + } + }, + "vaultSku": { + "type": "string", + "defaultValue": "Premium", + "allowedValues": [ + "Premium", + "Standard" + ], + "metadata": { + "description": "Optional. Specifies the SKU for the vault" + } + }, + "networkAcls": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Service endpoint object information" + } + }, + "vNetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well" + } + }, + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Resource tags." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules." + } + } + }, + + "variables": { + "moduleName": "Key Vault", + "maxNameLength": 24, + "uniqueKeyVaultNameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]", + "uniqueKeyVaultName": "[if(greater(length(variables('uniqueKeyVaultNameUntrim')),variables('maxNameLength')),substring(variables('uniqueKeyVaultNameUntrim'),0,variables('maxNameLength')),variables('uniqueKeyVaultNameUntrim'))]", + "keyVaultName": "[if(empty(parameters('keyVaultName')),variables('uniqueKeyVaultName'),parameters('keyVaultName'))]", + "deployServiceEndpoint": "[not(empty(parameters('networkAcls')))]", + "virtualNetworkRules": { + "copy": [ + { + "name": "virtualNetworkRules", + "count": "[if(not(variables('deployServiceEndpoint')), 0, length(parameters('networkAcls').virtualNetworkRules))]", + "input": { + "id": "[concat(parameters('vNetId'), '/subnets/', parameters('networkAcls').virtualNetworkRules[copyIndex('virtualNetworkRules')].subnet)]" + } + } + ] + }, + "networkAcls": { + "bypass": "[if(not(variables('deployServiceEndpoint')), 
json('null'), parameters('networkAcls').bypass)]", + "defaultAction": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').defaultAction)]", + "virtualNetworkRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').virtualNetworkRules), 0), variables('emptyArray'), variables('virtualNetworkRules').virtualNetworkRules))]", + "ipRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), variables('emptyArray'), parameters('networkAcls').ipRules))]" + }, + "emptyArray": [ + ], + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "AuditEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Key Vault Administrator (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4633458b-17de-408a-b874-0445c86b69e6')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Azure Service Deploy Release Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21d96096-b162-414a-8302-d8354f9d91b2')]", + "masterreader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Key Vault + { + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "name": "[variables('keyVaultName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "enabledForDeployment": "[parameters('enableVaultForDeployment')]", + "enabledForTemplateDeployment": "[parameters('enableVaultForTemplateDeployment')]", + "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]", + "enableSoftDelete": "[parameters('enableSoftDelete')]", + "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]", + "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]", + "createMode": "[parameters('createMode')]", + "enablePurgeProtection": "[if(not(parameters('enablePurgeProtection')), json('null'), parameters('enablePurgeProtection'))]", + "tenantId": "[subscription().tenantId]", + "accessPolicies": "[parameters('accessPolicies')]", + "sku": { + "name": "[parameters('vaultSku')]", + "family": "A" + }, + "networkAcls": "[if(not(variables('deployServiceEndpoint')), json('null'), variables('networkAcls'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/keyVaultDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" + ], + "comments": "Resource lock on Azure Key Vault", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.KeyVault/vaults/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('keyVaultName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "location": "[parameters('location')]", + "condition": 
"[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // Key Vault Secrets + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "condition": "[not(empty(parameters('secretsObject').secrets))]", + "name": "[if(empty(parameters('secretsObject').secrets), concat(variables('keyVaultName'), '/', 'secretEntity'), concat(variables('keyVaultName'), '/', parameters('secretsObject').secrets[copyIndex()].secretName))]", + "properties": { + "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]" + }, + "dependsOn": [ + "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" + ], + "copy": { + "name": "secretsCopy", + "count": "[length(parameters('secretsObject').secrets)]" + } + }, + // Key Vault Keys + { + 
"type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2019-09-01", + "condition": "[not(empty(parameters('keysObject').keys))]", + "name": "[if(empty(parameters('keysObject').keys), concat(variables('keyVaultName'), '/', 'keyEntity'), concat(variables('keyVaultName'), '/', parameters('keysObject').keys[copyIndex()].keyName))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" + ], + "properties": { + "kty": "[parameters('keysObject').keys[copyIndex()].keyType]", + "keyOps": "[parameters('keysObject').keys[copyIndex()].keyOps]", + "keySize": "[parameters('keysObject').keys[copyIndex()].keySize]", + "curveName": "[parameters('keysObject').keys[copyIndex()].curveName]" + }, + "copy": { + "name": "keyCopy", + "count": "[length(parameters('keysObject').keys)]" + } + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-KeyVault-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[variables('keyVaultName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + 
"id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + // RBAC + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[variables('keyVaultName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "keyVaultName": { + "value": "[variables('keyVaultName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "keyVaultName": { + "type": "string" + } + }, + 
"resources": [ + { + "type": "Microsoft.KeyVault/vaults/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('keyVaultName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "keyVaultResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]", + "metadata": { + "description": "The Resource Id of the Key Vault." + } + }, + "keyVaultResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Key Vault was created in." + } + }, + "keyVaultName": { + "type": "string", + "value": "[variables('keyVaultName')]", + "metadata": { + "description": "The Name of the Key Vault." + } + }, + "keyVaultUrl": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')),'2016-10-01').vaultUri]", + "metadata": { + "description": "The URL of the Key Vault." + } + } + } +} diff --git a/arm/Microsoft.KeyVault/vaults/parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/parameters/parameters.json new file mode 100644 index 0000000000..fbcfd5abf6 --- /dev/null +++ b/arm/Microsoft.KeyVault/vaults/parameters/parameters.json 
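Review bot: The parameters `enableVaultForDeployment`, `enableVaultForTemplateDeployment` and `enableVaultForDiskEncryption` all default to `true`, so a vault deployed with defaults permits Azure Virtual Machines, Azure Resource Manager and Azure Disk Encryption to retrieve secrets whether or not the workload needs it. I would set each to `"defaultValue": false` and let callers opt in. In the same parameter block `softDeleteRetentionInDays` documents a 7–90 range but does not enforce it; adding `"minValue": 7, "maxValue": 90` (the way `diagnosticLogsRetentionInDays` already bounds its value) rejects bad input at template validation. With `networkAcls` defaulting to `{}` the vault's `networkAcls` property is sent as null, which presumably leaves the vault reachable from all networks, so the parameter description should say that.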
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "keyVaultName": {
+ "value": "sxx-az-kv-weu-x-001"
+ },
+ "keysObject": {
+ "value": {
+ "keys": [
+ {
+ "keyName": "keyRSA",
+ "keyType": "RSA",
+ "keyOps": [
+ "encrypt",
+ "decrypt",
+ "sign",
+ "verify",
+ "wrapKey",
+ "unwrapKey"
+ ],
+ "keySize": "2048",
+ "curveName": ""
+ }
+ ]
+ }
+ },
+ "accessPolicies": {
+ "value": [
+ {
+ "tenantId": "",
+ "objectId": "",
+ "permissions": {
+ "certificates": ["All"],
+ "keys": ["All"],
+ "secrets": ["All"]
+ }
+ },
+ {
+ "tenantId": "",
+ "objectId": "",
+ "permissions": {
+ "certificates": ["All"],
+ "keys": ["All"],
+ "secrets": ["All"]
+ }
+ }
+ ]
+ },
+ "enableSoftDelete": {
+ "value": true
+ },
+ "softDeleteRetentionInDays": {
+ "value": 7
+ },
+// "networkAcls": {
+// "value": {
+// "bypass": "AzureServices",
+// "defaultAction": "Deny",
+// "virtualNetworkRules": [],
+// "ipRules": []
+// }
+// },
+ "enableRbacAuthorization": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md
new file mode 100644
index 0000000000..7162fd5e79
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/readme.md
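Review bot: Both sample `accessPolicies` entries grant `["All"]` on certificates, keys and secrets, and a parameter file like this tends to be copied as-is, so the example should show the narrowest set a consumer needs, e.g. `"secrets": ["get", "list"]`, with the other permission arrays left empty. The `networkAcls` block carrying `"defaultAction": "Deny"` is commented out, so the sample deploys without network rules. It is also commented with `//`, which strict JSON parsers reject even where the deployment tooling accepts it. `keySize` is passed as the string `"2048"`; the key resource presumably expects an integer, so `"keySize": 2048` would be safer.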
@@ -0,0 +1,245 @@ +# KeyVault + +[![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() + +[![Deploy To Azure US Gov](/docs/media/deploytoazuregov.svg?sanitize=true)]() + +[![Visualize](/docs/media/visualizebutton.svg?sanitize=true)]() + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.KeyVault/vaults/keys` | 2019-09-01 | +| `Microsoft.KeyVault/vaults/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.KeyVault/vaults/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.KeyVault/vaults/secrets` | 2019-09-01 | +| `Microsoft.KeyVault/vaults` | 2019-09-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `keyVaultName` | string | | | Optional. Name of the Key Vault Name. If no name is provided, then unique name will be created.| +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `accessPolicies` | object | `{}` | Complex structure, see below. | Optional. Access policies object +| `secretsObject` | object | `{}` | Complex structure, see below. | Optional. All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object +| `keysObject` | object | `{}` | Complex structure, see below. | Optional. All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object +| `enableVaultForDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for deployment by script or compute +| `enableVaultForTemplateDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for a template deployment +| `enableVaultForDiskEncryption` | bool | `true` | | Optional. 
Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. +| `enableSoftDelete` | bool | `true` | | Optional. Switch to enable Key Vault's soft delete feature. +| `softDeleteRetentionInDays` | int | 90 | | Optional. softDelete data retention days. It accepts >=7 and <=90. +| `enableRbacAuthorization` | bool | `false` | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. +| `createMode` | bool | `true` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. +| `enablePurgeProtection` | bool | `false` | | Optional. Switch to enable Key Vault's purge protection feature. +| `vaultSku` | string | `Premium` | Premium, Standard |Optional. Specifies the SKU for the vault +| `vNetId` | string | "" | | Optional. Virtual Network Identifier used to create a service endpoint. +| `networkAcls` | object | {} | Complex structure, see below. | Optional. Network ACLs, this value contains IPs to whitelist and/or Subnet information. +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. +| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. +| `workspaceId` | string | "" | | Optional. 
Resource identifier of Log Analytics. +| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Azure Key Vault from deletion. +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. +| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. 
+ +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `networkAcls` + +```json +"networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "subnet": "sharedsvcs" + } + ], + "ipRules": [] + } +} +``` + +### Parameter Usage: `vNetId` + +```json +"vNetId": { + "value": "/subscriptions/00000000/resourceGroups/resourceGroup" +} +``` + +### Parameter Usage: `accessPolicies` + +```json +"accessPolicies": { + "value": [ + { + "tenantId": null, + "objectId": null, + "permissions": { + "certificates": [ + "All" + ], + "keys": [ + "All" + ], + "secrets": [ + "All" + ] + } + } + ] +} +``` + +### Parameter Usage: `secretsObject` + +```json +"secretsObject": { + "value": { + "secrets": [ + { + "secretName": "Secret--AzureAd--Domain", + "secretValue": "Some value" + } + ] + } +} +``` + +### Parameter Usage: `keysObject` + +```json +"keysObject": { + "value": { + "keys": [ + { + "keyName": "keyRSA", // The name of the key to 
be created + "keyType": "RSA", // The JsonWebKeyType of the key to be created + "keyOps": [ //The permitted JSON web key operations of the key to be created + "encrypt", + "decrypt", + "sign", + "verify", + "wrapKey", + "unwrapKey" + ], + "keySize": "2048", //The size in bits of the key to be created + "curveName": "" // The JsonWebKeyCurveName of the key to be created + } + ] + } +} +``` + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `keyVaultName` | string | The Name of the Key Vault. | +| `keyVaultResourceGroup` | string | The name of the Resource Group the Key Vault was created in. | +| `keyVaultResourceId` | string | The Resource Id of the Key Vault. | +| `keyVaultUrl` | string | The URL of the Key Vault. 
| + +## Considerations + +**N/A* + +## Additional resources + +- [What is Azure Key Vault?](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis) +- [Microsoft.KeyVault vaults template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults) +- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets) +- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) \ No newline at end of file diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json new file mode 100644 index 0000000000..b8a26deb0b --- /dev/null +++ b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json 
@@ -0,0 +1,497 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the machine learning workspace." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "sku": { + "type": "string", + "allowedValues": [ + "Basic", + "Enterprise" + ], + "metadata": { + "description": "Required. Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace." + } + }, + "associatedStorageAccountResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the associated Storage Account." + } + }, + "associatedKeyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the associated Key Vault." + } + }, + "associatedApplicationInsightsResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the associated Application Insights." + } + }, + "associatedContainerRegistryResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The resource id of the associated Container Registry." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Machine Learning Service from deletion." + } + }, + "hbiWorkspace": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service." + } + }, + "allowPublicAccessWhenBehindVnet": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. The flag to indicate whether to allow public access when behind VNet." 
+ } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Resource tags." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + // Diagnostic Settings + "diagnosticSettingName": { + "type": "string", + "defaultValue": "service", + "metadata": { + "description": "Optional. The name of the Diagnostic setting." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + } + }, + + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AmlComputeJobEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AzureML Metrics Writer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + // CUA ID + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // Machine Learning Services + { + "type": "Microsoft.MachineLearningServices/workspaces", + "apiVersion": "2021-04-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sku')]", + "tier": "[parameters('sku')]" + }, + "identity": { + "type": "systemAssigned" + }, + "properties": { + "friendlyName": "[parameters('workspaceName')]", + "storageAccount": "[parameters('associatedStorageAccountResourceId')]", + "keyVault": "[parameters('associatedKeyVaultResourceId')]", + "applicationInsights": "[parameters('associatedApplicationInsightsResourceId')]", + "containerRegistry": "[if(not(equals(parameters('associatedContainerRegistryResourceId'), '')), parameters('associatedContainerRegistryResourceId'), json('null'))]", + "hbiWorkspace": "[parameters('hbiWorkspace')]", + "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/machineLearningServicesDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.MachineLearningServices/workspaces/', parameters('workspaceName'))]" + ], + "comments": "Resource lock on Azure Machine Learning Services", + "properties": { + "level": 
"CannotDelete" + } + }, + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.MachineLearningServices/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ML-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[parameters('workspaceName')]" + ], + "copy": { + "name": 
"privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.MachineLearningServices/workspaces/', parameters('workspaceName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": 
"[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + // RBAC + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + 
"[parameters('workspaceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "workspaceName": { + "value": "[parameters('workspaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "workspaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('workspaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('workspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "machineLearningServiceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('workspaceName'))]", + "metadata": { + "description": "The Resource Id of the Machine 
Learning Service workspace." + } + }, + "machineLearningServiceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Machine Learning Service workspace was created in." + } + }, + "machineLearningServiceName": { + "type": "string", + "value": "[parameters('workspaceName')]", + "metadata": { + "description": "The name of the Machine Learning Service workspace." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json new file mode 100644 index 0000000000..254ab0f91d --- /dev/null +++ b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json 
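Review bot: The `roleAssignments` parameter description tells callers to supply 'roleDefinitionIdOrName' and 'principalId', but the nested RBAC template reads `parameters('roleAssignment').principalIds`, so an object written from the description fails at deployment. The description should name `principalIds` and say it is an array of object IDs. In the same resource `name` uses `copyIndex('innerRbacCopy')` while `principalId` uses bare `copyIndex()`; both resolve to the same loop, but the named form in both places keeps the pairing explicit. Since `builtInRoleNames` includes `Owner` and `User Access Administrator`, and any other string is passed through unchanged as the `roleDefinitionId`, the description should also note that these roles hand over control of access to the workspace.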
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "value": "sxx-az-mls-weu-x-001"
+ },
+ "sku": {
+ "value": "Basic"
+ },
+ "associatedStorageAccountResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ },
+ "associatedKeyVaultResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "associatedApplicationInsightsResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Insights/components/test-az-appi-weu-x-02"
+ }
+ // "associatedContainerRegistryResourceId": {
+ // "value": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.ContainerRegistry/registries/acrtest2428"
+ // },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "User Access Administrator",
+ // "principalIds": [
+ // "xxx-xxx-xxx-xxx-xxx"
+ // ]
+ // }
+ // ]
+ // },
+ // "privateEndpoints": {
+ // "value": [
+ // {
+ // "name": "acrtestedp",
+ // "subnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.Network/virtualNetworks/acrtestvnet/subnets/default",
+ // "service": "amlworkspace",
+ // "privateDnsZoneResourceIds": [
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms",
+ // "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.notebooks.azure.net"
+ // ]
+ // }
+ // ]
+ // },
+ // // Diagnostic Settings
+ // "diagnosticSettingName": {
+ // "value": "testsetting"
+ // },
+ // "diagnosticLogsRetentionInDays": {
+ // "value": 7
+ // },
+ // "workspaceId": {
+ // "value": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/iacs/providers/Microsoft.OperationalInsights/workspaces/acrtest2428"
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md
new file mode 100644
index 0000000000..e78f792195
--- /dev/null
+++ b/arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md
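Review bot: The three active resource IDs embed what looks like a real subscription GUID (`8629be3b-96bc-482d-a04b-ffff597c65a2`), while the commented-out examples in the same file use the `xxx-xxx-xxx-xxx-xxx` placeholder. Using the placeholder throughout keeps the authoring environment's identifiers out of the repository, e.g. `"/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/dependencies-rg/..."`. The commented `roleAssignments` example uses `User Access Administrator`; a lower-privilege role such as `Reader` would be a safer value for readers to copy. The `//` comments also make this file JSON-with-comments, so confirm the deployment tooling accepts it.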
@@ -0,0 +1,133 @@
+# Machine Learning Services
+
+This module deploys a Machine Learning Services Workspace.
+
+## Resource types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.Resources/deployments` | 2020-06-01 |
+| `Microsoft.MachineLearningServices/workspaces` | 2021-04-01 |
+| `providers/locks` | 2016-09-01 |
+| `Microsoft.MachineLearningServices/workspaces/providers/diagnosticsettings` | 2017-05-01-preview |
+| `Microsoft.Network/privateEndpoints` | 2020-05-01 |
+| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 |
+| `Microsoft.MachineLearningServices/workspaces/providers/roleAssignments` | 2018-09-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `workspaceName` | string | Required. The name of the machine learning workspace. | | |
+| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | |
+| `sku` | string | Required. Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | Basic | Basic, Enterprise |
+| `associatedStorageAccountResourceId` | string | Required. The resource id of the associated Storage Account. | | |
+| `associatedKeyVaultResourceId` | string | Required. The resource id of the associated Key Vault. | | |
+| `associatedApplicationInsightsResourceId` | string | Required. The resource id of the associated Application Insights. | | |
+| `associatedContainerRegistryResourceId` | string | Optional. The resource id of the associated Container Registry. | "" | |
+| `hbiWorkspace` | bool | Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | false | |
+| `allowPublicAccessWhenBehindVnet` | bool | Optional. The flag to indicate whether to allow public access when behind VNet. | false | |
+| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | |
+| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | |
+| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | false | |
+| `tags` | object | Optional. Tags of the resource. | {} | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | service | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | "" | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | "" | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | "" | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | "" | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+### Parameter Usage: `privateEndpoints`
+
+To use Private Endpoint the following dependencies must be deployed:
+
+- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
+
+- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
+
+```json
+"privateEndpoints": {
+ "value": [
+ // Example showing all available fields
+ {
+ "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here
+ "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001",
+ "service": "amlworkspace",
+ "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms",
+ "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourcegroups/iacs/providers/Microsoft.Network/privateDnsZones/privatelink.notebooks.azure.net"
+ ],
+ "customDnsConfigs": [ // Optional
+ {
+ "fqdn": "customname.test.local",
+ "ipAddresses": [
+ "10.10.10.10"
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `machineLearningServiceResourceId` | string | The Resource Id of the Machine Learning Service workspace. |
+| `machineLearningServiceResourceGroup` | string | The name of the Resource Group the Machine Learning Service workspace was created in. |
+| `machineLearningServiceName` | string | The name of the Machine Learning Service workspace. |
+
+## Considerations
+
+## Additional resources
+
+- [What is Azure Machine Learning?](https://docs.microsoft.com/en-us/azure/machine-learning/overview-what-is-azure-ml)
\ No newline at end of file
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json
new file mode 100644
index 0000000000..3df8dbd3fa
--- /dev/null
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json
@@ -0,0 +1,360 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "userMsiName": { + "type": "string", + "defaultValue": "[guid(resourceGroup().id)]", + "metadata": { + "description": "Optional. Name of the User Assigned Identity." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('userMsiName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/msiDoNotDelete", + "dependsOn": [ + 
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userMsiName'))]" + ], + "comments": "Resource lock on the MSI", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('userMsiName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "userMsiName": { + "value": "[parameters('userMsiName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "userMsiName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('userMsiName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('userMsiName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , 
parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "msiName": { + "type": "string", + "value": "[parameters('userMsiName')]", + "metadata": { + "description": "The name of the User Assigned Identity." + } + }, + "msiResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))]", + "metadata": { + "description": "The Resource Id of the User Assigned Identity." + } + }, + "msiPrincipalId": { + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))).principalId]", + "type": "string", + "metadata": { + "description": "The Principal Id of the User Assigned Identity." + } + }, + "msiResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the User Assigned Identity was created in." + } + } + } +} diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/parameters/parameters.json b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/parameters/parameters.json new file mode 100644 index 0000000000..3c3cc2aa4d --- /dev/null +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/parameters/parameters.json @@ -0,0 +1,20 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "userMsiName": { + "value": "sxx-az-msi-weu-x-001" + } + // "roleAssignments": { + // "value": [ + // { + // "roleDefinitionIdOrName": "Desktop Virtualization User", + // "principalIds": [ + // "12345678-1234-1234-1234-123456789012", // object 1 + // "78945612-1234-1234-1234-123456789012" // object 2 + // ] + // } + // ] + // } + } +} 
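Review bot: The `//`-commented `roleAssignments` block in the new `userAssignedIdentities/parameters/parameters.json` makes the file invalid for strict JSON parsers, so any pipeline step that reads it with one (rather than with ARM tooling that tolerates comments) will fail on it. The same applies to `registrationDefinitions/deploy.json` later in this patch, which carries the `// Subscription deployment` and `// Resource Group deployment` comments and a multi-line string for `assignmentId`. The module readme already documents the `roleAssignments` shape, so the commented block could be dropped here, leaving only `"userMsiName": { "value": "sxx-az-msi-weu-x-001" }` under `parameters`.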
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md new file mode 100644 index 0000000000..4b6fe0b925 --- /dev/null +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md 
@@ -0,0 +1,89 @@ +# User Assigned Identities + +This module deploys User Assigned Identities, with resource lock. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.ManagedIdentity/userAssignedIdentities`|2018-11-30| +|`providers/locks`|2016-09-01| +|`Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Resource from deletion. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. | | | +| `userMsiName` | string | Optional. Name of the User Assigned Identity. 
| [guid(resourceGroup().id)] | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `msiName` | string | The name of the User Assigned Identity. | +| `msiPrincipalId` | string | The Principal Id of the User Assigned Identity. | +| `msiResourceGroup` | string | The name of the Resource Group the User Assigned Identity was created in. | +| `msiResourceId` | string | The Resource Id of the User Assigned Identity. | + +## Considerations + +*N/A* + +## Additional resources + +- [What are managed identities for Azure resources?](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) +- [Microsoft.ManagedIdentity resource types](https://docs.microsoft.com/en-us/azure/templates/microsoft.managedidentity/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file 
diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/.attachments/LH.png b/arm/Microsoft.ManagedServices/registrationDefinitions/.attachments/LH.png new file mode 100644 index 0000000000000000000000000000000000000000..7124e77a0491cd8ec73b126c08c854366c6b3fc3 GIT binary patch literal 12856 zcmZv@1yq#Z_C8L7(%mH}DlI*9_aFiy-5^~??G`5wI>_5dL5m1)JL^W-di|pyh%oy&GPe>5Xz2z6pL5RO5<0z%bsPJMZWfP zp2mVccOqWF9y+2a{@I@kz8McB>jFHlv|J<31iVBO$l#0q4>O7!-&FgoD z$G0oa6Mt}j9oRHEV_z=5+Z{9!SRTcU6UwAil)r%-(}dephth`&sCpv_ZJ&_G-wjTCu!t#&r~{8H1`zzuTLNWDF05Tac2> zHHgvCfB*hn%iYqKrOfm8y{oU%o`@R^KJ?iv3|#WK!>(K5hKV&N*A1n~aOEh!C!|AG zZccLRD0yWYhFanFt#i&zuf8hXr#|0!0aJU$$Gjw^lf6`M>+-8u^jH3h)Gw}AtOp`u zFSv+^`kt~%_4#8NMe0+}B>3kFbIxKLnyAoS!YC5bh_jP^*D%MY6WMPWOF7`tDy>LsMQ()^)Z%d_LP90tZlU$t}aOLwPbKZ#*gR~6TM5w+G zsx5b|*@rL9?W@s(wYxs}m+z4l zIO;2@z+Wp0c0NNG>dIDQSvta}_i@oISg1(k%@Y#}&oA1Z6B+En!&pQ$p z+{5SN55ysF!Vj2bY^Q5gcx~fDU-_#vihbfKe`_q2)lK3r&DAXU<+*a-R|v=?%qSSW@wc%wu9DTf7t^>oGKr-xnJ8^@By=Ze=ooF^4|Z|HI!24U z(6;L&i?wHK%GuX%XkT#Gt{3iG!$h!hE@^__c3~Rfurp~Vc6{q-tA2S*QDloCH1h~o zo;1`;!!xU(-OqeUUW};>KWuv)btewdFVDClNn9e40ekIf9NV@=4?{mDCNR<2y%bGQ z;hl*Lzcwxz4Yl(jme9IG72!}Vmrm6vHdY(?@wT8JQ8CVzcUFI_m+N+0N|x+s6s(i5 zt~{&U51G%=naTKE_MBtLBR;u)ubzMMw|CrB3X-@}gZq}bwu--Z=Q-uy6ETUL?rO1@ zD!54+s(J5Uc{%(cESW<{W1Ml=nj{^#8ROLYZ;_CL37?QIkdBo{F(oUpiW)7fCtL|h z03Y>)f+u@0&M~w>uTJG^;e`|sP^cXH7E%cV8pky97$i<24P#NN4F$)`4I^+!%JbnY z#Qz;a5ThSi9L&#ZW*YuJ!yRG#P3T`Uozz&^N|FnCsi>IgtI~hBetTGu^)GZG^94Ph zjdkKDVZ4|G+$p}!7P7N4VS0uyUiAm~nRV9wz$QVa+>xpaG#q zt_D8P*nAKsqbS2Tr8>QD$GItzCH>FL5=-CkoZQ}I9FmnPxXNwCw?a5e;(JeDSrQQa zBQ{eLc^J!TFjx`BvWy0zr)GqJfIm|XBYH0K;Ufs8AHYXl*w8qz;%`g{=#|741Og)A z%7=%kw{_?ZZ@!xsIhI*HoZUO)oM+j@?!IVtLH+k&-`CSN)B#1F@4@5wPktTD7lMtS zBc)-5@I+t;gP5`7cXn+Fn444#<6FWMJYnw*^L1J-IoP=P~Y#6ZxVKtP3VTWO5uU<3l*NA(i$z&XGxOQebMT&m<`99|(&%CCk zKIC)y6-7J^`@7Jxh*{5Gbp+5 zAWD9RNt`$0z=MC{qlF8ihsK5DZXrz%VRk2b-TG}FW8|2e{1UbwFE$dN(OkyzAJZ_k zy8c)gc8++N?>w?$u4Z5eHJb09$x->Q_`F;vi`Ej?tyi&O=}gw^6C=VXuC5b-k+>%J 
z7c#jccC;RYzLj8R2nEyC$6VrteeDo1;V{C;$Vfy)#5N=$GxJfMcYuJKyStBOTgc1i zYMLtHch9-Eg|K9YyXh**%J7h3n5*0$;@fvhQQdt++NixqchEuNRL#B>=$7g%u(WOo z^gokl6Ngh;>MTFEOQ&_xuOr;K-;uve?>;7-Z=U}O_)K#Y( z>)?0gZx_O`F)=ZlUo-v6>)OG_&K~GWCu6Gm=y+{xhko z;)KX#+9yuoEoLnJI#Gio_fPwCk>`1arf<9r8E~tM?Dw?*&7@%I>FKg<9NgT54l8Uf zwPAz6{_-t)qOW2Pa-VS!Q2dR)Qdd>Qtz_h1BExQ~_4m2sy$pKMzrKEBJ*Qqq2s{we z>e%2i>FEYXQB{^2vXzPQr~LI&IgK8Caz~uhok8L{gzJ3lzT^z)iYx8liQSZcnH1-h z72v^g6Hnos)G+7iwNJ<=k(sm_BT8YyBJSvaqWl`t2}HL}5cuLOa0*>^Z7zj<%u3i$ zG6vuW`^h6Cnp=j~`y4C_!CaDM;`3Z}h48TM;~I4nW3QV&dt7FxJDioN0ehynh32fT z9AvVNQBqlY-qzbMIh|uB-lz`_kw=C1v8br%scPCGKM9VWo?g|N)Q(s=F~s-q`IbBD zL`GX`;C6|Q;+=<;L@c=vzl1Pd&~VkPWzEm{i(^>8p6-2%0v9rTey{#D6$KV>;?9+Q zd>VHsOi46YLK4!_uu8c^MYCZ7pdNwX~_h&(@`W**8 zKEBvzAjpB{*|s2@`EX2`QN%5QjZ6nmjY#yQ{zv6W(^VFTVky z$Rzi-q}mFgBqL*GW8>DZ#X*X@Z>SA7ylgf3gM;$FiVq6-HXcT6)2#E;a+=;YQSHBqwoo-&&X5qW5w& zXvk~Uj*8WhG*|b5Ki^ik`H&ehEJZ`+DPyCfSMSc^8{Id#-c>P)h*0m6{z|3(U(@y? z2pJkV@F$BY8V=fCFYwi_$TU1zxiv?d`9 zvqyz;5xoL0>Mag*Zy!^i?}}IUXvT`Z`nDor_d52&^j=rsRb0}`;l7WBXiW?KgAyMZ z$U|P`Gk>XbS(bU-xGgK-Lc(+3j-707?q*>Q@r$xmk%sLMfQ)c~XO`f4Wujr+`t-Ke z_$bUM>&#YgSTHgJhK^AN&CbTe_t$6N zg3SMCWAU^45coG1kb;h`q%%m)r7f3WLq%QP%K7`JblFq{C8hk#z+9YsxQAl;5xj5$v5TosCn;W=!?3J&qo;5l z2+D>GX(0knlFTtTTy>>Wn?}_n0h14IZ9RwZ32Y17K^I0xlTuTQXSdY0AeR38B2bTS z#m2Q9(N8RYZpu~^L4t7&%emH+*KYs-k|kFT_rQWOJi}=jeIXqY2&((ezkUhpao2n5 z4Az~nD)#x!IE?uG2xJ7j+(}zKS+XXoBn97rh>@`pRMlQ<3tw4TY2~|L&e&`d z_v@^@p_yVLg4Hbk>G}J2#g>(*;7o`Yf(6}Yey&!y+5%%B7IMT0i%{=%nZ;F#qQnrLC27St>I=c`o+}PJO(C za4<#Zxd1$QV-VWcvOhTI+{NL&k`)|8_gK0F1JV@q!$)f&q~wlVQ?t}pKE06I$z6mr z;E?5=Tm@WwWUu>k!K2dgCWq9fV1+>r2&2$qC;xESjg_B3tAW!j?F<>i+9_n`F5k6#lTj7tC*iZ>uxdu4-B)t39_4!uYNr5K%zd{EpZ~u(a^qe!T+3 z)fd1{Wi0?+$&CXR`Og?t6_ur>nBR(5zz93Lm$k3;^m^eB@=*Y-00X*%`~n^kJWK)x zjKwW~08>iAG-&=O4F5})|3ZNOKV1Mw0-PNn82+;(Mc6gQzoG*QC}30yU;zODwL<$p zk^hOv!Qedp|4IM<5v#ASzeH$K??A1g5&6Z#7Yru2S@!Yqc|c76kdiC!;0XZ&2x%R- zVcH=zHMI#J683NALMWlR1AziWZ58+n44d&^$0_mXfr^9?{_A-E!*$xRp%sJ=fdfzg 
zxm07``54kfkPm+tdA*6OsHhkl8%s(e0UkB#gn@#>$8o!LTTAo*8vwz`^!@*`CfMhY z<|C}w$X^j~P6}0NX=zVS&o^&Ie}BMTU0Jc7_movrQ=8clIwXmttZj2AtDADD|M(Hh ze-j59r$)4a6tNHNaI!^P+6PW_=+BnKtK-w=R|OxrEYRgR9UM@mXnphnS75E?rNVQm zt=e2$SzVQ0)D7GSa?>eA#YB0Ylaqr-9_=X^KWW@mY#7hmT#&|3*AX2CCiEj<{liMP z1oy2rZAUvi?$6|FgpL2$C>4^)1d?w1ate^6u0Cp+8k-OpYn-FIT+woQ(>%g(0hKk0 z`<)%u0st+NP^u|sDg~6g$p)0RjCY2uzxLmHHC0ZCE$2;RX3)>!r(t{9SX+nwymu2L zKhtbh{Ki5~PVU@#xsmi#6<94CiG;lKyFS}nwFLlGn96Kq&4geV>GDTY<6NBK?Ynov z@4y=B>X=@%cv!if*m-^<(38y}HUQBXHKo83rKXyF_{v&tug^~&)M?L${5k@7=-hU@ zh>qA@%R+rS|8JWJOjAvrWfdbYS3w>3$7JcRY^?}%cm>>K&<4!SDe(5*YP!@LA|3Qc zvbJqrbN$8!(&yKTiopBZbKMHVUbqsIrIl6tOyAJZ=7Wx>#f!^ob~Vv2bultp%!JjN z_LkH&MBn^;+&EgR`dzI8lBE7v2IbR7;+X~kj07%n|_BGkK>Hh|UG2K;q0@%r^hkiT3$(Z*hauTR21sYWN*Rwtwh7*QvLaN@p z(T+PG9UDtYPIliKW(LG)ihi7oB4sn((|P;$_(1@udfKwBw1Cju(}z3u6;9u74bi`O z^yedgN5)E`zrn2Q`28-|)x(olx^ucYcy>V#0+EVeINSq%T|4gbT3jXC|~tk;c6EU76PeUD?XK}KFz z*Vj8cJK5RUKE5(Q9yc&BFx$%(I z(*WqCvtE$>hPb2mcVZmyE3p@()n}bH)dJtlZ;cO>2-%{Si+?CP--!XpL+C z7S+LT>Xh7BDK!1kK_I^yzd~7E{R6u7-Oc6FJ^~Iq$zu4$@f?5z2iq`30Mu}jQBch6 zji$9nG|kiPe8=16+FrkG_5J9M$XhE=?0)|Lq`Q(S_$^LXAtw6^`bhCcRbD5z^j8 zhP-tX+so|3792T114o8|^QZuLv)Jt8uAra*WPzb1RDJ9zh@&GX89JKp1}GFtuo#L> z$Y8ls)Y_W6`M5`yJ^>2F?=;n!92+|<3zmZIDDB?S916siJ*E-;%j`63tY9&#N0V7h z)ZoPVVy9Z)fdJqVs7;%(O_uoAO$UPld2cMvcBhy2kFW)!fGiq*d7+n+v1=~gf|FL1Vs z_9k#Z8=nrXB@tMKl?H>o#50bTBN%@#dMy1y?fj5VAv(PvE9jB@N&2Oih|N&$JOJRf z$4jH5qkYmeo{S?Dnp;O$I(-czW%Z${ve} zoHpzH1QR9oxZ+&fA_s8!d)m)oEkL;=#k<{YG1tAJh%x|iD{G=6;(d};=;gqEYhgRf zm;P}YJq;`E&zj%!JRliNm{3fD zTJ#%*T+KD#QUWMJ4>WM>+Uqlwp7@|3t$1o)K0Ml)rMrT)3z9pgmI9*p<#KLNmG$EM z(lCw}`{GHVU-$sjK>SCOJ8R=F{#!<@!;5)#uJn3>sG~YBguLgXGegLVG+i_W=Ox)Lip_Npvf41 zZ^VA+^Ifm!Id^kU8(x`+%$6z<@ z%rdXG+}!DP?=v-81HY^s<3MhaTPyRK_T;Q65Nx))M+=Lcu~wBLDmF|2DA62qvV1}# zGU+=o-@lW$#&v%vsuT<}=d(EP5{BH;K0sh;g|eDV0Q{KLCWIf%1XG=BK8^1D4b&6? 
zz?RyAg6rtu;9zHGXKNdR*xz?L#PO?fb#UlMK)!*Xo%TkSVVOl<$zy5KTc)p`s`n!f zHH}OnmA`)ddYBn@l>VC$C{E&6A~4^{x9ZZTXnKJD)F>R^x9`rg))-uIS$^(Cj7zet zOEOuT)e;QILE&2ZScpiVBGgecPd+iSjml7IxUEZO>Ux{ix3s^r$e&|JBL*3{LbSbD zl*wxNoXBna_yKN0PzW3Z=YCgP^-cZ!8M0#0uj4|&O@^bI#&L9{Afu@{LhIaow2|%H zdV4lIthi8RCJP3Gm6acTd0Yk(6WetW_7|pKDJD1$+Qw>i*Cqk|!N?(~q9sA`^Wb`I zIuNGjW57_wZV`fJL)hF(Qxz3Z2^ww^g2{?mum5kVh<s!bp9wbz+~pT^(keL=^~1yiL~^)0#6LcaC_cvsjw(G(P*4t?unU zdAbc(3zKdmm9h`iKT!)4Bu)fVWXJ{ITZvx6`ZhRzA^NrAg{BTf<|{f8i4ib3B~9=3 z?->iQ&CwR-ju$R%9jN7i>^m8eD7~f%CD1jzq<=g4&Zu=IVMKpi^k#Kc{gc1EVN1#) zhfZuGT_*wUFM+Yp(DFQK&-p zNyv$Kr+$vaoSehyA7WF^1Gz-_;y1u(9zOBuDhBTQ*JPQwN0$P|*eB-glp;D0?V3<{ z2$Z5)-}))e2l%~na(M^1n^zi!?gsOUNfOwP{|TJtWb1A}$D56A3@Cx17m^s}w%h-R zR304k>Hv+gw9n7q#(Df+bUeQY8Ivst)lxD9qHk89gaY;hE6aqVMu(N9i}ySS-A+Hd zW~*L2lzCX4PX(*@uM;7xL4;D^lL> zH#h#BTa^*zYkT#}sOOs0o$V8FI9yd#)yGNu&AWFv?5J-)Y$j~g^HvXv)laXTUB5nV zp8$}#u<({w<)DaKRvwE$9?Qp}#2MNsf%r{(7X6$%uxpEb3fKHfos0yE^K+p0=LAE4 zmTU`f88v=Uul=<~W0a_xB-8Ibv~5;szf?>YU4qU37->{jSHJ6}7xnyQx7oOgCR2G& z{WS;76_5^TR^nPHOP?t0L|}7!-R)pUc*Ll0jt7--u>!rn7C3cXU7Z2Ie7)Atw|ZoO zRU745fP~)L->;ps?u|CO*yO=pW|w;w@!ibr(q?V0uE-86Rdl$^k%~i1R3WJjIV8zLjJ31n3d9Q z--*ua+Fzl7+g2Xa5TklSzdVv?h}+CX=A>9AOHlL1>LvAnqL02a#Jwrl z5W2z-RZ@;Rox#P9{`Q!1`w>pfe3qNl=wG@S{(lH8E(u=w74;vD=U{eyty{dm@)&An z%#9l~|LlcdYKN^7rY{-LlJAi|-BiI+50T~ z)mSFOv+&DY&y@6(5+mFceJd^PYMB6i?JJy7vGF04%-p=U6It4CB-CMR(Ks1eu$}>- zn7Z{sx3oH7~!_7Dw!5qhA_i6~KMz(8k3B*LDv6|FU{ z)EZW+EI+nw*tl^VC{N0G11xK2-+K_K7hlQ#7=~Yk|ta zZEZD0QPQ!kUP#o)sLVo89*4l)J?r%Z#{MgWXyE zlOq6wn}vsf4h`7%n&gnqVmJM^tywR>~umg zT{?+&qlr+X#Gc_~X}>D=o3ChLLgnF?<1%_eDeKL@B!$zDsK?rdL`LKK5QK(5lN}gD z7ZPqTk&W}u?fNQGyIGOhI?|p?T?944x2t@FD{$OmF$6_wr~HnmH*<7|@=n7>3+B zL|N&X`V!zU_IWXW`2|qy!?dvY;{+on#(22!AR-xWPmgZ#cjd9$E*!ac4{u2NBq9&m985LTm848CrAr_>n;3*RzFuVQ0#T5A45pa&iie-Rn^9U z^BmruCti4NBVk_WTq3+YD|cGImw^jqQQA55dBW#|ko~)YljMkACB`8rk&9>UuyTBW z%N6`5hvXvMz#8wb;~SuAT#J_+KQQ4X)B#Qqs|5&A7N}b|yc~X$ z>J+%!W?coh2!gGr`*CpIuHIy9V*rL{uIj z^}VFOAgZLtv> 
zvqa80^^FhnCh($Vf;ejY7A7hhG>|8wzQJHZ5DU0^s%);JG8I2cCNF*Z*4f}^VC(Fh z+4%j+3@dO?g-B;xv8P61{d?X!J`T#OLW3rTX$O7XirLqwTgdzl28bqxun`whu^u9x zW2Rp<=};H3Xu$(q;5#aUe-;z9Nqi@chuvzpMQD}5FgKQI02>MrfcUx)GeR`~lv>Fq z4GU>~?obF|YFVwkqzK@yPzN#-h9-*5Cb#E{cwdT2ZNjkOx=G72zr%@WBT@8#2MXodb+ zQtiXS3(Bhi+8K+QDA*TZqqWcF-U{23>u=?LPACCH}VpxN+MJ{QtMdu#Ff%jtrL zBV|*^DnbEpaGsZYt%HNixqL~wr4bDCc9t>`=qAh%;j^}ylGAa2K4)GRpo|Hup+?*$ zm_#YsBdNZ2dNPr>YvdP%g-Q)DrPq(sAQKEBHQnbum%YCbvNn zEX|^;y$gL49Cax)_8kKGYu4|OX$O_-GI=#kR-Seze4;V89qlxtCfpAVBOV1~p09ML zjE^FksS4ohM{9#6L9-J#9kBz82C5$dHzNiXjmK-dc@nSfwjkofi`0G#O2+%ziv=7> z->}JObz<1O1jLi3{hjsUIRfepm3CLRt>6XUFAujsg$8cEm~7vEvH6ay{`9bRMOQ?< zV5igjn|(#~&T`ayhsu6LG=(N?D0d)PDfk!VX=w%Lx2f=NiQ4Pqh+}UzHi!AHryts{ zqFjxXT7Tf?NSwH!X|O1zNC&N#82H5aMSFF*H&JQq*%}&A9C91}&B=wTLkTps|F|ch zyr5<+6%+hycYy#xg025)G6A4f(ySg9I3oB_?gu8#4$Nio&n*F#b=`^k)PbPeNs;n& z&RRrA*GN_?3fHf{IZic+nS5V?W;|O|R8c-kSocWb+7z$bG3$#L%sM(npF=X#{@4{u zKHqi$T7z(DM#u~ITc;?;7>C*z_hZcEczE9Ytl^kK-g^f+IzO(q`>+|NyMK5BIHW3Oz{~jPx1qSvkcAL&Y38-R`)-QIdETm#Kkp;}QKV`%wrQ>kg3~M|6BIYCD zL4NtMQ1{d`;arJfcBiojq3l2pxglPW(@tRrJ#QxgV5X^@R4`n!?i_Z{zBx_nPC2Jn zwT0kQy?2^wD%`WwJFuFX#is9&wIJwZFXYa+D5lz~syxtSIOS*-xy=+GV4NJmHd5;t zynjxYz<3dFlkGlx8(`4cflyldWt+b8v`}c^O@z_uM(^Ty4wvNS)lgD_sSz7F4f}fiMq#Cg3O~Z(oLdk_$*@%m2b8}h`Y3a6mT{sa&rsc1tTzXGu zp{a$&wGE`nuDys&fjljCccAMJ4Y5PU{w;t1c##IqrS#qrgfCiv`_|_^p*?fHHlI=6 z?FqAVQToBgvl@4+m zj=e#0zyg?$F_5p2&q-@D?^78n)SVgURh_rzR1myfbQk4kdsoh#zmq{ks^__iFP+BT zftAhL?yn&K%F7s^m9S8tB^GKEVRTeWDtw!Mtv}WB+IKK@aY*PT{WR<(5ju~JCb=m? z#7g#sQFFmmb$?lCie`_sc(8ujV;1k7q2NW&1lQ58_*wI-pBs$dWntKfaKS51PAA<< zIC!)F=IbA_u)UEzNa1makdVi-H1l&h>E8^(Q!V1e*mMqzK4P;R3>T7fQ%A|S;-|YR zv4TK{4YPg(yJgh#15uu5sC$JC;py*b3Wu?4xM*P2cMD@rukRn-xiF+<9*?uF=&>1FM*-&Ak1 zrU!BW8H%4{KqaQDU{D5$3C8BwPfSYh&8b-`$MJ*aelsTGU~M74ex`PeV^SiLg0bL) z$`JtBUOJ%%xZlczLn4w7C&rL|f(@iWCZ)9p@PQFU2PBkGrbKigGZV48{qH2Dkc4|I Z!SA%U;K$uDz<+z7D9eN8Dr8JU{~xPqXBz+j literal 0 HcmV?d00001 
diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/deploy.json b/arm/Microsoft.ManagedServices/registrationDefinitions/deploy.json
new file mode 100644
index 0000000000..df2bec0916
--- /dev/null
+++ b/arm/Microsoft.ManagedServices/registrationDefinitions/deploy.json
@@ -0,0 +1,161 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "registrationDefinitionName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specify a unique name for your offer/registration. i.e ' - - '"
+ }
+ },
+ "registrationDescription": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Description of the offer/registration. i.e. 'Managed by '"
+ }
+ },
+ "managedByTenantId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to."
+ }
+ },
+ "authorizations": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription."
+ }
+ }
+ },
+ "variables": {
+ "registrationDefinitionId": "[guid(parameters('registrationDefinitionName'))]",
+ "assignmentId": "[
+ if(
+ empty(parameters('resourceGroupName')),
+ guid(
+ concat(
+ parameters('managedByTenantId'),
+ subscription().subscriptionId
+ )
+ ),
+ guid(
+ concat(
+ parameters('managedByTenantId'),
+ subscription().subscriptionId,
+ parameters('resourceGroupName')
+ )
+ )
+ )
+ ]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ManagedServices/registrationDefinitions",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('registrationDefinitionId')]",
+ "properties": {
+ "registrationDefinitionName": "[parameters('registrationDefinitionName')]",
+ "description": "[parameters('registrationDescription')]",
+ "managedByTenantId": "[parameters('managedByTenantId')]",
+ "authorizations": "[parameters('authorizations')]"
+ }
+ },
+ // Subscription deployment
+ {
+ "condition": "[empty(parameters('resourceGroupName'))]",
+ "type": "Microsoft.ManagedServices/registrationAssignments",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('assignmentId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationDefinitionId'))]"
+ ],
+ "properties": {
+ "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationDefinitionId'))]"
+ }
+ },
+ // Resource Group deployment
+ {
+ "condition": "[not(empty(parameters('resourceGroupName')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2018-05-01",
+ "name": "[concat('rgAssignment-', guid(parameters('resourceGroupName')))]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationDefinitionId'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedServices/registrationAssignments",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('assignmentId')]",
+ "properties": {
+ "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationDefinitionId'))]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "registrationDefinitionName": {
+ "type": "string",
+ "value": "[parameters('registrationDefinitionName')]",
+ "metadata": {
+ "description": "The name of the offer/registration."
+ }
+ },
+ "registrationDefinitionId": {
+ "type": "string",
+ "value": "[variables('registrationDefinitionId')]",
+ "metadata": {
+ "description": "The ID of the offer/registration."
+ }
+ },
+ "assignmentId": {
+ "type": "string",
+ "value": "[variables('assignmentId')]",
+ "metadata": {
+ "description": "The ID of the resource delegation."
+ }
+ },
+ "authorizations": {
+ "type": "array",
+ "value": "[parameters('authorizations')]",
+ "metadata": {
+ "description": "The resource delegation authorizations that were created."
+ }
+ },
+ "subscriptionId": {
+ "condition": "[empty(parameters('resourceGroupName'))]",
+ "type": "string",
+ "value": "[subscription().id]",
+ "metadata": {
+ "description": "The ID of the subscription to which resource delegation authorizations were created."
+ }
+ },
+ "resourceGroupId": {
+ "condition": "[not(empty(parameters('resourceGroupName')))]",
+ "type": "string",
+ "value": "[concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'))]",
+ "metadata": {
+ "description": "The ID of the Resource Group to which resource delegation authorizations were created."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/parameters.json b/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/parameters.json
new file mode 100644
index 0000000000..b8f612c360
--- /dev/null
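Review bot: `assignmentId` is seeded only from `managedByTenantId`, the subscription ID and (optionally) `resourceGroupName`, so two registration definitions for the same managing tenant on the same scope resolve to the same `registrationAssignments` name. A second offer deployed this way would presumably re-point or conflict with the existing assignment instead of adding one, which matters because that assignment is what gives the remote tenant's principals their access. Including the definition in the seed keeps them distinct, e.g. `guid(concat(parameters('managedByTenantId'), subscription().subscriptionId, variables('registrationDefinitionId')))`, with `parameters('resourceGroupName')` appended in the resource-group branch.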
+++ b/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/parameters.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "registrationDefinitionName": {
+ "value": "Component Validation"
+ },
+ "registrationDescription": {
+ "value": "Managed by CCoE"
+ },
+ "managedByTenantId": {
+ "value": "83747c5c-1c32-4c6f-b391-bbdbcf9dd934"
+ },
+ "authorizations": {
+ "value": [
+ {
+ "principalId": "9d949eef-00d5-45d9-8586-56be91a13398",
+ "principalIdDisplayName": "MSX-Sub_ABC-Reader",
+ "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+
+ },
+ {
+ "principalId": "06eb144f-1a10-4935-881b-757efd1d0b58",
+ "principalIdDisplayName": "MSX-Sub_ABC-Contributor",
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "9cd792b0-dc7c-4551-84f8-dd87388030fb",
+ "principalIdDisplayName": "MSX-Sub_ABC-LHManagement",
+ "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
+ }
+ ]
+ }
+ }
+}
diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/rg-parameters.json b/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/rg-parameters.json
new file mode 100644
index 0000000000..269c7bdbf3
--- /dev/null
+++ b/arm/Microsoft.ManagedServices/registrationDefinitions/parameters/rg-parameters.json
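Review bot: The sample values in `registrationDefinitions/parameters/parameters.json` are real-looking GUIDs rather than placeholders: `managedByTenantId` is `83747c5c-1c32-4c6f-b391-bbdbcf9dd934`, and one of the three `principalId`s is paired with `b24988ac-6180-42a0-ab88-20f7382dd24c` under the display name `MSX-Sub_ABC-Contributor`. Deployed unchanged at subscription scope, the template would delegate those roles to principals in that tenant, so a copy-paste run grants access to whoever owns it. I would swap them for obvious placeholders in the style the userAssignedIdentities readme in this patch already uses (`12345678-1234-1234-1234-123456789012`), here and in `parameters/rg-parameters.json`, which repeats the same tenant and principal IDs. If these IDs belong to an actual validation tenant, that is worth confirming before they are published.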
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "registrationDefinitionName": {
+ "value": "Component Validation"
+ },
+ "registrationDescription": {
+ "value": "Managed by CCoE"
+ },
+ "managedByTenantId": {
+ "value": "83747c5c-1c32-4c6f-b391-bbdbcf9dd934"
+ },
+ "resourceGroupName": {
+ "value": "validation-rg"
+ },
+ "authorizations": {
+ "value": [
+ {
+ "principalId": "9d949eef-00d5-45d9-8586-56be91a13398",
+ "principalIdDisplayName": "MSX-Sub_ABC-Reader",
+ "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+ },
+ {
+ "principalId": "06eb144f-1a10-4935-881b-757efd1d0b58",
+ "principalIdDisplayName": "MSX-Sub_ABC-Contributor",
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "9cd792b0-dc7c-4551-84f8-dd87388030fb",
+ "principalIdDisplayName": "MSX-Sub_ABC-LHManagement",
+ "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
+ }
+ ]
+ }
+ }
+}
diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md
new file mode 100644
index 0000000000..5fa01907f0
--- /dev/null
+++ b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md
@@ -0,0 +1,129 @@ +# Lighthouse + +This module deploys `registrationDefinitions` and `registrationAssignments` (often refered to as 'Lighthouse' or 'resource delegation') +on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is +assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where +the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a +remote/managing tenant. + +![Lighthouse - Resource Group and Subscription delegation](./.attachments/LH.png) + +## Resource types + +| Resource Type | ApiVersion | +| :-------------------------------------------------- | :--------- | +| `Microsoft.ManagedServices/registrationDefinitions` | 2019-06-01 | +| `Microsoft.ManagedServices/registrationAssignments` | 2019-06-01 | +| `Microsoft.Resources/deployments` | 2018-05-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :--------------------------- | :----- | :------------ | :---------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `registrationDefinitionName` | string | | | Required. Specify a unique name for your offer/registration. i.e '\ - \ - \' | +| `registrationDescription` | string | | | Required. Description of the offer/registration. i.e. 'Managed by \' | +| `managedByTenantId` | string | | GUID | Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | +| `authorizations` | array | | Complex structure, see below. | Required. 
Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | +| `resourceGroupName` | string | "" | | Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | + +### Parameter Usage: `authorizations` + +| Parameter Name | Type | Default Value | Possible values | Description | +| :----------------------- | :----- | :------------ | :-------------- | :------------------------------------------------------------------------------------------ | +| `principalId` | string | | GUID | Required. The object ID of the principal in the managing tenant to delegate permissions to. | +| `principalIdDisplayName` | string | `principalId` | | Optional. A display name of the principal that is delegated permissions to. | +| `roleDefinitionId` | string | | GUID | Required. The role definition ID to delegate to the principal in the managing tenant. 
| + +```json +"authorizations": { + "value": [ + // Delegates 'Reader' to a group in managing tenant (managedByTenantId) + { + "principalId": "9d949eef-00d5-45d9-8586-56be91a13398", + "principalIdDisplayName": "Reader-Group", + "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + // Delegates 'Contributor' to a group in managing tenant (managedByTenantId) + { + "principalId": "06eb144f-1a10-4935-881b-757efd1d0b58", + "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + // Delegates 'Managed Services Registration assignment Delete Role' to a group in managing tenant (managedByTenantId) + { + "principalId": "9cd792b0-dc7c-4551-84f8-dd87388030fb", + "principalIdDisplayName": "LighthouseManagement-Group", + "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :--------------------------- | :----- | :------------------------------------------------------------------------------------- | +| `registrationDefinitionName` | string | The name of the offer/registration. | +| `registrationDefinitionId` | string | The ID of the offer/registration. | +| `assignmentId` | string | The ID of the resource delegation. | +| `authorizations` | array | The resource delegation authorizations that were created. | +| `subscriptionId` | string | The ID of the subscription to which resource delegation authorizations were created. | +| `resourceGroupId` | string | The ID of the Resource Group to which resource delegation authorizations were created. | + +## Considerations + +This module can be deployed both at subscription and resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. 
+ +### Permissions required to create delegations + +This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, +such as [`Owner`](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). + +If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. + +**More info on this topic:** + +- [Deploy the Azure Resource Manager templates - Onboard a customer to Azure Lighthouse | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#deploy-the-azure-resource-manager-templates) + +### Permissions required to remove delegations + +#### From customer side + +Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as +[`Owner`](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider +access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers +page of the Azure portal and delete the delegation. + +#### From managing tenant side + +Users in a managing tenant can remove access to delegated resources if they were granted the +[`Managed Services Registration Assignment Delete Role`](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) +for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be +removed by a user in the customer's tenant. 
+ +**More info on this topic:** + +- [Service providers - Remove access to a delegation | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/remove-delegation#service-providers) + +### Limitations with Lighthouse and resource delegation + +There are a couple of limitations that you should be aware of with Lighthouse: + +- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365. +- Only supports delegation of control plane permissions. Excludes data plane access. +- Only supports subscription and resource group scopes. Excludes tenant and management group delegations. +- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles. + +**More info on this topic:** + +- [Current limitations - Cross-tenant management experiences | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience#current-limitations) +- [Troubleshooting - Onboard a customer to Azure Lighthouse | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#troubleshooting) + +## Additional resources + +- [What is Azure Lighthouse? | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/overview) +- [Azure delegated resource management | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/azure-delegated-resource-management) +- [Cross-tenant management experiences | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience) +- [Onboard a customer to Azure Lighthouse | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer) diff --git a/arm/Microsoft.Management/managementGroups/deploy.json b/arm/Microsoft.Management/managementGroups/deploy.json new file mode 100644 index 0000000000..da47866ea0 --- /dev/null +++ b/arm/Microsoft.Management/managementGroups/deploy.json 
@@ -0,0 +1,427 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "mgStructure": { + "type": "array", + "metadata": { + "description": "Required. The structure of the management groups" + } + } + }, + "functions": [], + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure 
Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": 
"/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application 
Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "type": "Microsoft.Management/managementGroups", + "comments": "Fake deployment, used to specify a non-existent dependency. Never deployed", + "apiVersion": "2020-05-01", + "scope": "/", + "name": "noop", + "condition": false, + "properties": { + "details": { + "parent": { + "id": "" + } + } + } + }, + { + "copy": { + "name": "mgLoop", + "count": "[length(parameters('mgStructure'))]" + }, + + // excludes from creation the root management group that must pre-exist. + // This anyhow allows RBAC at this level to be created + "condition": "[ + not(equals( + parameters('mgStructure')[copyIndex('mgLoop')].parentId, + '/' + )) + ]", + + // if the element contains 'parentNotManagedInThisTemplate' with value true --> this is a top MG managed in this template + // Then -> The resource has no dependencies (noop used as a 'fake' dependency) + // Else -> get dependency from the parent ID + "dependson":[ + "[ + if( + and( + contains( + parameters('mgStructure')[copyIndex('mgLoop')], + 'parentNotManagedInThisTemplate' + ), + parameters('mgStructure')[copyIndex('mgLoop')].parentNotManagedInThisTemplate + ), + 'noop', + parameters('mgStructure')[copyIndex('mgLoop')].parentId + ) + ]" + ], + + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "scope": "/", + "name": "[parameters('mgStructure')[copyIndex('mgLoop')].name]", + "properties": { + "displayName":"[ + if( + contains( + parameters('mgStructure')[copyIndex('mgLoop')], + 'displayName' + ), + parameters('mgStructure')[copyIndex('mgLoop')].displayName, + parameters('mgStructure')[copyIndex('mgLoop')].name + ) + ]", + "details": { + "parent": { + "id": "[concat( + '/providers/Microsoft.Management/managementGroups/', + parameters('mgStructure')[copyIndex('mgLoop')].parentId + )]" + } + } + } + }, + + // Management Group RBAC + { + "name": "[concat('MGRBAC-', 
if(empty(parameters('mgStructure')), 'dummy', copyIndex() ) )]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('mgStructure')))]", + "location": "[deployment().location]", + "dependsOn": [ + "mgLoop" + ], + "copy": { + "name": "MGRBACLoop", + "count": "[length(parameters('mgStructure'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "MGConfig": { + "value": "[parameters('mgStructure')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "MGDeplLoop": { + "value": "[copyIndex('MGRBACLoop')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "MGConfig": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "MGDeplLoop": { + "type": "int" + } + }, + "resources": [ + { + "name": "[concat('MGRbacDeplLoop-', parameters('MGDeplLoop'), '-', copyIndex('mgRBACDeplLoop'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(array(parameters('MGConfig').roleAssignments)))]", + "location": "[deployment().location]", + "dependsOn": [ + ], + "copy": { + "name": "mgRBACDeplLoop", + "count": "[ + if( + contains( + parameters('MGConfig'), + 'roleAssignments' + ), + length( + array( + parameters('MGConfig').roleAssignments + ) + ), + 0 + ) + ]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "MGName": { + "value": "[parameters('MGConfig').name]" + }, + "roleAssignment": { + "value": "[array(parameters('MGConfig').roleAssignments)[copyIndex('mgRBACDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "MGName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + { + "type": "Microsoft.Management/managementGroups/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[ + concat( + parameters('MGName'), + '/Microsoft.Authorization/', + guid( + uniqueString( + concat( + parameters('MGName') , + array( + parameters('roleAssignment').principalIds + )[copyIndex('innerRbacCopy')], + parameters('roleAssignment').roleDefinitionIdOrName + ) + ) + ) + ) + ]", + + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[ + if( + contains( + parameters('builtInRoleNames'), + parameters('roleAssignment').roleDefinitionIdOrName + ), + parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName], + parameters('roleAssignment').roleDefinitionIdOrName + ) + ]", + "principalId": "[ + array( + parameters('roleAssignment').principalIds + )[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": { + "managementGroupCount": { + "type": "int", + "value": "[length(parameters('mgStructure'))]", + "metadata": { + "description": "Number of management groups considered in the deployment" + } + } + } +} diff --git a/arm/Microsoft.Management/managementGroups/parameters/parameters.json b/arm/Microsoft.Management/managementGroups/parameters/parameters.json new file mode 100644 index 0000000000..02dc4a7f4f --- /dev/null +++ b/arm/Microsoft.Management/managementGroups/parameters/parameters.json 
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "mgStructure": {
+ "value": [
+ {
+ "name":"root",
+ "parentId":"284a3525-0ec7-454c-8a03-90ed7e7a68ce",
+ "parentNotManagedInThisTemplate": true
+ },
+ {
+ "name":"child1",
+ "displayName":"child1Description",
+ "parentId":"root"
+ },
+ {
+ "name":"child2",
+ "parentId":"root"
+ },
+ {
+ "name":"nephew1",
+ "parentId":"child1",
+ "parentNotManagedInThisTemplate": false
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Management/managementGroups/readme.md b/arm/Microsoft.Management/managementGroups/readme.md
new file mode 100644
index 0000000000..1baf9391db
--- /dev/null
+++ b/arm/Microsoft.Management/managementGroups/readme.md
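Review bot: The first `mgStructure` element in managementGroups/parameters/parameters.json hard-codes `"parentId":"284a3525-0ec7-454c-8a03-90ed7e7a68ce"`, which looks like a concrete tenant root management group ID (the module readme notes that the root group uses the tenant GUID as its ID). A sample parameter file committed with a real tenant identifier discloses that tenant. Because the template deploys at tenant scope, anyone running the sample unchanged would most likely fail against a parent that does not exist in their own tenant. I would replace the value with an obvious placeholder, `"parentId": "<tenant-root-management-group-id>"`, and state in the readme that it must be supplied per environment. The file also ends without a trailing newline.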
@@ -0,0 +1,128 @@ +# Management groups + +This template will prepare the Management group structure based on the provided parameter. + +This module has some known **limitations**: +- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID) +- It can't manage the Root (/) management group + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Management/managementGroups`|2020-05-01| +|`Microsoft.Resources/deployments`|2020-06-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `mgStructure` | Array of objects | | Complex structure, see below | Required. The structure of the management groups | + +### Parameter Usage: mgStructure + +Describes the Management groups to be created. Each management group is represented by an element of the array + +``` json +"mgStructure": { + "value": [ + { + "name":"tst1", + "parentId":"test-mg", + "parentNotManagedInThisTemplate": true + }, + { + "name":"child1", + "parentId":"tst1", + "roleAssignments":[ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345567-890a-bcde-f012-456789000000", // object 1 + "12345567-890a-bcde-f012-456789000001" // object 2 + ] + } + ] + }, + { + "name":"child2", + "displayName": "anotherName", + "parentId":"tst1", + "parentNotManagedInThisTemplate": false + }, + { + "name":"nephew1", + "parentId":"child1", + "parentNotManagedInThisTemplate": false + } + ] +} + +``` + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `name` | string | | | Mandatory. The ID of the Management group | +| `parentId` | string | | A MG name | Mandatory. The template will concatenate `/providers/Microsoft.Management/managementGroups/` to create the resource ID of the parent management group the deployed one is child of | +| `displayName` | string | `name` | | Optional. 
The display name of the management group. If not specified, the id (name) will be used | +| `parentNotManagedInThisTemplate` | bool | `false` | | Optional. `true` if the parent management group is existing and defined elsewhere, `false` if the parent MG is also managed in this template. This parameter is used to define the deployment sequence | +| `roleAssignments` | array | | | Optional. Array of role assignment objects | + + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } +] +``` + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `roleDefinitionIdOrName` | string | | | Mandatory. The name or the ID of the role to assign to the management group | +| `principalIds` | array | | | Mandatory. An array of principal IDs | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `managementGroupCount` | int | Number of management groups considered in the deployment | + +## Considerations + +This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) + +> If owner access is excessive, the following rights roles will grant enough rights: +> **Automation Job Operator** at **tenant** level (scope '/')
+> **Management Group Contributor** at the top management group that needs to be managed +> +>> Consider using the following script:
+>> `$PrincipalID = ""`
+>> `$TopMGID = ""`
+>> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"`
+>> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"` + +## Additional resources + +- [Management group](https://docs.microsoft.com/en-us/azure/governance/management-groups/) +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups) \ No newline at end of file diff --git a/arm/Microsoft.NetApp/netAppAccounts/deploy.json b/arm/Microsoft.NetApp/netAppAccounts/deploy.json new file mode 100644 index 0000000000..3499f4e876 --- /dev/null +++ b/arm/Microsoft.NetApp/netAppAccounts/deploy.json 
@@ -0,0 +1,757 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "netAppAccountName": { + "type": "string", + "metadata": { + "description": "Required. The name of the NetApp account." + } + }, + "domainName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com')" + } + }, + "domainJoinUser": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain." + } + }, + "domainJoinPassword": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter" + } + }, + "domainJoinOU": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel')." + } + }, + "dnsServers": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed." + } + }, + "smbServerNamePrefix": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes" + } + }, + "capacityPools": { + "type": "array", + "metadata": { + "description": "Required. Capacity pools to create." 
+ } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock all resources from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags for all resources." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "activeDirectoryConnectionProperties": [ + { + "username": "[if(empty(parameters('domainName')), json('null'), parameters('domainJoinUser'))]", + "password": "[if(empty(parameters('domainName')), json('null'), parameters('domainJoinPassword'))]", + "domain": "[if(empty(parameters('domainName')), json('null'), parameters('domainName'))]", + "dns": "[if(empty(parameters('domainName')), json('null'), parameters('dnsServers'))]", + "smbServerName": "[if(empty(parameters('domainName')), json('null'), parameters('smbServerNamePrefix'))]", + "organizationalUnit": "[if(empty(parameters('domainJoinOU')), json('null'), parameters('domainJoinOU'))]" + } + ], + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data 
Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services 
Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data 
Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": 
"/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App 
Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": 
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": 
"/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + 
"Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + // cuaId + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "condition": "[not(empty(parameters('cuaId')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // netapp account + { + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2020-08-01", + "name": "[parameters('netAppAccountName')]", + "tags": "[parameters('tags')]", + "location": "[parameters('location')]", + "properties": { + "activeDirectories": "[if(empty(parameters('domainName')), json('null'), variables('activeDirectoryConnectionProperties'))]" + }, + "resources": [ + // netapp account lock + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "name": "Microsoft.Authorization/netAppAccountsDoNotDelete", + "condition": "[parameters('lockForDeletion')]", + "dependsOn": [ + "[concat('Microsoft.NetApp/netAppAccounts/', parameters('netAppAccountName'))]" + ], + "comments": "Resource lock.", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + // netapp account RBAC loop + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ANF-Account-Rbac-', copyIndex())]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('netAppAccountName')]" + ], + "copy": { + "name": "netAppRbacDeplLoop", + "count": 
"[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "netAppAccountName": { + "value": "[parameters('netAppAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "netAppAccountName": { + "type": "string" + } + }, + "resources": [ + // netapp account RBAC + { + "type": "Microsoft.NetApp/netAppAccounts/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('netAppAccountName'), '/Microsoft.Authorization/', guid(parameters('netAppAccountName'), array(parameters('roleAssignment').principalIds)[copyIndex('netAppAccountInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", + "dependsOn": [ + ], + "copy": { + "name": "netAppAccountInnerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + }, + // capacity pool + { + "type": "Microsoft.NetApp/netAppAccounts/capacityPools", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('netAppAccountName'), '/', if(empty(parameters('capacityPools')), 'dummy', parameters('capacityPools')[copyIndex()].poolName))]", + "condition": 
"[not(empty(parameters('capacityPools')))]", + "tags": "[parameters('tags')]", + "location": "[parameters('location')]", + "copy": { + "name": "capacityPoolLoop", + "count": "[length(parameters('capacityPools'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('netAppAccountName'))]" + ], + "properties": { + "serviceLevel": "[parameters('capacityPools')[copyIndex()].poolServiceLevel]", + "size": "[parameters('capacityPools')[copyIndex()].poolSize]" + }, + "resources": [ + // capacity pool lock + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "name": "Microsoft.Authorization/capacityPoolsDoNotDelete", + "condition": "[parameters('lockForDeletion')]", + "dependsOn": [ + "[concat('Microsoft.NetApp/netAppAccounts/', parameters('netAppAccountName'), '/capacityPools/',if(empty(parameters('capacityPools')), 'dummy', parameters('capacityPools')[copyIndex()].poolName))]" + ], + "comments": "Resource lock.", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + // capacity pool RBAC, volume, volume RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ANF-CapPool-', if(empty(parameters('capacityPools')), 'dummy', copyIndex()) )]", + "condition": "[not(empty(parameters('capacityPools')))]", + "dependsOn": [ + "capacityPoolLoop" + ], + "copy": { + "name": "cpDeplLoop", + "count": "[length(parameters('capacityPools'))]", + "mode": "serial" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "netAppAccountName": { + "value": "[parameters('netAppAccountName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "lockForDeletion": { + "value": "[parameters('lockForDeletion')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "capacityPool": { + "value": "[parameters('capacityPools')[copyIndex()]]" + }, + 
"builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "netAppAccountName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "lockForDeletion": { + "type": "bool" + }, + "tags": { + "type": "object" + }, + "capacityPool": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + // capacity pool RBAC loop + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Rbac-', if(empty(parameters('capacityPool').roleAssignments),'dummy', copyIndex()) )]", + "condition": "[not(empty(array(parameters('capacityPool').roleAssignments)))]", + "dependsOn": [ + ], + "copy": { + "name": "cpRbacDeplLoop", + "count": "[length(array(parameters('capacityPool').roleAssignments))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "netAppAccountName": { + "value": "[parameters('netAppAccountName')]" + }, + "capacityPoolName": { + "value": "[parameters('capacityPool').poolName]" + }, + "roleAssignment": { + "value": "[array(parameters('capacityPool').roleAssignments)[copyIndex('cpRbacDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "netAppAccountName": { + "type": "string" + }, + "capacityPoolName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + // capacity pool RBAC + { + "type": "Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": 
"[concat(parameters('netAppAccountName'), '/', parameters('capacityPoolName'),'/Microsoft.Authorization/', if(empty(parameters('roleAssignment')), guid(parameters('netAppAccountName')), guid(parameters('netAppAccountName'), parameters('capacityPoolName'), array(parameters('roleAssignment').principalIds)[copyIndex('cpRbacLoop')], parameters('roleAssignment').roleDefinitionIdOrName )))]", + "condition": "[not(empty(parameters('roleAssignment')))]", + "copy": { + "name": "cpRbacLoop", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('cpRbacLoop')]]" + } + } + ] + } + } + }, + // volume + { + "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('netAppAccountName'), '/', parameters('capacityPool').poolName, '/', if(empty(parameters('capacityPool').volumes), 'dummy', parameters('capacityPool').volumes[copyIndex('volumeLoop')].poolVolumeName))]", + "condition": "[not(empty(parameters('capacityPool').volumes))]", + "tags": "[parameters('tags')]", + "location": "[parameters('location')]", + "copy": { + "name": "volumeLoop", + "count": "[length(parameters('capacityPool').volumes)]", + "mode": "serial" + }, + "dependsOn": [ + ], + "properties": { + "serviceLevel": "[parameters('capacityPool').poolServiceLevel]", + "creationToken": "[parameters('capacityPool').volumes[copyIndex('volumeLoop')].creationToken]", + "usageThreshold": "[parameters('capacityPool').volumes[copyIndex('volumeLoop')].poolVolumeQuota]", + "protocolTypes": "[parameters('capacityPool').volumes[copyIndex('volumeLoop')].protocolTypes]", + "subnetId": 
"[parameters('capacityPool').volumes[copyIndex('volumeLoop')].subnetId]", + "exportPolicy": "[if(not(contains(parameters('capacityPool').volumes[copyIndex('volumeLoop')], 'exportPolicy')), json('null'), parameters('capacityPool').volumes[copyIndex('volumeLoop')].exportPolicy)]" + }, + "resources": [ + // volume lock + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "name": "Microsoft.Authorization/volumesDoNotDelete", + "condition": "[parameters('lockForDeletion')]", + "dependsOn": [ + "[concat('Microsoft.NetApp/netAppAccounts/', parameters('netAppAccountName'), '/capacityPools/', parameters('capacityPool').poolName, '/volumes/', if(empty(parameters('capacityPool').volumes), 'dummy', parameters('capacityPool').volumes[copyIndex('volumeLoop')].poolVolumeName))]" + ], + "comments": "Resource lock.", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + //volume loop + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Vol-', if(empty(array(parameters('capacityPool').volumes)), 'dummy', copyIndex()))]", + "condition": "[not(empty(array(parameters('capacityPool').volumes)))]", + "dependsOn": [ + "volumeLoop" + ], + "copy": { + "name": "volumeDeplLoop", + "count": "[length(array(parameters('capacityPool').volumes))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "netAppAccountName": { + "value": "[parameters('netAppAccountName')]" + }, + "capacityPoolName": { + "value": "[parameters('capacityPool').poolName]" + }, + "volume": { + "value": "[array(parameters('capacityPool').volumes)[copyIndex('volumeDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "netAppAccountName": { + "type": "string" + }, + 
"capacityPoolName": { + "type": "string" + }, + "volume": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + // volume RBAC loop + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Rbac-', if(empty(array(parameters('volume').roleAssignments)), 'dummy', copyIndex()))]", + "condition": "[not(empty(array(parameters('volume').roleAssignments)))]", + "dependsOn": [ + ], + "copy": { + "name": "volumeRbacDeplLoop", + "count": "[length(array(parameters('volume').roleAssignments))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "netAppAccountName": { + "value": "[parameters('netAppAccountName')]" + }, + "capacityPoolName": { + "value": "[parameters('capacityPoolName')]" + }, + "volumeName": { + "value": "[parameters('volume').poolVolumeName]" + }, + "roleAssignment": { + "value": "[array(parameters('volume').roleAssignments)[copyIndex('volumeRbacDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "netAppAccountName": { + "type": "string" + }, + "capacityPoolName": { + "type": "string" + }, + "volumeName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + } + }, + "resources": [ + // volume RBAC + { + "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('netAppAccountName'), '/', parameters('capacityPoolName'), '/', parameters('volumeName'),'/Microsoft.Authorization/', if(empty(parameters('roleAssignment')), guid(parameters('netAppAccountName')), guid(parameters('netAppAccountName'), 
parameters('capacityPoolName'), parameters('volumeName'), array(parameters('roleAssignment').principalIds)[copyIndex('volumeRbacLoop')], parameters('roleAssignment').roleDefinitionIdOrName )))]", + "condition": "[not(empty(parameters('roleAssignment')))]", + "copy": { + "name": "volumeRbacLoop", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('volumeRbacLoop')]]" + } + } + ] + } + } + } + ] + } + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "netAppAccountName": { + "type": "string", + "value": "[parameters('netAppAccountName')]", + "metadata": { + "description": "The Name of the NetApp account deployed." + } + }, + "netAppAccountResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the NetApp account was created in." + } + }, + "netAppAccountResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.NetApp/netAppAccounts',parameters('netAppAccountName'))]", + "metadata": { + "description": "The Resource Id of the NetApp account deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.NetApp/netAppAccounts/parameters/parameters.json b/arm/Microsoft.NetApp/netAppAccounts/parameters/parameters.json new file mode 100644 index 0000000000..a26afd1b77 --- /dev/null +++ b/arm/Microsoft.NetApp/netAppAccounts/parameters/parameters.json 
@@ -0,0 +1,155 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "netAppAccountName": {
+ "value": "sxx-az-anf-weu-x-001"
+ },
+ "domainName": {
+ "value": ""
+ },
+ "domainJoinUser": {
+ "value": ""
+ },
+ // "domainJoinPassword": {
+ // "reference": {
+ // "keyVault": {
+ // "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ // },
+ // "secretName": "adadmin-Password"
+ // }
+ // },
+ "dnsServers": {
+ "value": ""
+ },
+ "smbServerNamePrefix": {
+ "value": ""
+ },
+ "domainJoinOU": {
+ "value": ""
+ },
+ "capacityPools": {
+ "value": [
+ {
+ "poolName": "sxx-az-anfcp-weu-x-001",
+ "poolServiceLevel": "Premium",
+ "poolSize": 4398046511104,
+ "volumes": [
+ // NFS3 VOL
+ {
+ "poolVolumeName": "vol01-nfsv3",
+ "creationToken": "vol01-nfsv3",
+ "poolVolumeQuota": 107374182400,
+ "protocolTypes": [
+ "NFSv3"
+ ],
+ "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003/subnets/sxx-az-subnet-weu-x-004",
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "56789123-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ ]
+ },
+ // NFS41 VOL
+ {
+ "poolVolumeName": "vol01-nfsv41",
+ "creationToken": "vol01-nfsv41",
+ "poolVolumeQuota": 107374182400,
+ "protocolTypes": [
+ "NFSv4.1"
+ ],
+ "exportPolicy": {
+ "rules": [
+ {
+ "ruleIndex": 1,
+ "unixReadOnly": false,
+ "unixReadWrite": true,
+ "nfsv3": false,
+ "nfsv41": true,
+ "allowedClients": "0.0.0.0/0"
+ }
+ ]
+ },
+ "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003/subnets/sxx-az-subnet-weu-x-004",
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ }
+ // ,
+ // SMB VOL (Requires enabling AD connection)
+ // {
+ // "poolVolumeName": "vol01-smb",
+ // "creationToken": "vol01-smb",
+ // "poolVolumeQuota": 107374182400,
+ // "protocolTypes": [
+ // "CIFS"
+ // ],
+ // "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003/subnets/sxx-az-subnet-weu-x-004",
+ // "roleAssignments": [
+ // // {
+ // // "roleDefinitionIdOrName": "Reader",
+ // // "principalIds": [
+ // // "78945612-1234-1234-1234-123456789012" // object 3
+ // // ]
+ // // }
+ // ]
+ // }
+ ],
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ },
+ {
+ "poolName": "sxx-az-anfcp-weu-x-002",
+ "poolServiceLevel": "Premium",
+ "poolSize": 4398046511104,
+ "volumes": [],
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ }
+ ]
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ // ]
+ // },
+ "tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+ },
+ "lockForDeletion": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.NetApp/netAppAccounts/readme.md b/arm/Microsoft.NetApp/netAppAccounts/readme.md
new file mode 100644
index 0000000000..78f5bfc351
--- /dev/null
+++ b/arm/Microsoft.NetApp/netAppAccounts/readme.md
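Review bot: The export rule on the `vol01-nfsv41` volume in netAppAccounts/parameters/parameters.json sets `"allowedClients": "0.0.0.0/0"` together with `"unixReadWrite": true`, so any host that can route to the delegated subnet may mount the volume read-write. Sample parameter files tend to be copied as a starting point, so the rule should name the consuming range instead, for example `"allowedClients": "<client-subnet-CIDR>"` (placeholder). The `vol01-nfsv3` entry carries no `exportPolicy` at all, and deploy.json then passes `json('null')`; the service default that applies in that case is presumably just as open, so an explicit rule there would be worth adding too. The same `0.0.0.0/0` example is repeated in the readme.md hunk of this commit.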
@@ -0,0 +1,196 @@ +# AzureNetAppFiles + +This template deploys Azure NetApp Files. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2020-06-01| +|`Microsoft.NetApp/netAppAccounts`|2020-08-01| +|`Microsoft.NetApp/netAppAccounts/capacityPools`|2020-08-01| +|`Microsoft.NetApp/netAppAccounts/capacityPools/volumes`|2020-08-01| +|`Microsoft.NetApp/netAppAccounts/providers/roleAssignments` | 2020-04-01-preview | +|`providers/locks`|2016-09-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `capacityPools` | array | Required. Capacity pools to create. | | Complex structure, see below. | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | `""` | | +| `dnsServers` | string | Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | `""` | | +| `domainJoinOU` | string | Optional. Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. `"OU=SecondLevel,OU=FirstLevel"`). | `""` | | +| `domainJoinPassword` | securestring | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | `""` | | +| `domainJoinUser` | string | Optional. Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | `""` | | +| `domainName` | string | Optional. Fully Qualified Active Directory DNS Domain Name (e.g. `"contoso.com"`). | `""` | | +| `location` | string | Optional. Location for all resources. | `"[resourceGroup().location]"` | | +| `lockForDeletion` | bool | Optional. Switch to lock all resources from deletion. 
| `false` | | +| `netAppAccountName` | string | Required. The name of the NetApp account. | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.| `[]` | Complex structure, see below. | +| `smbServerNamePrefix` | string | Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | `""` | | +| `tags` | object | Optional. Tags of all resources. | `{}` | Complex structure, see below. | + +### Parameter Usage: `capacityPools` + +The `capacityPools` parameter accepts a JSON array of objects with the following properties: + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +|poolName | string | Required. The name of the capacity pool. | +|poolServiceLevel | string | Required. The service level of the file system. - Standard, Premium, Ultra | +|poolSize | int | Required. Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). | +|volumes | array | Optional. Volumes to be created. | +|roleAssignments | array | Optional. RBAC can also be assigned at capacity pool level. | + +Here's an example of specifying a single capacity pool with no volumes, named "sxx-az-anfcp-weu-x-001", with Premium service level, 4TiB of size and Reader role assigned to two principal Ids. 
+ +```json +"capacityPools": { + "value": [ + { + "poolName": "sxx-az-anfcp-weu-x-001", + "poolServiceLevel": "Premium", + "poolSize": 4398046511104, + "volumes": [], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + } + ] + } + ] +} +``` + +As part of the capacityPool parameter, the `volumes` parameter accepts a JSON array of objects with the following properties: + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +|poolVolumeName | string | Required. The name of the volume. | +|creationToken | string | Required. A unique file path for the volume. Used when creating mount targets. | +|poolVolumeQuota | int | Required. Maximum storage quota allowed for a file system in bytes. This is a soft quota used for alerting only. Minimum size is 100 GiB. Upper limit is 100TiB. Specified in bytes. | +|protocolTypes | array | Required. Set of protocol types - string | +|exportPolicy | object | Optional. Set of export policy rules for NFS volume types. You can create up to five export policy rules. | +|subnetId | string | Required. The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. | +|roleAssignments | array | Optional. RBAC can also be assigned at capacity pool level. | + +Here's an example of specifying three volumes of different protocol types: NFSv3, NFSv4.1 and SMB (CIFS) named respectively "vol01-nfsv3", "vol01-nfsv41" and "vol01-smb". +Each having 100GB of storage quota and using the same delegated subnet. +The NTFSv4.1 volume also specifies one export policy rule allowing Read and Write access to the volume. 
+ +```json +"volumes": [ + // NFS3 VOL + { + "poolVolumeName": "vol01-nfsv3", + "creationToken": "vol01-nfsv3", + "poolVolumeQuota": 107374182400, + "protocolTypes": [ + "NFSv3" + ], + "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-004", + "roleAssignments": [] + }, + // NFS41 VOL + { + "poolVolumeName": "vol01-nfsv41", + "creationToken": "vol01-nfsv41", + "poolVolumeQuota": 107374182400, + "protocolTypes": [ + "NFSv4.1" + ], + "exportPolicy": { + "rules": [ + { + "ruleIndex": 1, + "unixReadOnly": false, + "unixReadWrite": true, + "nfsv3": false, + "nfsv41": true, + "allowedClients": "0.0.0.0/0" + } + ] + }, + "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-004", + "roleAssignments": [] + }, + // SMB VOL (Requires AD connection) + { + "poolVolumeName": "vol01-smb", + "creationToken": "vol01-smb", + "poolVolumeQuota": 107374182400, + "protocolTypes": [ + "CIFS" + ], + "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-004", + "roleAssignments": [] + } +] +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `netAppAccountResourceGroup` | string | The name of the Resource Group the NetApp account was created in. | +| `netAppAccountResourceId` | string | The Resource Id of the NetApp account deployed. | +| `netAppAccountName` | string | The Name of the NetApp account deployed. | + +## Considerations + +This module allows the generic deployment of SMB, NFSv3 and NFSv4.1 NetApp volumes. Please refer to the Archetype for additional scenarios, such as creating a dual-protocol (NFSv3 and SMB) volumes and configuring NFSv4.1 Kerberos encryption. + +## Additional resources + +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [NetAppAccountS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2020-06-01/netappaccounts) +- [NetAppAccountS/capacityPoolS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2020-06-01/netappaccounts/capacitypools) +- [NetAppAccountS/capacityPoolS/volumeS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2020-06-01/netappaccounts/capacitypools/volumes) +- [Configure export policy for an NFS volume](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-configure-export-policy) +- [Troubleshoot Azure NetApp Files Resource Provider errors](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-troubleshoot-resource-provider-errors) 
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.json b/arm/Microsoft.Network/applicationGateways/deploy.json
new file mode 100644
index 0000000000..7d41c9002e
--- /dev/null
+++ b/arm/Microsoft.Network/applicationGateways/deploy.json
@@ -0,0 +1,885 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "applicationGatewayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name to be used for the Application Gateway."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_Small",
+ "Standard_Medium",
+ "Standard_Large",
+ "WAF_Medium",
+ "WAF_Large",
+ "Standard_v2",
+ "WAF_v2"
+ ],
+ "defaultValue": "WAF_Medium",
+ "metadata": {
+ "description": "Optional. The name of the SKU for the Application Gateway."
+ }
+ },
+ "capacity": {
+ "type": "int",
+ "defaultValue": 2,
+ "minValue": 1,
+ "maxValue": 10,
+ "metadata": {
+ "description": "Optional. The number of Application instances to be configured."
+ }
+ },
+ "http2Enabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enables HTTP/2 support."
+ }
+ },
+ "frontendPublicIpResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. PublicIP Resource Id used in Public Frontend."
+ }
+ },
+ "frontendPrivateIpAddress": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The private IP within the Application Gateway subnet to be used as frontend private address.",
+ "limitations": "The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed"
+ }
+ },
+ "vNetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Virtual Network where the Application Gateway will be deployed."
+ }
+ },
+ "subnetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of Gateway Subnet Name where the Application Gateway will be deployed."
+ }
+ },
+ "vNetResourceGroup": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed."
+ }
+ },
+ "vNetSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "description": "Optional. The Subscription Id of the Virtual Network where the Application Gateway will be deployed."
+ }
+ },
+ "managedIdentityResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource Id of an User assigned managed identity which will be associated with the App Gateway."
+ }
+ },
+ "gatewayIpConfigurationName": {
+ "type": "string",
+ "defaultValue": "gatewayIpConfiguration01",
+ "metadata": {
+ "description": "Optional. Application Gateway IP configuration name."
+ }
+ },
+ "sslCertificateName": {
+ "type": "string",
+ "defaultValue": "sslCertificate01",
+ "metadata": {
+ "description": "Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners."
+ }
+ },
+ "sslCertificateKeyVaultSecretId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Secret Id of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners."
+ }
+ },
+ "backendPools": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. The backend pools to be configured."
+ }
+ },
+ "backendHttpConfigurations": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools."
+ }
+ },
+ "probes": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. The backend HTTP settings probes to be configured."
+ } + }, + "frontendHttpListeners": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Required. The frontend http listeners to be configured." + } + }, + "frontendHttpsListeners": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Required. The frontend https listeners to be configured." + } + }, + "frontendHttpRedirects": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. The http redirects to be configured. Each redirect will route http traffic to a pre-defined frontEnd https listener." + } + }, + "routingRules": { + "type": "array", + "metadata": { + "description": "Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered." 
+ } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "applicationGatewayResourceId": "[resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName'))]", + "diagnosticSettingName": "[concat(parameters('applicationGatewayName'), '/','Microsoft.Insights/service')]", + "subnetResourceId": "[resourceId(parameters('vNetSubscriptionId'), parameters('vNetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), parameters('subnetName'))]", + "frontendPublicIPConfigurationName": "public", + "frontendPrivateIPConfigurationName": "private", + "frontendPrivateIPDynamicConfiguration": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('subnetResourceId')]" + } + }, + "frontendPrivateIPStaticConfiguration": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[parameters('frontendPrivateIPAddress')]", + "subnet": { + "id": "[variables('subnetResourceId')]" + } + }, + "backendPoolsCount": "[length(parameters('backendPools'))]", + "backendHttpConfigurationsCount": "[length(parameters('backendHttpConfigurations'))]", + "probesCount": "[length(parameters('probes'))]", + "frontendHttpListenersCount": "[length(parameters('frontendHttpListeners'))]", + 
"frontendHttpsListenersCount": "[length(parameters('frontendHttpsListeners'))]", + "frontendHttpRedirectsCount": "[length(parameters('frontendHttpRedirects'))]", + "frontendListenerhttpsCertificateObject": { + "Id": "[concat(variables('applicationGatewayResourceId'), '/sslCertificates/', parameters('sslCertificateName'))]" + }, + "routingRulesCount": "[length(parameters('routingRules'))]", + "redirectConfigurationsHttpRedirectNamePrefix": "httpRedirect", + "httpListenerhttpRedirectNamePrefix": "httpRedirect", + "requestRoutingRuleHttpRedirectNamePrefix": "httpRedirect", + "wafConfiguration": { + "enabled": true, + "firewallMode": "Detection", + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0", + "disabledRuleGroups": [ + ], + "requestBodyCheck": true, + "maxRequestBodySizeInKb": "128" + }, + "sslCertificates": [ + { + "name": "[parameters('sslCertificateName')]", + "properties": { + "keyVaultSecretId": "[parameters('sslCertificateKeyVaultSecretId')]" + } + } + ], + "copy": [ + { + "name": "backendAddressPools", + "count": "[variables('backendPoolsCount')]", + "input": { + "name": "[parameters('backendPools')[copyIndex('backendAddressPools')].backendPoolName]", + "type": "Microsoft.Network/applicationGateways/backendAddressPools", + "properties": { + "backendAddresses": "[if(contains(parameters('backendPools')[copyIndex('backendAddressPools')], 'BackendAddresses'), parameters('backendPools')[copyIndex('backendAddressPools')].BackendAddresses, variables('emptyArray'))]" + } + } + }, + { + "name": "probes", + "count": "[variables('probesCount')]", + "input": { + "name": "[concat(parameters('probes')[copyIndex('probes')].backendHttpConfigurationName,'Probe')]", + "type": "Microsoft.Network/applicationGateways/probes", + "properties": { + "protocol": "[parameters('probes')[copyIndex('probes')].protocol]", + "host": "[parameters('probes')[copyIndex('probes')].host]", + "path": "[parameters('probes')[copyIndex('probes')].path]", + "interval": 
"[if(contains(parameters('probes')[copyIndex('probes')], 'interval'), parameters('probes')[copyIndex('probes')].interval, 30)]", + "timeout": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].timeout, 30)]", + "unhealthyThreshold": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].unhealthyThreshold, 3)]", + "minServers": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].minServers, 0)]", + "match": { + "body": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].body, '')]", + "statusCodes": "[parameters('probes')[copyIndex('probes')].statusCodes]" + } + } + } + }, + { + "name": "backendHttpConfigurations", + "count": "[variables('backendHttpConfigurationsCount')]", + "input": { + "name": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].backendHttpConfigurationName]", + "properties": { + "Port": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].port]", + "Protocol": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].protocol]", + "CookieBasedAffinity": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].cookieBasedAffinity]", + "pickHostNameFromBackendAddress": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].pickHostNameFromBackendAddress]", + "probeEnabled": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].probeEnabled]", + "probe": "[if(bool(parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].probeEnabled), + createObject('id', concat(variables('applicationGatewayResourceId'), '/probes/', parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].backendHttpConfigurationName, 'Probe')), + 
json('null') + )]" + } + } + }, + { + "name": "frontendHttpsPorts", + "count": "[if(equals(variables('frontendHttpsListenersCount'),0),1,variables('frontendHttpsListenersCount'))]", + "input": { + "name": "[if(equals(variables('frontendHttpsListenersCount'),0),'dummy',concat('port',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsPorts')].port))]", + "properties": { + "Port": "[if(equals(variables('frontendHttpsListenersCount'),0),0,parameters('frontendHttpsListeners')[copyIndex('frontendHttpsPorts')].port)]" + } + } + }, + { + "name": "frontendHttpsListeners", + "count": "[variables('frontendHttpsListenersCount')]", + "input": { + "name": "[parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].frontendListenerName]", + "properties": { + "FrontendIPConfiguration": { + "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].frontendIPType)]" + }, + "FrontendPort": { + "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].port))]" + }, + "Protocol": "https", + "SslCertificate": "[variables('frontendListenerhttpsCertificateObject')]" + } + } + }, + { + "name": "frontendHttpPorts", + "count": "[if(equals(variables('frontendHttpListenersCount'),0),1,variables('frontendHttpListenersCount'))]", + "input": { + "name": "[if(equals(variables('frontendHttpListenersCount'),0),'dummy',concat('port',parameters('frontendHttpListeners')[copyIndex('frontendHttpPorts')].port))]", + "properties": { + "Port": "[if(equals(variables('frontendHttpListenersCount'),0),0,parameters('frontendHttpListeners')[copyIndex('frontendHttpPorts')].port)]" + } + } + }, + { + "name": "frontendHttpListeners", + "count": "[variables('frontendHttpListenersCount')]", + "input": { + "name": 
"[parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].frontendListenerName]", + "properties": { + "FrontendIPConfiguration": { + "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].frontendIPType)]" + }, + "FrontendPort": { + "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].port))]" + }, + "Protocol": "http" + } + } + }, + { + "name": "httpsRequestRoutingRules", + "count": "[variables('routingRulesCount')]", + "input": { + "name": "[concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].frontendListenerName,'-',concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName),'-',concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName))]", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[concat(variables('applicationGatewayResourceId'), '/httpListeners/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].frontendListenerName)]" + }, + "backendAddressPool": { + "id": "[concat(variables('applicationGatewayResourceId'), '/backendAddressPools/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendPoolName)]" + }, + "backendHttpSettings": { + "id": "[concat(variables('applicationGatewayResourceId'), '/backendHttpSettingsCollection/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName)]" + } + } + } + }, + { + "name": "frontendHttpRedirectPorts", + "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", + "input": { + "name": 
"[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat('port',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirectPorts')].port))]", + "properties": { + "Port": "[if(equals(variables('frontendHttpRedirectsCount'),0),0,parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirectPorts')].port)]" + } + } + }, + { + "name": "frontendHttpRedirects", + "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", + "input": { + "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('httpListenerhttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].port))]", + "properties": { + "FrontendIPConfiguration": { + "Id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].frontendIPType))]" + }, + "FrontendPort": { + "Id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].port)))]" + }, + "Protocol": "http" + } + } + }, + { + "name": "httpRequestRoutingRules", + "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", + "input": { + "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('requestRoutingRuleHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port,'-',parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].frontendListenerName))]", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'), '/httpListeners/', 
concat(variables('httpListenerhttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port)))]" + }, + "redirectConfiguration": { + "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'), '/redirectConfigurations/', concat(variables('redirectConfigurationsHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port)))]" + } + } + } + }, + { + "name": "httpRedirectConfigurations", + "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", + "input": { + "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('redirectConfigurationsHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].port))]", + "properties": { + "redirectType": "Permanent", + "includePath": true, + "includeQueryString": true, + "requestRoutingRules": [ + { + "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('ApplicationGatewayResourceID'), '/requestRoutingRules/', concat(variables('requestRoutingRuleHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].port,'-',parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].frontendListenerName)))]" + } + ], + "targetListener": { + "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('ApplicationGatewayResourceID'), '/httpListeners/', parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].frontendListenerName))]" + } + } + } + } + ], + "emptyArray": [ + ], + "frontendPorts": 
"[concat(if(empty(parameters('frontendHttpListeners')),variables('emptyArray'),variables('frontendHttpPorts')),if(empty(parameters('frontendHttpsListeners')),variables('emptyArray'),variables('frontendHttpsPorts')),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('frontendHttpRedirectPorts')))]", + "httpListeners": "[concat(if(empty(parameters('frontendHttpListeners')),variables('emptyArray'),variables('frontendHttpListeners')),if(empty(parameters('frontendHttpsListeners')),variables('emptyArray'),variables('frontendHttpsListeners')),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('frontendHttpRedirects')))]", + "redirectConfigurations": "[if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('httpRedirectConfigurations'))]", + "requestRoutingRules": "[concat(variables('httpsRequestRoutingRules'),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('httpRequestRoutingRules')))]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('managedIdentityResourceId')]": {} + } + }, + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
+ "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/applicationGateways",
+ "name": "[parameters('applicationGatewayName')]",
+ "apiVersion": "2020-07-01",
+ "location": "[parameters('location')]",
+ "identity": "[if(empty(parameters('managedIdentityResourceId')), json('null'), variables('identity'))]",
+ "tags": "[parameters('tags')]",
+ "dependsOn": [
+ ],
+ "properties": {
+ "sku": {
+ "name": "[parameters('sku')]",
+ "tier": "[if(endsWith(parameters('sku'),'v2'),parameters('sku'),substring(parameters('sku'),0,indexOf(parameters('sku'),'_')))]",
+ "capacity": "[parameters('capacity')]"
+ },
+ "gatewayIPConfigurations": [
+ {
+ "name": "[parameters('gatewayIpConfigurationName')]",
+ "properties": {
+ "subnet": {
+ "id": "[variables('subnetResourceId')]"
+ }
+ }
+ }
+ ],
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('frontendPrivateIPConfigurationName')]",
+ "type": "Microsoft.Network/applicationGateways/frontendIPConfigurations",
+ "properties": "[if(empty(parameters('frontendPrivateIPAddress')),variables('frontendPrivateIPDynamicConfiguration'),variables('frontendPrivateIPStaticConfiguration'))]"
+ },
+ {
+ "name": "[variables('frontendPublicIPConfigurationName')]",
+ "properties": {
+ "PublicIPAddress": {
+ "id": "[parameters('frontendPublicIpResourceId')]"
+ }
+ }
+ }
+ ],
+ "sslCertificates": "[if(empty(parameters('sslCertificateKeyVaultSecretId')), json('null'), variables('sslCertificates'))]",
+ "backendAddressPools": "[variables('backendAddressPools')]",
+ "probes": "[variables('probes')]",
+ "backendHttpSettingsCollection": "[variables('backendHttpConfigurations')]",
+ "frontendPorts": "[variables('frontendPorts')]",
+ "httpListeners": "[variables('httpListeners')]",
+ "redirectConfigurations": "[variables('redirectConfigurations')]",
+ "requestRoutingRules": "[variables('requestRoutingRules')]",
+ "enableHttp2": "[parameters('http2Enabled')]",
+ "webApplicationFirewallConfiguration": "[if(startsWith(parameters('sku'),'WAF'), variables('wafConfiguration'),json('null'))]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/appGatewaysDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/applicationGateways/', parameters('applicationGatewayName'))]"
+ ],
+ "comments": "Resource lock on Application Gateway",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "name": "[variables('diagnosticSettingName')]",
+ "dependsOn": [
+ "[variables('applicationGatewayResourceId')]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('applicationGatewayName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "applicationGatewayName": {
+ "value": "[parameters('applicationGatewayName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "applicationGatewayName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/applicationGateways/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('applicationGatewayName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('applicationGatewayName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "applicationGatewayName": {
+ "type": "string",
+ "value": "[parameters('applicationGatewayName')]",
+ "metadata": {
+ "description": "The Application Gateway Name"
+ }
+ },
+ "applicationGatewayResourceId": {
+ "type": "string",
+ "value": "[variables('applicationGatewayResourceId')]",
+ "metadata": {
+ "description": "The Resource Id of the Application Gateway"
+ }
+ },
+ "applicationGatewayResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group with the Application Gateway"
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/applicationGateways/parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/parameters/parameters.json
new file mode 100644
index 0000000000..e9827b939e
--- /dev/null
+++ b/arm/Microsoft.Network/applicationGateways/parameters/parameters.json
@@ -0,0 +1,145 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "applicationGatewayName": {
+ "value": "sxx-az-apgw-weu-x-002"
+ },
+ "sku": {
+ "value": "WAF_v2"
+ },
+ "vNetName": {
+ "value": "sxx-az-vnet-weu-x-003"
+ },
+ "subnetName": {
+ "value": "sxx-az-subnet-weu-x-003"
+ },
+ "vNetResourceGroup": {
+ "value": "dependencies-rg"
+ },
+ "frontendPrivateIpAddress": {
+ "value": "10.1.2.6"
+ },
+ "frontendpublicIpResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/publicIPAddresses/sxx-az-pip-weu-x-003"
+ },
+ "managedIdentityResourceId":{
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sxx-az-msi-weu-x-002"
+ },
+ "sslCertificateKeyVaultSecretId": {
+ "value": "https://sxx-az-kv-weu-x-004.vault.azure.net/secrets/applicationGatewaySslCertificate/b664f0004c734e838c42091705b001b6"
+ },
+ "backendPools": {
+ "value": [
+ {
+ "backendPoolName": "appServiceBackendPool",
+ "backendAddresses": [
+ {
+ "fqdn": "aghapp.azurewebsites.net"
+ }
+ ]
+ },
+ {
+ "backendPoolName": "privateVmBackendPool",
+ "backendAddresses": [
+ {
+ "ipAddress": "10.0.0.4"
+ }
+ ]
+ }
+ ]
+ },
+ "backendHttpConfigurations": {
+ "value": [
+ {
+ "backendHttpConfigurationName": "appServiceBackendHttpsSetting",
+ "port": 443,
+ "protocol": "https",
+ "cookieBasedAffinity": "Disabled",
+ "pickHostNameFromBackendAddress": true,
+ "probeEnabled": false
+ },
+ {
+ "backendHttpConfigurationName": "privateVmHttpSetting",
+ "port": 80,
+ "protocol": "http",
+ "cookieBasedAffinity": "Disabled",
+ "pickHostNameFromBackendAddress": false,
+ "probeEnabled": true
+ }
+ ]
+ },
+ "probes":{
+ "value": [
+ {
+ "backendHttpConfigurationName": "privateVmHttpSetting",
+ "protocol": "http",
+ "host": "10.0.0.4",
+ "path": "/",
+ "interval": 60,
+ "timeout": 15,
+ "unhealthyThreshold": 5,
+ "minServers": 3,
+ "body": "",
+ "statusCodes": [
+ "200",
+ "401"
+ ]
+ }
+ ]
+ },
+ "frontendHttpsListeners": {
+ "value": [
+ {
+ "frontendListenerName": "public443",
+ "frontendIPType": "Public",
+ "port": 443
+ },
+ {
+ "frontendListenerName": "private4433",
+ "frontendIPType": "Private",
+ "port": 4433
+ }
+ ]
+ },
+ "frontendHttpRedirects": {
+ "value": [
+ {
+ "frontendIPType": "Public",
+ "port": 80,
+ "frontendListenerName": "public443"
+ },
+ {
+ "frontendIPType": "Private",
+ "port": 8080,
+ "frontendListenerName": "private4433"
+ }
+ ]
+ },
+ "routingRules": {
+ "value": [
+ {
+ "frontendListenerName": "public443",
+ "backendPoolName": "appServiceBackendPool",
+ "backendHttpConfigurationName": "appServiceBackendHttpsSetting"
+ },
+ {
+ "frontendListenerName": "private4433",
+ "backendPoolName": "privateVmBackendPool",
+ "backendHttpConfigurationName": "privateVmHttpSetting"
+ }
+ ]
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Contributor",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
\ No newline at end of file
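Review bot: `sslCertificateKeyVaultSecretId` pins the listener certificate to a single secret version (`.../secrets/applicationGatewaySslCertificate/b664f0004c734e838c42091705b001b6`). If the template passes this value through unchanged (deploy.json's handling of it is not visible here), a renewed certificate in Key Vault would not be picked up until someone edits this file. The versionless form `https://sxx-az-kv-weu-x-004.vault.azure.net/secrets/applicationGatewaySslCertificate` lets Application Gateway follow rotation. Separately, the `},` that closes `routingRules` is followed only by `//` comment lines, so the `parameters` object ends in a trailing comma and the file is not strict JSON. Either drop the comma and move the commented `roleAssignments` sample into the readme, or note in the readme that the file needs tooling that accepts ARM's extended JSON.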
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..293b9be4027906abc68aefb1dfa9727796cb9357 GIT binary patch literal 45106 zcmeI5ZF3Yi636Fts_r{%ZC;S1&KLtBB=_cgKoaV>gu*6yL8Z>m-~?=fZ76c&tKZ%K zr*^M2nwcH#u1(o6HD&MaJhWOZ{kvPOmgax|{j?fYtJO;#&#V1vyV|Ud^?6twRNsZ~ zyVVk-|53GD9qFEv>Xn|@om^Y5p6S^m-Epk5F9J>I?dr^q{!_-GXmLk- znWL=Ks}tIvR&6Cy(p%AmALsC03x}g>{q(+(uD;I$Zm8?NK7SIQuf(azH|OGAsKL8x z=>i?)+&K56YNPs>YPhYM9;&W~)t=huYW0KaeyqN9sPn&7%j#48eeOv2y$p0-iy}P; z=`HKqzMg-oK1vDn*X?R8(C7Pst{jPrQHAWUSJ$eQ>MP0gTJ>f4zoP$8-L0TX|K?75 z5BHxx_sHeB%3T$g^abkiLcb4G6XV-@M&$l>;QQHFx{b`5KqoBqkS z1Jx#412jI`eJ}KB>iXssfun%1)JmZBH^W)G_PgxIe)zqkE5~|vRBZ)noB9MHem1oo zoO3G!hSL&qYw<9Yw;9ld6+(NYR-$=*Bt2#KH)Yj!21(Z~3uo>IzR-aC(ll;Q+nyiJ z4HEd+B;W|y6VgtE^JDo%oBBKnh%b`{G#*N0m<4rh@p?iBUE_A;Ec~gaAJjZ^7Uc{y z1_^v95;zNll+bXTejUn(rQ*Y&}&b#Mxpfd45-B&RW z=0sF>-j?JxXY#INuWL7**M*jVv+rT|%rs2F^;;8yw8em;M2>OD^MvOevHNkeq6Ivna51yS) zi}BQR9X>XSn#D#;jDg++ePwYrMn}*@e^K^}i6)C2^9=fo(GxL;rk2WU`%;vMS{w!5 z7j5m~`O7GQ5{&lMtAs{3&hhxI7jCG}mK=-YJofxDT$gY)+%rhv;!2F~#A==%M?mdxh#9PNZXO^OSP72Cc%FSR? 
zv6_P}h_WBPT}}yrkn8$eWYo>w{%~O&@;<8sy@>!^kZ>(xB7gdGi+Yl&yPga=(}GYXB3$iKa#d#T!E+kRGJA+ z;KIHCMPxoaJ4j#_36x;8k6sCl)SkD^&_56snVEki6o3Y-wPixw*Y~@^CYd1{LXAb; z%Ix`?Z2WHU8yNSyZMHFRn~mQ&Ee8w!OyBVsn74$pQJB3R-f21qq?$mw!MR1NE z?pD@u9r+oF3pm0qckzTDZd|z?H|x(x;NGNW#NnZYAKp#vjQsHj2)1Za=`tXN-y#%9uGAN-j4d>J5%G=5= z$GKB3K{j(>Am6-c*8y!91vzz$M&I6Z56$0*cmruapO%21g12v_9aVqTccOkHA=5Qr z)HoIs$Wcu$B)Fyo(-X$SNWT~d5E0;x!Rv49K_B0_5{&jqrG!R`^F8%H=E`jxz9Y+L zGw68PjNP$Q+dAjt@w|M>YtEmy#o^Y4Tde1^(-JHuRxiUWUbK?+S$vO~-J9SE?otZr zxSe`|;d+_G`ZhI6V4ScmZcI-wBDc8RlIZ!U+-z`^&^^fstL!zvKVYp4dIX<{xZYr` z^Byw%&Lse5)wU*r;rv0?f6or*5jS8X#Z416!#rAF zdk@zyp9D%U+E=R*8YTAps47D`<;`Z#yK&xT9|xrOwfJ!TvPqx>qkVNMp)n2T59NFA zhuJ86iu>|rS7mc|g8$Cin2pS%puDnpyZi0<$FYQw${^>peMDZC+YSfB+3=igtQ}YW zF>`MI_oluPt*ehy%wJFW*{s!f@WcCh+;DwX36x;8k7fyt={N^5wnGCbXPlnShSj6( zHh+3@woedaBqd-^D;>Q%*=v2 z_K(TyH!IFPc6?p)&EUsYte0oOQr?y#+pK;uUO3Z+^OQaww6FSF4!OQ~-t4=>{1dzK z}driEv&Y5q}rPqgcDo!YYm&nf2MW`EdT5M!i^4_Io1d&3)v4)KgxWJzqPG zwRy%Fu`;X6Z~FF6mC8C3cF?iCbUbGELT8!NPWc+_{fE%sKh`>cnQzt4*@b}Yj(Lt* zasEQ(;jgo5Y$wFQnAHa7tWwP_Y#xQ{io><}?Kv%vy4lK9%Rze_YEEt$(Q)59(&FWH zPV3q6@LJD`%XgJ9diXBn%M+0x;^$F*%ZEeeWl@Ad&&<;|hi6OzB^d3KRSAtW4#zCl zp)4{!#D@C$tOw{K= zoNRnsLtuLWxCF@}W{uBtJ%x|ta~t`p1n1DkRJo*CCBQfkugmw-Vl-xZ05Ics;_5g+e6vb65!h%SKsKlD;+zcx9zyzy+&(!s>In}dt1@sz3OJ@RoBAq>DyXa zdQ-=e{%-61mcEfueOu9S&TZ*)OP^os?<<|>_lo#6ANYOez0zJ}ftwBWHEHFxy&dQH z==uD)+w*#famAS-IcB)zGi!L-Aj0U_$i`Qz@oes?$60v8sh4XwYVPaCbz%X{Od5J5 zJ_{onP?2)V$`#*T4=nkpu`sU)wzU5YR`|< zOHbzV*o_m)o6T?UvJh*E#XS}^U;X74W*9N|wfS)Ua!CNp{48(q+v?wX(+l=%Ul_#3 zlpoOO^9kxWXGf(w!A@b-Z5@|Isw@T`Bj9Vg%hqJZ{U*wBo<3cV!8xMW#Q6j9&zp~! 
zMXz&X`UG##VrX?AuPt5=U24*A>vM~W&3CTc?yl)v)3Og1x4dr-cbWvi%%VpLjZ&Qd zAe1m#-k8GGEI6NzV(_~c5RQKg*3;3UTX{U-v(p2N5(bPf+UJJnXOnfKU|D^FaqjH;b!ICqZ?(dz&CJ*+!ul0xPmq7w0 z811V^35_#?4GuFUdY<$9Y#t?J@Yl%Gc#R{JQ)SFr2eO zlRb!Y#MvsAuB+e?4I%efrqO?$jAo;{nM`8>^1jGeWKD^!Zy~>M zBg^MX-?#`R{x-t#Yw-UM!kKaBQ{#}e_@8i>*J&K~tFrgK+w~{4>waJTDL?C`Zc1gOnb{rW?8f?0_-`omt3c?u6#LpI;Bo|{&eKc`;(rSk_AV6f{m;#nZ1_$gw4EY4s=5`bG!dqK>c}ck+PA z8hAd@70*P6_hF-v`g9sk9x96x{|m&CfxM$WZF^j6hrXJaG*}mPFL;fSM=aZ(xVDv}DQaAnXQSJ^^}F$s z_o$}Ua~fEz`TNgpX`V89b@!hBw!Qd$C$@T-G`f0^_rdnQlb$^rJskToYZj(y*!0fx z(Ve*k_a6Fwd-+)UjQH(*{dFwg$@EXReeUidlud@_vxy#Do~l{L(s}l71$<8Qj+J_A zDk{e+VLxQJ+1eF*W<~FFo5mUMRU=YPDRB5UtR%rRv^Nm({vo3@oz9EEv-`<-%kIxk zvqR&c(~%A9Qs@zk>HWzkt$w8I+_BaeUDMI8XKw1Q72TKO%&G9%<*%mqpA9baRWy!; z_ILR(#fm$TnwQewet8+}F}SXt%9}f_ZeyK^bo(i` zc}r<)d+(UnuIC*0OC{YU+2nGgpl9dhv`Z$XJ)dlDv|`6b3ofhkMF{b~^qnnzb}g5T zBdtm2eWIhiedh1EC4O2iiT=JA`Ei7vCpOw;vPhprD(54al&gr+cIl*N&juU5R38HF~(Nc-l>krEY0=g4^1$ zz|Tzo=J$UcMj+P%za#CBu&f%^^O9FuJuK(IKgXeT_DFy-JWMY?UTt#H&d2qsd|0n` zZv1mzJv2{0!GGhO9YgDXjIF;wYS#(VbyJs4ID2atSA)3S zvsD{$WhHx%uzwGGAzQ2#{e`Ya3?@c_#3Zbol+|f6jqjHKVZvG6t#{M^FW!b@>U5Z|Y|3{M^Ms`PfC0&o`y`|(6Iv!`U z`#D2Rn)ziV^cKCxGs&0a^(=n8YtU$(S-g~T3SPUBym=cb(%aJA;OlEnz0Yo_O_~QS z1v(g8u@9u>_N|9lf9XD~vEMA7H8*SR@bkJ?2u!ctf#e5j^R;|A%{-^yc6f_>Vyp^T zXn}ew@Dv)r-@1cr7Oh=9YjS$+nzi8RysqWEH~UV0#%hONA{S(IY9GiMGMyduVbnoi zXr_Kyc>rHbw30n*GxSK>G$=aN-szpTcBHeUt4~CyttIO1aHM&h&(yy?cj22b&f1Y4 zw!BYfsK|=NYLF$0B{RFVthPLmHo&eet8G0uYB{trc8&f0%+|GgoAp&HF zEm3Cv3Cbn4_&i9=>iu)Dka!o&s(@SPtrWv&FO&9KEJ??ts92VaUrVl*H3wF#UjGN_ C>1!?k literal 0 HcmV?d00001 diff --git a/arm/Microsoft.Network/applicationSecurityGroups/deploy.json b/arm/Microsoft.Network/applicationSecurityGroups/deploy.json new file mode 100644 index 0000000000..f2ff6a45f3 --- /dev/null +++ b/arm/Microsoft.Network/applicationSecurityGroups/deploy.json 
@@ -0,0 +1,354 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "applicationSecurityGroupName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Application Security Group." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Virtual Network from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/applicationSecurityGroups",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('applicationSecurityGroupName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name":
"Microsoft.Authorization/applicationSecurityGroupDoNotDelete",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/applicationSecurityGroups/', parameters('applicationSecurityGroupName'))]"
+ ],
+ "comments": "Resource lock on Application Security Group",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('applicationSecurityGroupName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "applicationSecurityGroupName": {
+ "value": "[parameters('applicationSecurityGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "applicationSecurityGroupName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/applicationSecurityGroups/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('applicationSecurityGroupName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('applicationSecurityGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId":
"[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "applicationSecurityGroupsResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Application Security Groups were created in."
+ }
+ },
+ "applicationSecurityGroupsResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('applicationSecurityGroupName'))]",
+ "metadata": {
+ "description": "The Resource Ids of the Application Security Group deployed."
+ }
+ },
+ "applicationSecurityGroupsName": {
+ "type": "string",
+ "value": "[parameters('applicationSecurityGroupName')]",
+ "metadata": {
+ "description": "The Name of the Application Security Group deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/applicationSecurityGroups/parameters/parameters.json b/arm/Microsoft.Network/applicationSecurityGroups/parameters/parameters.json
new file mode 100644
index 0000000000..6d18a417d6
--- /dev/null
+++ b/arm/Microsoft.Network/applicationSecurityGroups/parameters/parameters.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "applicationSecurityGroupName": {
+ "value": "sxx-az-asg-weu-x-001"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
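Review bot: The new applicationSecurityGroups parameters.json holds `//` comments, including trailing ones such as `// object 1`, so it is not strict JSON; ARM deployment tooling may tolerate that, but any validation or pipeline step that reads the file with a strict parser would reject it, and how the file is consumed is not visible here. I would keep the `roleAssignments` example in readme.md only and leave `"applicationSecurityGroupName": { "value": "sxx-az-asg-weu-x-001" }` as the sole entry under `parameters`. If the block stays, uncommenting it as written also needs a `,` after the closing brace of `applicationSecurityGroupName`, and the listed `principalIds` are placeholders that have to be replaced with reviewed object IDs before a deployment grants any access.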
diff --git a/arm/Microsoft.Network/applicationSecurityGroups/readme.md b/arm/Microsoft.Network/applicationSecurityGroups/readme.md
new file mode 100644
index 0000000000..96a1a6c153
--- /dev/null
+++ b/arm/Microsoft.Network/applicationSecurityGroups/readme.md
@@ -0,0 +1,87 @@ +# ApplicationSecurityGroups + +This module deploys Application Security Groups. + + +## Resource Types + +|Resource Type|Api Version|  +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/applicationSecurityGroups`|2020-08-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Network/applicationSecurityGroups/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `applicationSecurityGroupName` | string | Required. Name of the Application Security Group. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Virtual Network from deletion. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. | | | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `applicationSecurityGroupsName` | string | The Name of the Application Security Group deployed. | +| `applicationSecurityGroupsResourceGroup` | string | The name of the Resource Group the Application Security Groups were created in. | +| `applicationSecurityGroupsResourceId` | string | The Resource Ids of the Application Security Group deployed. | + +## Considerations + +*N/A* + +## Additional resources + +- [Application Security Groups](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups) +- [Microsoft.Network applicationSecurityGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-08-01/applicationsecuritygroups) \ No newline at end of file diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.json b/arm/Microsoft.Network/azureFirewalls/deploy.json new file mode 100644 index 0000000000..cd9a4faf97 --- /dev/null +++ b/arm/Microsoft.Network/azureFirewalls/deploy.json 
@@ -0,0 +1,664 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "azureFirewallName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Azure Firewall."
+ }
+ },
+ "azureSkuName": {
+ "type": "string",
+ "defaultValue": "AZFW_VNet",
+ "allowedValues": [ "AZFW_VNet", "AZFW_Hub" ],
+ "metadata": {
+ "description": "Optional. Name of an Azure Firewall SKU."
+ }
+ },
+ "azureSkuTier": {
+ "type": "string",
+ "defaultValue": "Standard",
+ "allowedValues": [ "Standard", "Premium" ],
+ "metadata": {
+ "description": "Optional. Tier of an Azure Firewall."
+ }
+ },
+ "enableDnsProxy": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enable the preview feature for DNS proxy."
+ }
+ },
+ "applicationRuleCollections": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Collection of application rule collections used by Azure Firewall."
+ }
+ },
+ "networkRuleCollections": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Collection of network rule collections used by Azure Firewall."
+ }
+ },
+ "natRuleCollections": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Collection of NAT rule collections used by Azure Firewall."
+ }
+ },
+ "vNetId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Shared services Virtual Network resource Id"
+ }
+ },
+ "azureFirewallPipName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name."
+ }
+ },
+ "publicIPPrefixId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource Id of the Public IP Prefix object.
This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Diagnostic Storage Account resource identifier"
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Log Analytics workspace resource identifier"
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "availabilityZones": {
+ "type": "array",
+ "defaultValue": [
+ "1",
+ "2",
+ "3"
+ ],
+ "metadata": {
+ "description": "Optional. Zone numbers e.g. 1,2,3."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock the Firewall from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. Tags of the Automation Account resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "publicIPPrefix": {
+ "id": "[parameters('publicIPPrefixId')]"
+ },
+ "azureFirewallSubnetId": "[concat(parameters('vNetId'), '/subnets/AzureFirewallSubnet')]",
+ "azureFirewallPipName": "[if( empty(parameters('azureFirewallPipName')), concat(parameters('azureFirewallName'), '-pip'), parameters('azureFirewallPipName'))]",
+ "azureFirewallPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))]",
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogsAzureFirewall": [
+ {
+ "category": "AzureFirewallApplicationRule",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "AzureFirewallNetworkRule",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "AzureFirewallDnsProxy",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogsPublicIp": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days":
"[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + 
"Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service 
Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + 
"Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage 
File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[variables('azureFirewallPipName')]", + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + 
"location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "Standard" + }, + "zones": "[parameters('availabilityZones')]", + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPAddressVersion": "IPv4", + "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/publicIpDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azureFirewallPipName'))]" + ], + "comments": "Resource lock on Public IP", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(variables('azureFirewallPipName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azureFirewallPipName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), 
empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogsPublicIp'))]" + } + } + ] + }, + { + "type": "Microsoft.Network/azureFirewalls", + "apiVersion": "2020-08-01", + "name": "[parameters('azureFirewallName')]", + "location": "[parameters('location')]", + "zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))]" + ], + "tags": "[parameters('tags')]", + "properties": { + "threatIntelMode": "Deny", + "ipConfigurations": [ + { + "name": "IpConf", + "properties": { + "subnet": { + "id": "[variables('azureFirewallSubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('azureFirewallPipId')]" + } + } + } + ], + "sku": { + "name": "[parameters('azureSkuName')]", + "tier": "[parameters('azureSkuTier')]" + }, + "additionalProperties": { + "Network.DNS.EnableProxy": "[parameters('enableDnsProxy')]" + }, + "applicationRuleCollections": "[parameters('applicationRuleCollections')]", + "natRuleCollections": "[parameters('natRuleCollections')]", + "networkRuleCollections": "[parameters('networkRuleCollections')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/azureFirewallDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', parameters('azureFirewallName'))]" + ], + "comments": "Resource lock on Azure Firewall", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticsettings", + "name": "[concat(parameters('azureFirewallName'), 
'/Microsoft.Insights/service')]", + "apiVersion": "2016-09-01", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', parameters('azureFirewallName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogsAzureFirewall'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('azureFirewallName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + 
"builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "azureFirewallName": { + "value": "[parameters('azureFirewallName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "azureFirewallName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('azureFirewallName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('azureFirewallName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "azureFirewallResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewallName'))]", + "metadata": { + "description": "The Resource Id of the Azure Firewall." + } + }, + "azureFirewallName": { + "type": "string", + "value": "[parameters('azureFirewallName')]", + "metadata": { + "description": "The Name of the Azure Firewall." 
+ }
+ },
+ "azureFirewallResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Azure Firewall was created in."
+ }
+ },
+ "azureFirewallPrivateIp": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewallName'))).ipConfigurations[0].properties.privateIPAddress]",
+ "metadata": {
+ "description": "The private IP of the Azure Firewall."
+ }
+ },
+ "azureFirewallPublicIp": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))).ipAddress]",
+ "metadata": {
+ "description": "The public IP of the Azure Firewall."
+ }
+ },
+ "applicationRuleCollections": {
+ "type": "array",
+ "value": "[parameters('applicationRuleCollections')]",
+ "metadata": {
+ "description": "List of Application Rule Collections."
+ }
+ },
+ "networkRuleCollections": {
+ "type": "array",
+ "value": "[parameters('networkRuleCollections')]",
+ "metadata": {
+ "description": "List of Network Rule Collections."
+ }
+ },
+ "natRuleCollections": {
+ "type": "array",
+ "value": "[parameters('natRuleCollections')]",
+ "metadata": {
+ "description": "Collection of NAT rule collections used by Azure Firewall."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/azureFirewalls/parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/parameters/parameters.json
new file mode 100644
index 0000000000..c77f0897cb
--- /dev/null
+++ b/arm/Microsoft.Network/azureFirewalls/parameters/parameters.json
@@ -0,0 +1,104 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "azureFirewallName": {
+ "value": "sxx-az-azfw-weu-x-001"
+ },
+ "availabilityZones": {
+ "value": [
+ "1",
+ "2",
+ "3"
+ ]
+ },
+ "applicationRuleCollections": {
+ "value": [
+ {
+ "name": "allow-app-rules",
+ "properties": {
+ "priority": 100,
+ "action": {
+ "type": "allow"
+ },
+ "rules": [
+ {
+ "name": "allow-ase-tags",
+ "sourceAddresses": [
+ "*"
+ ],
+ "protocols": [
+ {
+ "protocolType": "HTTP",
+ "port": "80"
+ },
+ {
+ "protocolType": "HTTPS",
+ "port": "443"
+ }
+ ],
+ "fqdnTags": [
+ "AppServiceEnvironment",
+ "WindowsUpdate"
+ ]
+ },
+ {
+ "name": "allow-ase-management",
+ "sourceAddresses": [
+ "*"
+ ],
+ "protocols": [
+ {
+ "protocolType": "HTTP",
+ "port": "80"
+ },
+ {
+ "protocolType": "HTTPS",
+ "port": "443"
+ }
+ ],
+ "targetFqdns": [
+ "management.azure.com"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "networkRuleCollections": {
+ "value": [
+ {
+ "name": "allow-network-rules",
+ "properties": {
+ "priority": 100,
+ "action": {
+ "type": "allow"
+ },
+ "rules": [
+ {
+ "name": "allow-ntp",
+ "sourceAddresses": [
+ "*"
+ ],
+ "destinationAddresses": [
+ "*"
+ ],
+ "destinationPorts": [
+ "123",
+ "12000"
+ ],
+ "protocols": [
+ "Any"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vNetId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-004"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md
new file mode 100644
index 0000000000..4f72aab2c8
--- /dev/null
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md
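Review bot: In azureFirewalls/parameters/parameters.json the `allow-ntp` network rule permits far more than NTP: source `*` to destination `*` on ports 123 and 12000 with `"protocols": ["Any"]`, so a deployment copied from this sample starts with an any-to-any allow on both ports. If the intent is time synchronisation, narrow it to `"destinationPorts": ["123"]` and `"protocols": ["UDP"]` and scope `sourceAddresses` to the ranges that need it; if port 12000 serves another purpose it deserves its own named rule. The `allow-ase-management` application rule also allows plain HTTP on port 80 to `management.azure.com`, which presumably only needs the HTTPS entry. Separately, `vNetId` commits a concrete subscription GUID and resource group; a placeholder such as `<subscriptionId>` would keep environment identifiers out of a shared sample.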
@@ -0,0 +1,112 @@
+# AzureFirewall
+
+This module deploys Azure Firewall.
+
+## Resource types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Network/publicIPAddresses`|2020-08-01|
+|`Microsoft.Network/publicIPAddresses/providers/diagnosticSettings`|2017-05-01-preview|
+|`Microsoft.Network/azureFirewalls`|2020-08-01|
+|`Microsoft.Resources/deployments`|2019-10-01|
+|`Microsoft.Network/azureFirewalls/providers/diagnosticsettings`|2016-09-01|
+|`Microsoft.Network/azureFirewalls/providers/roleAssignments`|2018-09-01-preview|
+| `providers/locks` | 2016-09-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+|---|---|---|---|---|
+| `azureFirewallName` | string | | | Required. Name of the Azure Firewall. |
+| `azureSkuName` | string | `AZFW_VNet` | `AZFW_VNet`, `AZFW_Hub` | Optional. Name of an Azure Firewall SKU. |
+| `azureSkuTier` | string | `Standard` | `Standard`, `Premium` | Optional. Tier of an Azure Firewall. |
+| `enableDnsProxy` | bool | `true` | | Optional. Enable the preview feature for DNS proxy. |
+| `applicationRuleCollections` | array | [] | | Optional. Collection of application rule collections used by Azure Firewall. |
+| `networkRuleCollections` | array | [] | | Optional. Collection of network rule collections used by Azure Firewall. |
+| `natRuleCollections` | array | [] | | Optional. Collection of NAT rule collections used by Azure Firewall. |
+| `vNetId` | string | | | Required. Shared services Virtual Network resource Id |
+| `azureFirewallPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. |
+| `publicIPPrefixId` | string | | | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
+| `diagnosticStorageAccountId` | string | | | Required. Diagnostic Storage Account resource identifier |
+| `workspaceId` | string | | | Required. Log Analytics workspace resource identifier |
+| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
+| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
+| `lockForDeletion` | bool | false | | Optional. Switch to lock the Firewall from deletion. |
+| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. |
+| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. |
+| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| `location` | string | resourceGroup().location | | Optional. Location for all resources. |
+| `availabilityZones` | array | ["1","2","3"] | | Optional. Availability Zones for deployment. |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `applicationRuleCollections` | array | List of Application Rule Collections. |
+| `azureFirewallName` | string | The Name of the Azure Firewall. |
+| `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall. |
+| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall. |
+| `azureFirewallResourceGroup` | string | The name of the Resource Group the Azure Firewall was created in. |
+| `azureFirewallResourceId` | string | The Resource Id of the Azure Firewall. |
+| `natRuleCollections` | array | Optional. Collection of NAT rule collections used by Azure Firewall. |
+| `networkRuleCollections` | array | List of Network Rule Collections. |
+
+## Considerations
+
+The `applicationRuleCollections` parameter accepts a JSON Array of AzureFirewallApplicationRule objects.
+
+The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetworkRuleCollection objects.
+
+## Additional resources
+
+- [Microsoft.Network azureFirewalls template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-05-01/azurefirewalls)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Network/bastionHosts/deploy.json b/arm/Microsoft.Network/bastionHosts/deploy.json
new file mode 100644
index 0000000000..6541c97b6f
--- /dev/null
+++ b/arm/Microsoft.Network/bastionHosts/deploy.json
@@ -0,0 +1,550 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "azureBastionName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Azure Bastion resource" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "vNetId": { + "type": "string", + "metadata": { + "description": "Required. Shared services Virtual Network resource identifier" + } + }, + "azureBastionPipName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the name of the Public IP used by Azure Bastion. If it's not provided, a '-pip' suffix will be appended to the Bastion's name." + } + }, + "publicIPPrefixId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." + } + }, + "domainNameLabel": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com" + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." 
+ } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "azureBastionPipName": "[if( empty(parameters('azureBastionPipName')), concat(parameters('azureBastionName'), '-pip'), parameters('azureBastionPipName'))]", + "publicIPPrefix": { + "id": "[parameters('publicIPPrefixId')]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "publicIpDiagnosticsLogs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "azureBastionDiagnosticsLogs": [ + { + "category": "BastionAuditLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + 
"AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus 
Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('azureBastionPipName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]", + "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), json(concat('{\"domainNameLabel\": \"', parameters('domainNameLabel'), '\"}')), json('null'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/publicIpDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" + ], + "comments": "Resource lock on Public IP", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(variables('azureBastionPipName'), '/Microsoft.Insights/service')]", + 
"condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('publicIpDiagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.Network/bastionHosts", + "name": "[parameters('azureBastionName')]", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "IpConf", + "properties": { + "subnet": { + "id": "[concat(parameters('vNetId'), '/subnets/AzureBastionSubnet')]" + }, + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('azureBastionPipName')))]" + } + } + } + ] + }, + "resources": [ + { + "type": 
"providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/azureBastionDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/bastionHosts/', parameters('azureBastionName'))]" + ], + "comments": "Resource lock on Azure Bastion", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(parameters('azureBastionName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/bastionHosts/', parameters('azureBastionName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('azureBastionDiagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('azureBastionName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": 
"[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "azureBastionName": { + "value": "[parameters('azureBastionName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "azureBastionName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('azureBastionName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('azureBastionName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "azureBastionResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Azure Bastion was deployed." 
+ }
+ },
+ "azureBastionName": {
+ "type": "string",
+ "value": "[parameters('azureBastionName')]",
+ "metadata": {
+ "description": "The Name of the Azure Bastion."
+ }
+ },
+ "azureBastionResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/bastionHosts', parameters('azureBastionName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Azure Bastion."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/bastionHosts/parameters/parameters.json b/arm/Microsoft.Network/bastionHosts/parameters/parameters.json
new file mode 100644
index 0000000000..08be55ef1a
--- /dev/null
+++ b/arm/Microsoft.Network/bastionHosts/parameters/parameters.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "azureBastionName": {
+ "value": "sxx-az-bas-weu-x-001"
+ },
+ "vNetId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002"
+ },
+ "azureBastionPipName": {
+ "value": "sxx-az-baspip-weu-x-001-pip"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/bastionHosts/readme.md b/arm/Microsoft.Network/bastionHosts/readme.md
new file mode 100644
index 0000000000..bda0b13998
--- /dev/null
+++ b/arm/Microsoft.Network/bastionHosts/readme.md
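Review bot: The commented-out `roleAssignments` block in arm/Microsoft.Network/bastionHosts/parameters/parameters.json leaves `//` comments in a `.json` file, so any pipeline step that reads it with a strict JSON parser rather than an ARM-aware client will reject it; which tooling consumes this file is not visible in the hunk. The readme for this module already carries the same example, so I would delete the comment lines here and keep the sample in the readme only. Separately, `vNetId` hard-codes a concrete subscription GUID in a committed file, and the Key Vault `id` in arm/Microsoft.Network/connections/parameters/parameters.json does the same; a token the pipeline substitutes would keep environment identifiers out of the repository, e.g. `"value": "/subscriptions/<subscription-id-placeholder>/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002"`.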
@@ -0,0 +1,100 @@
+# AzureBastion
+
+This module deploys an Azure Bastion.
+
+## Resource Types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/publicIPAddresses`|2020-08-01|
+|`Microsoft.Network/bastionHosts`|2020-08-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Network/publicIPAddresses/providers/diagnosticSettings`|2017-05-01-preview|
+|`Microsoft.Network/bastionHosts/providers/diagnosticSettings`|2017-05-01-preview|
+|`Microsoft.Network/bastionHosts/providers/roleAssignments` |2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `azureBastionName` | string | Required. Name of the Azure Bastion resource | | |
+| `azureBastionPipName` | string | Optional. Specifies the name of the Public IP used by Azure Bastion. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `domainNameLabel` | string | Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | |
+| `publicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `vNetId` | string | Required. Shared services Virtual Network resource identifier | | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `azureBastionName` | string | The Name of the Azure Bastion. |
+| `azureBastionResourceGroup` | string | The Resource Group the Azure Bastion was deployed. |
+| `azureBastionResourceId` | string | The Resource Id of the Azure Bastion. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/bastionhosts)
+- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview)
+- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Network/connections/deploy.json b/arm/Microsoft.Network/connections/deploy.json
new file mode 100644
index 0000000000..25475ccf57
--- /dev/null
+++ b/arm/Microsoft.Network/connections/deploy.json 
@@ -0,0 +1,229 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "connectionName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Remote connection name"
+ }
+ },
+ "vpnSharedKey": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways"
+ }
+ },
+ "remoteEntityName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the remote Virtual Network Gateway/ExpressRoute"
+ }
+ },
+ "localVirtualNetworkGatewayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the local Virtual Network Gateway name"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "virtualNetworkGatewayConnectionType": {
+ "type": "string",
+ "defaultValue": "Ipsec",
+ "allowedValues": [
+ "Ipsec",
+ "VNet2VNet",
+ "ExpressRoute",
+ "VPNClient"
+ ],
+ "metadata": {
+ "description": "Optional. Gateway connection type."
+ }
+ },
+ "remoteEntityResourceGroup": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Remote Virtual Network Gateway/ExpressRoute resource group name"
+ }
+ },
+ "remoteEntitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Remote Virtual Network Gateway/ExpressRoute Subscription Id"
+ }
+ },
+ "enableBgp": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Value to specify if BGP is enabled or not"
+ }
+ },
+ "usePolicyBasedTrafficSelectors": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enable policy-based traffic selectors"
+ }
+ },
+ "customIPSecPolicy": {
+ "type": "object",
+ "defaultValue": {
+ "saLifeTimeSeconds": 0,
+ "saDataSizeKilobytes": 0,
+ "ipsecEncryption": "",
+ "ipsecIntegrity": "",
+ "ikeEncryption": "",
+ "ikeIntegrity": "",
+ "dhGroup": "",
+ "pfsGroup": ""
+ },
+ "metadata": {
+ "description": "Optional. The IPSec Policies to be considered by this connection"
+ }
+ },
+ "routingWeight": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The weight added to routes learned from this BGP speaker."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Connection from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "localVirtualNetworkGatewayId": "[resourceId(resourceGroup().name ,'Microsoft.Network/virtualNetworkGateways', parameters('localVirtualNetworkGatewayName'))]",
+ "remoteEntitySubscriptionId": "[if(empty(parameters('remoteEntitySubscriptionId')), subscription().subscriptionId, parameters('remoteEntitySubscriptionId'))]",
+ "remoteEntityResourceGroup": "[if(empty(parameters('remoteEntityResourceGroup')), resourceGroup().name, parameters('remoteEntityResourceGroup'))]",
+ "virtualNetworkGateway2Id": {
+ "id": "[resourceId(variables('remoteEntitySubscriptionId'), variables('remoteEntityResourceGroup') ,'Microsoft.Network/virtualNetworkGateways', parameters('remoteEntityName'))]"
+ },
+ "localNetworkGateway2Id": {
+ "id": "[resourceId(variables('remoteEntitySubscriptionId'), variables('remoteEntityResourceGroup') ,'Microsoft.Network/localNetworkGateways', parameters('remoteEntityName'))]"
+ },
+ "peer": {
+ "id": "[resourceId(variables('remoteEntitySubscriptionId'), variables('remoteEntityResourceGroup') ,'Microsoft.Network/expressRouteCircuits', parameters('remoteEntityName'))]"
+ },
+ "emptyArray": [
+ ],
+ "customIPSecPolicy": [
+ {
+ "saLifeTimeSeconds": "[parameters('customIPSecPolicy').saLifeTimeSeconds]",
+ "saDataSizeKilobytes": "[parameters('customIPSecPolicy').saDataSizeKilobytes]",
+ "ipsecEncryption": "[parameters('customIPSecPolicy').ipsecEncryption]",
+ "ipsecIntegrity": "[parameters('customIPSecPolicy').ipsecIntegrity]",
+ "ikeEncryption": "[parameters('customIPSecPolicy').ikeEncryption]",
+ "ikeIntegrity": "[parameters('customIPSecPolicy').ikeIntegrity]",
+ "dhGroup": "[parameters('customIPSecPolicy').dhGroup]",
+ "pfsGroup": "[parameters('customIPSecPolicy').pfsGroup]"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "name": "[parameters('connectionName')]",
+ "type": "Microsoft.Network/connections",
+ "apiVersion": "2020-08-01",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "virtualNetworkGateway1": {
+ "id": "[variables('localVirtualNetworkGatewayId')]"
+ },
+ "virtualNetworkGateway2": "[if(equals(parameters('virtualNetworkGatewayConnectionType'), 'VNet2VNet'), variables('virtualNetworkGateway2Id'), json('null'))]",
+ "localNetworkGateway2": "[if(equals(parameters('virtualNetworkGatewayConnectionType'), 'Ipsec'), variables('localNetworkGateway2Id'), json('null'))]",
+ "peer": "[if(equals(parameters('virtualNetworkGatewayConnectionType'), 'ExpressRoute'), variables('peer'), json('null'))]",
+ "enableBgp": "[parameters('enableBgp')]",
+ "connectionType": "[parameters('virtualNetworkGatewayConnectionType')]",
+ "routingWeight": "[parameters('routingWeight')]",
+ "sharedKey": "[parameters('vpnSharedKey')]",
+ "usePolicyBasedTrafficSelectors": "[parameters('usePolicyBasedTrafficSelectors')]",
+ "ipsecPolicies": "[if(empty(parameters('customIPSecPolicy').ipsecEncryption), variables('emptyArray') , variables('customIPSecPolicy'))]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/connectionDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/connections/', parameters('connectionName'))]"
+ ],
+ "comments": "Resource lock on Connection",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "remoteConnectionResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group deployed it."
+ }
+ },
+ "connectionName": {
+ "type": "string",
+ "value": "[parameters('connectionName')]",
+ "metadata": {
+ "description": "The Name of the Virtual Network Gateway Connection."
+ }
+ },
+ "remoteConnectionResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/connections', parameters('connectionName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Virtual Network Gateway Connection."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/connections/parameters/parameters.json b/arm/Microsoft.Network/connections/parameters/parameters.json
new file mode 100644
index 0000000000..aebe8665ff
--- /dev/null
+++ b/arm/Microsoft.Network/connections/parameters/parameters.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "connectionName": {
+ "value": "sxx-az-vnetgwc-weu-x-001"
+ },
+ "localVirtualNetworkGatewayName": {
+ "value": "sxx-az-vnet-vpn-gw-weu-p-001"
+ },
+ "vpnSharedKey": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "vpnSharedKey"
+ }
+ },
+ "remoteEntityName": {
+ "value": "sxx-az-lng-weu-x-001"
+ },
+ "remoteEntityResourceGroup": {
+ "value": ""
+ },
+ "remoteEntitySubscriptionId": {
+ "value": ""
+ },
+ "enableBgp": {
+ "value": true
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/connections/readme.md b/arm/Microsoft.Network/connections/readme.md
new file mode 100644
index 0000000000..db572c7cdf
--- /dev/null
+++ b/arm/Microsoft.Network/connections/readme.md
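Review bot: `vpnSharedKey` in arm/Microsoft.Network/connections/deploy.json is declared with `"type": "string"`, so the IPsec pre-shared key that ends up in `"sharedKey": "[parameters('vpnSharedKey')]"` is handled as an ordinary parameter value and is recorded with the deployment, where anyone who can read the resource group's deployments can retrieve it. The accompanying parameters file already sources the value from Key Vault, but that protection stops at the template boundary unless the parameter itself is secure. The declaration should be `"type": "securestring",`, and the readme's parameter table should list the type as securestring to match. No output echoes the key in this hunk, which is good; it is worth keeping it that way if outputs are extended later.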
@@ -0,0 +1,102 @@
+# VirtualNetworkGatewayConnection
+
+This template deploys Virtual Network Gateway Connection.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/connections`|2020-08-01|
+|`providers/locks`|2016-09-01|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `connectionName` | string | Required. Remote connection name | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `customIPSecPolicy` | object | Optional. The IPSec Policies to be considered by this connection | @{saLifeTimeSeconds=0; saDataSizeKilobytes=0; ipsecEncryption=; ipsecIntegrity=; ikeEncryption=; ikeIntegrity=; dhGroup=; pfsGroup=} | |
+| `enableBgp` | bool | Optional. Value to specify if BGP is enabled or not | False | |
+| `localVirtualNetworkGatewayName` | string | Required. Specifies the local Virtual Network Gateway name | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Connection from deletion. | False | |
+| `remoteEntityName` | string | Required. Specifies the remote Virtual Network Gateway/ExpressRoute | | |
+| `remoteEntityResourceGroup` | string | Optional. Remote Virtual Network Gateway/ExpressRoute resource group name | | |
+| `remoteEntitySubscriptionId` | string | Optional. Remote Virtual Network Gateway/ExpressRoute Subscription Id | | |
+| `routingWeight` | string | Optional. The weight added to routes learned from this BGP speaker. | | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `usePolicyBasedTrafficSelectors` | bool | Optional. Enable policy-based traffic selectors | False | |
+| `virtualNetworkGatewayConnectionType` | string | Optional. Gateway connection type. | Ipsec | System.Object[] |
+| `vpnSharedKey` | string | Required. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways | | |
+
+### Parameter Usage: `customIPSecPolicy`
+
+If ipsecEncryption parameter is empty, customIPSecPolicy will not be deployed. The parameter file should look like below.
+
+```json
+"customIPSecPolicy": {
+ "value": {
+ "saLifeTimeSeconds": 0,
+ "saDataSizeKilobytes": 0,
+ "ipsecEncryption": "",
+ "ipsecIntegrity": "",
+ "ikeEncryption": "",
+ "ikeIntegrity": "",
+ "dhGroup": "",
+ "pfsGroup": ""
+ }
+},
+```
+
+Format of the full customIPSecPolicy parameter in parameter file.
+
+```json
+"customIPSecPolicy": {
+ "value": {
+ "saLifeTimeSeconds": 28800,
+ "saDataSizeKilobytes": 102400000,
+ "ipsecEncryption": "AES256",
+ "ipsecIntegrity": "SHA256",
+ "ikeEncryption": "AES256",
+ "ikeIntegrity": "SHA256",
+ "dhGroup": "DHGroup14",
+ "pfsGroup": "None"
+ }
+},
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `connectionName` | string | The Name of the Virtual Network Gateway Connection. |
+| `remoteConnectionResourceGroup` | string | The Resource Group deployed it. |
+| `remoteConnectionResourceId` | string | The Resource Id of the Virtual Network Gateway Connection. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Microsoft.Network connections template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-11-01/connections)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/deploy.json b/arm/Microsoft.Network/ddosProtectionPlans/deploy.json
new file mode 100644
index 0000000000..b33b04f546
--- /dev/null
+++ b/arm/Microsoft.Network/ddosProtectionPlans/deploy.json
@@ -0,0 +1,356 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ddosProtectionPlanName": {
+ "type": "string",
+ "defaultValue": "",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the DDoS protection plan to assign the VNET to."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock DDoS protection plan from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/ddosProtectionPlans",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('ddosProtectionPlanName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/ddosProtectionPlankDoNotDelete",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/ddosProtectionPlans/', parameters('ddosProtectionPlanName'))]"
+ ],
+ "comments": "Resource lock on DDoS protection plan",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('ddosProtectionPlanName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "ddosProtectionPlanName": {
+ "value": "[parameters('ddosProtectionPlanName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "ddosProtectionPlanName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/ddosProtectionPlans/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('ddosProtectionPlanName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('ddosProtectionPlanName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "ddosProtectionPlanResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the DDoS Protection Plan was created in."
+ }
+ },
+ "ddosProtectionPlanResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosProtectionPlanName'))]",
+ "metadata": {
+ "description": "The Resource id of the DDoS Protection Plan deployed."
+ }
+ },
+ "ddosProtectionPlanName": {
+ "type": "string",
+ "value": "[parameters('ddosProtectionPlanName')]",
+ "metadata": {
+ "description": "The name of the DDoS Protection Plan deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/parameters/parameters.json b/arm/Microsoft.Network/ddosProtectionPlans/parameters/parameters.json
new file mode 100644
index 0000000000..9eed17d911
--- /dev/null
+++ b/arm/Microsoft.Network/ddosProtectionPlans/parameters/parameters.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ddosProtectionPlanName": {
+ "value": "sxx-az-ddos-weu-x-001"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
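Review bot: The commented-out `roleAssignments` block in this parameters file cannot be switched on by deleting the `//` markers alone, because the `ddosProtectionPlanName` entry before it closes with `}` and no comma, so the uncommented file would not parse. The `//` lines also mean the file is not strict JSON, and any linter or pipeline step that reads it with a plain JSON parser will reject it; whether the deployment tooling used with this repository accepts comments is not visible in the patch. I would remove the commented lines and leave the example to readme.md, which already documents `roleAssignments`, or commit the block active with that entry closed as `},`. If it stays as a sample, `Desktop Virtualization User` looks copied from another module and the two `principalIds` are placeholder GUIDs, so say in the readme that both must be replaced before the block is enabled, since the template assigns the role to whatever object id it is given.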
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/readme.md b/arm/Microsoft.Network/ddosProtectionPlans/readme.md
new file mode 100644
index 0000000000..e324e107fb
--- /dev/null
+++ b/arm/Microsoft.Network/ddosProtectionPlans/readme.md
@@ -0,0 +1,89 @@
+# DDoS Protection Plans
+
+This template deploys a DDoS protection plan.
+
+
+## Resource types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/ddosProtectionPlans`|2020-08-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Network/ddosProtectionPlans/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `ddosProtectionPlanName` | string | Required. Name of the DDoS protection plan to assign the VNET to. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock DDoS protection plan from deletion. | False | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the resource. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `ddosProtectionPlanName` | string | The name of the DDoS Protection Plan deployed. |
+| `ddosProtectionPlanResourceGroup` | string | The name of the Resource Group the DDoS Protection Plan was created in. |
+| `ddosProtectionPlanResourceId` | string | The Resource id of the DDoS Protection Plan deployed. |
+
+## Considerations
+
+N/A
+
+## Additional resources
+
+- [Microsoft.Network ddosProtectionPlans template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-04-01/ddosprotectionplans)
+- [Manage Azure DDoS Protection Standard using the Azure portal](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection)
+- [Azure DDoS Protection Standard overview](https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/arm/Microsoft.Network/expressRouteCircuits/deploy.json b/arm/Microsoft.Network/expressRouteCircuits/deploy.json
new file mode 100644
index 0000000000..db25a018c7
--- /dev/null
+++ b/arm/Microsoft.Network/expressRouteCircuits/deploy.json
@@ -0,0 +1,558 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "circuitName": { + "type": "string", + "metadata": { + "description": "Required. This is the name of the ExpressRoute circuit" + } + }, + "serviceProviderName": { + "type": "string", + "metadata": { + "description": "Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call." + } + }, + "peeringLocation": { + "type": "string", + "metadata": { + "description": "Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call." + } + }, + "bandwidthInMbps": { + "type": "int", + "metadata": { + "description": "Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call." + } + }, + "skuTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Premium" + ], + "metadata": { + "description": "Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers." + } + }, + "skuFamily": { + "type": "string", + "defaultValue": "MeteredData", + "allowedValues": [ + "MeteredData", + "UnlimitedData" + ], + "metadata": { + "description": "Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families." + } + }, + "peering": { + "type": "bool", + "defaultValue": false, + "allowedValues": [ + true, + false + ], + "metadata": { + "description": "Optional. Enabled BGP peering type for the Circuit." 
+ } + }, + "peeringType": { + "type": "string", + "defaultValue": "AzurePrivatePeering", + "allowedValues": [ + "AzurePrivatePeering", + "MicrosoftPeering" + ], + "metadata": { + "description": "Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering." + } + }, + "sharedKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required." + } + }, + "peerASN": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. The autonomous system number of the customer/connectivity provider." + } + }, + "primaryPeerAddressPrefix": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link1." + } + }, + "secondaryPeerAddressPrefix": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link2." + } + }, + "vlanId": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. Specifies the identifier that is used to identify the customer." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." 
+ } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock ExpressRoute Circuit from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "PeeringRouteLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "peeringConfiguration": [ + { + "name": "[parameters('peeringType')]", + "properties": { + "peeringType": "[parameters('peeringType')]", + "sharedKey": "[parameters('sharedKey')]", + "peerASN": "[parameters('peerASN')]", + "primaryPeerAddressPrefix": "[parameters('primaryPeerAddressPrefix')]", + "secondaryPeerAddressPrefix": "[parameters('secondaryPeerAddressPrefix')]", + "vlanId": "[parameters('vlanId')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management 
Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data 
Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + 
"Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support 
Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/expressRouteCircuits",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('circuitName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[concat(parameters('skuTier'),'_', parameters('skuFamily'))]",
+ "tier": "[parameters('skuTier')]",
+ "family": "[parameters('skuFamily')]"
+ },
+ "properties": {
+ "serviceProviderProperties": {
+ "serviceProviderName": "[parameters('serviceProviderName')]",
+ "peeringLocation": "[parameters('peeringLocation')]",
+ "bandwidthInMbps": "[parameters('bandwidthInMbps')]"
+ },
+ "peerings": "[if(parameters('peering'), variables('peeringConfiguration'), json('null'))]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/expressRouteCircuitDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]"
+ ],
+ "comments": "Resource lock on Azure ExpressRoute Circuit",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticsettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('circuitName'), '/Microsoft.Insights/service')]",
+ "location": "[parameters('location')]",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('circuitName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "circuitName": {
+ "value": "[parameters('circuitName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "circuitName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/expressRouteCircuits/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('circuitName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('circuitName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "expressRouteCircuitResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('circuitName'))]",
+ "metadata": {
+ "description": "The Resource Id of the ExpressRoute Circuits."
+ }
+ },
+ "expressRouteCircuitResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the ExpressRoute Circuits was created in."
+ }
+ },
+ "expressRouteCircuitName": {
+ "type": "string",
+ "value": "[parameters('circuitName')]",
+ "metadata": {
+ "description": "The Name of the ExpressRoute Circuits.."
+ }
+ },
+ "expressRouteCircuitServiceKey": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/expressRouteCircuits', parameters('circuitName')),'2020-05-01').serviceKey]",
+ "metadata": {
+ "description": "The URL of the Key Vault."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/expressRouteCircuits/parameters/parameters.json b/arm/Microsoft.Network/expressRouteCircuits/parameters/parameters.json
new file mode 100644
index 0000000000..147779fa36
--- /dev/null
+++ b/arm/Microsoft.Network/expressRouteCircuits/parameters/parameters.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "circuitName": {
+ "value": "sxx-az-erc-weu-x-001"
+ },
+ "serviceProviderName": {
+ "value": "Equinix"
+ },
+ "peeringLocation": {
+ "value": "Amsterdam"
+ },
+ "bandwidthInMbps": {
+ "value": 50
+ },
+ "skuTier": {
+ "value": "Standard"
+ },
+ "skuFamily": {
+ "value": "MeteredData"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+ }
\ No newline at end of file
diff --git a/arm/Microsoft.Network/expressRouteCircuits/readme.md b/arm/Microsoft.Network/expressRouteCircuits/readme.md
new file mode 100644
index 0000000000..005d5df722
--- /dev/null
+++ b/arm/Microsoft.Network/expressRouteCircuits/readme.md
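Review bot: In expressRouteCircuits/parameters/parameters.json the commented-out `roleAssignments` sample at the end of `parameters` cannot be enabled by just removing the `//` markers: there is no comma after the `skuFamily` entry and the block itself ends in `},`, so the result would be invalid JSON. The sample also names `Desktop Virtualization User`, a role unrelated to an ExpressRoute circuit, so anyone who uncomments it as written assigns a role this resource has no use for; `"roleDefinitionIdOrName": "Reader",` would be a more fitting least-privilege example. The `//` comments additionally make the file non-strict JSON, which a validation step using a strict parser would reject, so keeping the example only in readme.md (where it already appears) may be the simpler option.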
@@ -0,0 +1,105 @@
+# ExpressRoute Circuit
+
+This template deploys a ExrepressRoute Circuit.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/expressRouteCircuits`|2020-08-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Network/expressRouteCircuits/providers/diagnosticsettings`|2017-05-01-preview|
+|`Microsoft.Network/expressRouteCircuits/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `bandwidthInMbps` | int | Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | | |
+| `circuitName` | string | Required. This is the name of the ExpressRoute circuit | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock ExpressRoute Circuit from deletion. | False | |
+| `peerASN` | int | Optional. The autonomous system number of the customer/connectivity provider. | 0 | |
+| `peering` | bool | Optional. Enabled BGP peering type for the Circuit. | False | System.Object[] |
+| `peeringLocation` | string | Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | | |
+| `peeringType` | string | Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | AzurePrivatePeering | System.Object[] |
+| `primaryPeerAddressPrefix` | string | Optional. A /30 subnet used to configure IP addresses for interfaces on Link1. | | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `secondaryPeerAddressPrefix` | string | Optional. A /30 subnet used to configure IP addresses for interfaces on Link2. | | |
+| `serviceProviderName` | string | Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | | |
+| `sharedKey` | string | Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | | |
+| `skuFamily` | string | Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | MeteredData | System.Object[] |
+| `skuTier` | string | Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers. | Standard | System.Object[] |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `vlanId` | int | Optional. Specifies the identifier that is used to identify the customer. | 0 | |
+| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `expressRouteCircuitName` | string | The Name of the ExpressRoute Circuits.. |
+| `expressRouteCircuitResourceGroup` | string | The name of the Resource Group the ExpressRoute Circuits was created in. |
+| `expressRouteCircuitResourceId` | string | The Resource Id of the ExpressRoute Circuits. |
+| `expressRouteCircuitServiceKey` | string | The URL of the Key Vault. |
+
+## Considerations
+
+## Additional resources
+
+- [Microsoft.Network ExpressRoute template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/expressroutecircuits)
+- [What is Azure ExpressRoute?](https://docs.microsoft.com/de-de/azure/expressroute/)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Network/ipGroups/deploy.json b/arm/Microsoft.Network/ipGroups/deploy.json
new file mode 100644
index 0000000000..c47018d309
--- /dev/null
+++ b/arm/Microsoft.Network/ipGroups/deploy.json
@@ -0,0 +1,364 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "ipGroupName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. The name of the ipGroups." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "ipAddresses": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock IP Groups from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Resource tags." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/ipGroups",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('ipGroupName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "ipAddresses": "[parameters('ipAddresses')]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/ipGroupsDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/ipGroups/', parameters('ipGroupName'))]"
+ ],
+ "comments": "Resource lock on IP Groups",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('ipGroupName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "ipGroupName": {
+ "value": "[parameters('ipGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "ipGroupName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/ipGroups/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('ipGroupName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('ipGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "ipGroupsResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/ipGroups', parameters('ipGroupName'))]",
+ "metadata": {
+ "description": "The Resource Id of the IP Group."
+ }
+ },
+ "ipGroupsResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the IP Group was created in."
+ }
+ },
+ "ipGroupName": {
+ "type": "string",
+ "value": "[parameters('ipGroupName')]",
+ "metadata": {
+ "description": "The Name of the IP Group."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/ipGroups/parameters/parameters.json b/arm/Microsoft.Network/ipGroups/parameters/parameters.json
new file mode 100644
index 0000000000..5fec145ec8
--- /dev/null
+++ b/arm/Microsoft.Network/ipGroups/parameters/parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ipGroupName": {
+ "value": "iacsGroup-servers"
+ },
+ "ipAddresses": {
+ "value": [
+ "10.0.0.1",
+ "10.0.0.2"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/ipGroups/readme.md b/arm/Microsoft.Network/ipGroups/readme.md
new file mode 100644
index 0000000000..d077f2a948
--- /dev/null
+++ b/arm/Microsoft.Network/ipGroups/readme.md
@@ -0,0 +1,88 @@
+# KeyVault
+
+This module deploys an IP Group, with resource lock.
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Network/ipGroups`|2020-08-01|
+|`Microsoft.Resources/deployments`|2020-06-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Network/ipGroups/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `ipGroupName` | string | | | Required. The name of the ipGroups.
+| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources.
+| `ipAddresses` | array | `[]` | | Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource.
+| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Azure Key Vault from deletion.
+| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource.
+| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered.
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `ipGroupsResourceId` | string | The Resource Id of the IP Group. |
+| `ipGroupsResourceGroup` | string | The name of the Resource Group the IP Group was created in. |
+| `ipGroupName` | string | The Name of the IP Group. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [IP Groups in Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/ip-groups)
+- [Microsoft.Network ipGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-05-01/ipgroups)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/arm/Microsoft.Network/loadBalancers/deploy.json b/arm/Microsoft.Network/loadBalancers/deploy.json
new file mode 100644
index 0000000000..10bdc548ee
--- /dev/null
+++ b/arm/Microsoft.Network/loadBalancers/deploy.json 
@@ -0,0 +1,543 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "loadBalancerName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The Proximity Placement Groups Name"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "loadBalancerSku": {
+ "type": "string",
+ "defaultValue": "Standard",
+ "allowedValues": ["Basic", "Standard"],
+ "metadata": {
+ "description": "Optional. Name of a load balancer SKU."
+ }
+ },
+ "frontendIPConfigurations": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Array of objects containing all frontend IP configurations"
+ }
+ },
+ "backendAddressPools": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Collection of backend address pools used by a load balancer."
+ }
+ },
+ "loadBalancingRules": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Array of objects containing all load balancing rules"
+ }
+ },
+ "probes": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Array of objects containing all probes, these are references in the load balancing rules"
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock resource from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "frontends": {
+ "copy": [
+ {
+ "name": "subnets",
+ "count": "[length(parameters('frontendIPConfigurations'))]",
+ "input": {
+ "id": "[parameters('frontendIPConfigurations')[copyIndex('subnets')].properties.subnetId]"
+ }
+ },
+ {
+ "name": "publicIPAddresses",
+ "count": "[length(parameters('frontendIPConfigurations'))]",
+ "input": {
+ "id": "[parameters('frontendIPConfigurations')[copyIndex('publicIPAddresses')].properties.publicIPAddressId]"
+ }
+ }
+ ]
+ },
+ "frontendIPConfigurations": {
+ "copy": [
+ {
+ "name": "frontendIPConfigurations",
+ "count": "[length(parameters('frontendIPConfigurations'))]",
+ "input": {
+ "name": "[parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].name]",
+ "properties": {
+ "subnet": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.subnetId), json('null'), variables('frontends').subnets[copyIndex('frontendIPConfigurations')])]",
+ "publicIPAddress": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.publicIPAddressId), json('null'), variables('frontends').publicIPAddresses[copyIndex('frontendIPConfigurations')])]",
+ "privateIPAddress": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress), json('null'), parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress)]",
+ "privateIPAllocationMethod": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.subnetId), json('null'), if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress), 'Dynamic', 'Static'))]"
+ }
+ }
+ }
+ ]
+ },
+ "loadBalancingRules": {
+ "copy": [
+ {
+ "name": "loadBalancingRules",
+ "count": "[length(parameters('loadBalancingRules'))]",
+ "input": {
+ "name": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].name]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('loadBalancerName'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.frontendIPConfigurationName)]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('loadBalancerName'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.backendAddressPoolName)]"
+ },
+ "frontendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.frontendPort]",
+ "backendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.backendPort]",
+ "enableFloatingIP": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableFloatingIP]",
+ "idleTimeoutInMinutes": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.idleTimeoutInMinutes]",
+ "protocol": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.protocol]",
+ "enableDestinationServiceEndpoint": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'enableDestinationServiceEndpoint'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableDestinationServiceEndpoint, 'false')]",
+ "enableTcpReset": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'enableTcpReset'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableTcpReset, 'false')]",
+ "loadDistribution": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'loadDistribution'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.loadDistribution, 'Default')]",
+ "disableOutboundSnat": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'disableOutboundSnat'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.disableOutboundSnat, 'false')]",
+ "probe": {
+ "id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), '/probes/', parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.probeName)]"
+ }
+ }
+ }
+ }
+ ]
+ },
+ "probes": {
+ "copy": [
+ {
+ "name": "probes",
+ "count": "[length(parameters('probes'))]",
+ "input": {
+ "name": "[parameters('probes')[copyIndex('probes')].name]",
+ "properties": {
+ "protocol": "[parameters('probes')[copyIndex('probes')].properties.protocol]",
+ "requestPath": "[if(equals(tolower(parameters('probes')[copyIndex('probes')].properties.protocol), 'tcp'), json('null'), parameters('probes')[copyIndex('probes')].properties.requestPath)]",
+ "port": "[parameters('probes')[copyIndex('probes')].properties.port]",
+ "intervalInSeconds": "[parameters('probes')[copyIndex('probes')].properties.intervalInSeconds]",
+ "numberOfProbes": "[parameters('probes')[copyIndex('probes')].properties.numberOfProbes]"
+ }
+ }
+ }
+ ]
+ },
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + 
"Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + 
"Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", 
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('loadBalancerName')]", + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('loadBalancerSku')]" + }, + "properties": { + "frontendIPConfigurations": "[variables('frontendIPConfigurations').frontendIPConfigurations]", + "backendAddressPools": "[parameters('backendAddressPools')]", + "loadBalancingRules": "[variables('loadBalancingRules').loadBalancingRules]", + "probes": "[variables('probes').probes]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2020-05-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/loadBalancerDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/loadBalancers/', parameters('loadBalancerName'))]" + ], + "comments": "Resource lock.", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", 
+ "name": "[concat(parameters('loadBalancerName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[parameters('loadBalancerName')]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('loadBalancerName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "loadBalancerName": { + "value": "[parameters('loadBalancerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "loadBalancerName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/roleAssignments", + "apiVersion": 
"2018-09-01-preview", + "name": "[concat(parameters('loadBalancerName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('loadBalancerName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "loadBalancerName": { + "type": "string", + "value": "[parameters('loadBalancerName')]", + "metadata": { + "description": "The Name of the Load Balancer." + } + }, + "loadBalancerResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName'))]", + "metadata": { + "description": "The Resource ID of the Load Balancer." + } + }, + "loadBalancerResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The resource Group name in which the reosurce is created." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/loadBalancers/parameters/parameters.json b/arm/Microsoft.Network/loadBalancers/parameters/parameters.json new file mode 100644 index 0000000000..28f8c5d026 --- /dev/null +++ b/arm/Microsoft.Network/loadBalancers/parameters/parameters.json 
@@ -0,0 +1,87 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "loadBalancerName": {
+ "value": "sxx-az-lb-x-001"
+ },
+ "frontendIPConfigurations": {
+ "value": [{
+ "name": "publicIPConfig",
+ "properties": {
+ "publicIPAddressId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/publicIPAddresses/sxx-az-pip-weu-x-003",
+ "subnetId": "",
+ "privateIPAddress": ""
+ }
+ }
+ // {
+ // "name": "privateIPConfigDynamic",
+ // "properties": {
+ // "publicIPAddressId": "",
+ // "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-x-001",
+ // "privateIPAddress": ""
+ // }
+ // }
+ // {
+ // "name": "privateIPConfigStatic",
+ // "properties": {
+ // "publicIPAddressId": "",
+ // "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-x-001",
+ // "privateIPAddress": "X.X.X.X"
+ // }
+ // }
+ ]
+ },
+ "backendAddressPools": {
+ "value": [{
+ "name": "backendAddressPool"
+ }]
+ },
+ "loadBalancingRules": {
+ "value": [{
+ "name": "publicIPLBRule",
+ "properties": {
+ "frontendIPConfigurationName": "publicIPConfig",
+ "frontendPort": 80,
+ "backendPort": 80,
+ "enableFloatingIP": false,
+ "idleTimeoutInMinutes": 5,
+ "protocol": "TCP",
+ "enableTcpReset": false,
+ "loadDistribution": "Default",
+ "disableOutboundSnat": false,
+ "probeName": "probe",
+ "backendAddressPoolName": "backendAddressPool"
+ }
+ }
+ // {
+ // "name": "privateIPLBRule",
+ // "properties": {
+ // "frontendIPConfigurationName": "privateIPConfig",
+ // "frontendPort": 80,
+ // "backendPort": 80,
+ // "enableFloatingIP": false,
+ // "idleTimeoutInMinutes": 5,
+ // "protocol": "TCP",
+ // "enableTcpReset": false,
+ // "loadDistribution": false,
+ // "disableOutboundSnat": false,
+ // "probeName": "probe"
+ // }
+ // }
+ ]
+ },
+ "probes": {
+ "value": [{
+ "name": "probe",
+ "properties": {
+ "protocol": "TCP",
+ "port": 80,
+ "requestPath": "/",
+ "intervalInSeconds": 10,
+ "numberOfProbes": 5
+ }
+ }]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/loadBalancers/readme.md b/arm/Microsoft.Network/loadBalancers/readme.md
new file mode 100644
index 0000000000..918979def2
--- /dev/null
+++ b/arm/Microsoft.Network/loadBalancers/readme.md
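Review bot: The sample `publicIPAddressId` and the two commented-out `subnetId` values in `loadBalancers/parameters/parameters.json` embed a concrete subscription GUID, which ties a shared module's parameter file to one environment and publishes that identifier with the repository; a labelled placeholder such as `"/subscriptions/<subscription-id>/resourceGroups/dependencies-rg/providers/Microsoft.Network/publicIPAddresses/sxx-az-pip-weu-x-003"` keeps the example usable without it. The only active rule, `publicIPLBRule`, forwards TCP 80 from that public frontend, so anyone deploying the file as-is exposes plain HTTP; if that is meant only for validation, the file should say so. The commented-out alternatives would not work when uncommented: there is no comma between the objects, `privateIPLBRule` refers to `privateIPConfig` while the commented frontends are named `privateIPConfigDynamic` and `privateIPConfigStatic`, it sets `"loadDistribution": false` where the active rule uses the string `"Default"`, and it has no `backendAddressPoolName`. The `//` comments also mean the file parses only with comment-tolerant tooling, which is worth confirming for every consumer of this file.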
@@ -0,0 +1,227 @@ +# LoadBalancer + +This module deploys a Load Balancer + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/loadBalancers`|2020-08-01| +|`Microsoft.Network/loadBalancers/providers/diagnosticSettings`|2017-05-01-preview| +|`providers/locks`|2016-09-01| +|`Microsoft.Network/loadBalancers/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `backendAddressPools` | array | Required. Collection of backend address pools used by a load balancer. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `frontendIPConfigurations` | array | Required. Array of objects containing all frontend IP configurations | | | +| `loadBalancerName` | string | Required. The Proximity Placement Groups Name | | | +| `loadBalancingRules` | array | Required. Array of objects containing all load balancing rules | | | +| `loadBalancerSku` | string | Optional. Name of a load balancer SKU. | "Standard" | "Basic", "Standard" | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. 
Switch to lock resource from deletion. | False | | +| `probes` | array | Required. Array of objects containing all probes, these are references in the load balancing rules | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | + +### Parameter Usage: `frontendIPConfigurations` + +```json +"frontendIPConfigurations": { + "value": [ + { + "name": "p_hub-bfw-server-feip", + "properties": { + "publicIPAddressId": "[reference(variables('deploymentPIP-VPN')).outputs.publicIPAddressResourceId.value]", + "subnetId": "", + "privateIPAddress": "" + } + } + ] +} +``` + +### Parameter Usage: `backendAddressPools` + +```json +"backendAddressPools": { + "value": [ + { + "name": "p_hub-bfw-server-bepool", + "properties": { + "loadBalancerBackendAddresses": [ + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.5" + } + }, + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.6" + } + } + ] + } + } + ] +} +``` + +### Parameter Usage: `loadBalancingRules` + +```json +"loadBalancingRules": { +"value": [ + { + "name": "p_hub-bfw-server-IPSEC-IKE-lbrule", + "properties": { + 
"frontendIPConfigurationName": "p_hub-bfw-server-feip", + "backendAddressPoolName": "p_hub-bfw-server-bepool", + "protocol": "Udp", + "frontendPort": 500, + "backendPort": 500, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 5, + "probeName": "p_hub-bfw-server-tcp-65001-probe" + } + }, + { + "name": "p_hub-bfw-server-IPSEC-NATT-lbrule", + "properties": { + "frontendIPConfigurationName": "p_hub-bfw-server-feip", + "backendAddressPoolName": "p_hub-bfw-server-bepool", + "protocol": "Udp", + "frontendPort": 4500, + "backendPort": 4500, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 5, + "probeName": "p_hub-bfw-server-tcp-65001-probe" + } + }, + { + "name": "p_hub-bfw-server-TINA-UDP-lbrule", + "properties": { + "frontendIPConfigurationName": "p_hub-bfw-server-feip", + "backendAddressPoolName": "p_hub-bfw-server-bepool", + "protocol": "Udp", + "frontendPort": 691, + "backendPort": 691, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 5, + "probeName": "p_hub-bfw-server-tcp-65001-probe" + } + }, + { + "name": "p_hub-bfw-server-TINA-TCP-lbrule", + "properties": { + "frontendIPConfigurationName": "p_hub-bfw-server-feip", + "backendAddressPoolName": "p_hub-bfw-server-bepool", + "protocol": "Tcp", + "frontendPort": 691, + "backendPort": 691, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 5, + "probeName": "p_hub-bfw-server-tcp-65001-probe" + } + } +] +} +``` + +### Parameter Usage: `probes` + +```json +"probes": { + "value": [ + { + "name": "p_hub-bfw-server-tcp-65001-probe", + "properties": { + "protocol": "Tcp", + "port": 65001, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + 
"12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `loadBalancerName` | string | The Name of the Load Balancer. | +| `loadBalancerResourceGroup` | string | The resource Group name in which the reosurce is created. | +| `loadBalancerResourceId` | string | The Resource ID of the Load Balancer. | + +## Considerations + +*N/A* + +## Additional resources + +- [Microsoft.Network loadBalancers template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-05-01/loadbalancers) +- [What is Azure Load Balancer?](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview) \ No newline at end of file diff --git a/arm/Microsoft.Network/localNetworkGateways/deploy.json b/arm/Microsoft.Network/localNetworkGateways/deploy.json new file mode 100644 index 0000000000..80c1add4a0 --- /dev/null +++ b/arm/Microsoft.Network/localNetworkGateways/deploy.json 
@@ -0,0 +1,406 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "localNetworkGatewayName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the Local Network Gateway"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "localAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. List of the local (on-premises) IP address ranges"
+ }
+ },
+ "localGatewayPublicIpAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Public IP of the local gateway"
+ }
+ },
+ "localAsn": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource."
+ }
+ },
+ "localBgpPeeringAddress": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource."
+ }
+ },
+ "localPeerWeight": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Local Network Gateway from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. FQDN of local network gateway."
+ }
+ }
+ },
+ "variables": {
+ "bgpSettings": {
+ "asn": "[parameters('localAsn')]",
+ "bgpPeeringAddress": "[parameters('localBgpPeeringAddress')]",
+ "peerWeight": "[if(empty(parameters('localPeerWeight')), '0', parameters('localPeerWeight'))]"
+ },
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
+ "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
+ "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
+ "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/localNetworkGateways",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('localNetworkGatewayName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "localNetworkAddressSpace": {
+ "addressPrefixes": "[parameters('localAddressPrefixes')]"
+ },
+ "fqdn": "[if(not(empty(parameters('fqdn'))), json('null'), parameters('fqdn'))]",
+ "gatewayIpAddress": "[parameters('localGatewayPublicIpAddress')]",
+ "bgpSettings": "[if(and(not(empty(parameters('localAsn'))), not(empty(parameters('localBgpPeeringAddress')))),variables('bgpSettings'), json('null'))]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/localNetworkGatewayDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.Network/localNetworkGateways/', parameters('localNetworkGatewayName'))]"
+ ],
+ "comments": "Resource lock on Local Network Gateway",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('localNetworkGatewayName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope":
"inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "localNetworkGatewayName": { + "value": "[parameters('localNetworkGatewayName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "localNetworkGatewayName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/localNetworkGateways/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('localNetworkGatewayName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('localNetworkGatewayName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "localNetworkGatewayResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localNetworkGatewayName'))]", + "metadata": { + "description": "The Resource Id of the Local Network Gateway." 
+ }
+ },
+ "localNetworkGatewayResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Local Network Gateway was created in."
+ }
+ },
+ "localNetworkGatewayName": {
+ "type": "string",
+ "value": "[parameters('localNetworkGatewayName')]",
+ "metadata": {
+ "description": "The Name of the Local Network Gateway."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/localNetworkGateways/parameters/parameters.json b/arm/Microsoft.Network/localNetworkGateways/parameters/parameters.json
new file mode 100644
index 0000000000..128074c82c
--- /dev/null
+++ b/arm/Microsoft.Network/localNetworkGateways/parameters/parameters.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "localNetworkGatewayName": {
+ "value": "sxx-az-lng-weu-x-001"
+ },
+ "localAddressPrefixes": {
+ "value": [
+ "192.168.1.0/24"
+ ]
+ },
+ "localGatewayPublicIpAddress": {
+ "value": "8.8.8.8"
+ },
+ "localAsn": {
+ "value": "65123"
+ },
+ "localBgpPeeringAddress": {
+ "value": "192.168.1.5"
+ },
+ "fqdn": {
+ "value": "abc"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/localNetworkGateways/readme.md b/arm/Microsoft.Network/localNetworkGateways/readme.md
new file mode 100644
index 0000000000..37d5dcc62d
--- /dev/null
+++ b/arm/Microsoft.Network/localNetworkGateways/readme.md
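Review bot: The sample `localGatewayPublicIpAddress` value `8.8.8.8` in localNetworkGateways/parameters/parameters.json is a live public address that the deploying party does not control, so any deployment that uses the file unchanged defines a gateway whose peer is a third-party host. A documentation-range address (RFC 5737) is a safer placeholder, for example `"value": "203.0.113.10"` (constructed sample). The commented-out `roleAssignments` block also relies on `//` comments, which strict JSON parsers reject, and the `fqdn` entry before it ends with `}` and no comma, so uncommenting the block as written would not parse. I would either drop the block from the parameter file or note next to it that it needs a comma after the `fqdn` entry and a client that accepts comments in parameter files.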
@@ -0,0 +1,92 @@ +# Local Network Gateway + +This module deploys Local Network Gateway, with resource lock. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/localNetworkGateways`|2020-08-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Network/localNetworkGateways/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `localAddressPrefixes` | array | Required. List of the local (on-premises) IP address ranges | | | +| `localAsn` | string | Optional. The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | | +| `localBgpPeeringAddress` | string | Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | | +| `localGatewayPublicIpAddress` | string | Required. Public IP of the local gateway | | | +| `localNetworkGatewayName` | string | Required. Name of the Local Network Gateway | | | +| `localPeerWeight` | string | Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Local Network Gateway from deletion. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the resource. | | | +| `fqdn` | string | Optional. FQDN for local gateway (on-prem gateway). | | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `localNetworkGatewayName` | string | The Name of the Local Network Gateway. | +| `localNetworkGatewayResourceGroup` | string | The name of the Resource Group the Local Network Gateway was created in. | +| `localNetworkGatewayResourceId` | string | The Resource Id of the Local Network Gateway. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [What is VPN Gateway?](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Network/natGateways/deploy.json b/arm/Microsoft.Network/natGateways/deploy.json new file mode 100644 index 0000000000..5f82c0b886 --- /dev/null +++ b/arm/Microsoft.Network/natGateways/deploy.json 
@@ -0,0 +1,558 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "natGatewayName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Azure Bastion resource" + } + }, + "idleTimeoutInMinutes": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Optional. The idle timeout of the nat gateway." + } + }, + "natGatewayPublicIpAddress": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Use to have a new Public IP Address created for the NAT Gateway." + } + }, + "natGatewayPipName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name." + } + }, + "natGatewayPublicIPPrefixId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." + } + }, + "natGatewayDomainNameLabel": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com" + } + }, + "publicIpAddresses": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Existing Public IP Address resource names to use for the NAT Gateway." + } + }, + "publicIpPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway." + } + }, + "zones": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock resource from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags for the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "natGatewayPipName": "[if( empty(parameters('natGatewayPipName')), concat(parameters('natGatewayName'), '-pip'), parameters('natGatewayPipName'))]", + "natGatewayPublicIPPrefix": { + "id": "[parameters('natGatewayPublicIPPrefixId')]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "publicIpDiagnosticsLogs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "natGatewayProperties": { + "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", + "copy": [ + { + "name": "publicIpAddresses", + "count": "[length(parameters('publicIpAddresses'))]", + "input": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddresses')[copyIndex('publicIpAddresses')])]" + } + } + ], + "copy": [ + { + "name": "publicIpPrefixes", + 
"count": "[length(parameters('publicIpPrefixes'))]", + "input": { + "id": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('publicIpPrefixes')[copyIndex('publicIpPrefixes')])]" + } + } + ] + }, + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected 
Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[parameters('natGatewayPublicIpAddress')]", + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('natGatewayPipName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": 
"Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPPrefix": "[if(not(empty(parameters('natGatewayPublicIPPrefixId'))), variables('natGatewayPublicIPPrefix'), json('null'))]", + "dnsSettings": "[if(not(empty(parameters('natGatewayDomainNameLabel'))), json(concat('{\"domainNameLabel\": \"', parameters('natGatewayDomainNameLabel'), '\"}')), json('null'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/publicIpDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('natGatewayPipName'))]" + ], + "comments": "Resource lock on Public IP", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(variables('natGatewayPipName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('natGatewayPipName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), 
empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('publicIpDiagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[parameters('natGatewayName')]", + "type": "Microsoft.Network/natGateways", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "Standard" + }, + "properties": "[variables('natGatewayProperties')]", + "zones": "[parameters('zones')]", + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/natGatewaysDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/natGateways/', parameters('natGatewayName'))]" + ], + "comments": "Resource lock.", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('natGatewayName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "natGatewayName": { + "value": "[parameters('natGatewayName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + 
"type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "natGatewayName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('natGatewayName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('natGatewayName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [], + "outputs": { + "natGatewayName": { + "type": "string", + "value": "[parameters('natGatewayName')]", + "metadata": { + "description": "The Name of the Load Balancer." + } + }, + "natGatewayResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))]", + "metadata": { + "description": "The Resource ID of the Load Balancer." + } + }, + "natGatewayResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The resource Group name in which the reosurce is created." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/natGateways/parameters/parameters.json b/arm/Microsoft.Network/natGateways/parameters/parameters.json new file mode 100644 index 0000000000..c1577988e4 --- /dev/null +++ b/arm/Microsoft.Network/natGateways/parameters/parameters.json 
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "natGatewayName": {
+ "value": "sxx-az-ngw-weu-x-001"
+ },
+ "natGatewayPublicIpAddress": {
+ "value": true
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/natGateways/readme.md b/arm/Microsoft.Network/natGateways/readme.md
new file mode 100644
index 0000000000..09473219a2
--- /dev/null
+++ b/arm/Microsoft.Network/natGateways/readme.md
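Review bot: The `roleAssignments` path of the sibling natGateways/deploy.json is never exercised by this parameters.json, which sets only `natGatewayName` and `natGatewayPublicIpAddress`. That path declares its nested resource as `Microsoft.Network/bastionHosts/providers/roleAssignments` while building the name from `parameters('natGatewayName')`, which looks like a leftover from the Bastion module. An RBAC grant made through it would presumably fail, or attach to a Bastion host that happens to share the name, instead of scoping to the NAT gateway. Adding a case such as `"roleAssignments": { "value": [ { "roleDefinitionIdOrName": "Reader", "principalIds": [ "<principal-object-id>" ] } ] }` would surface this, and the type should probably read `Microsoft.Network/natGateways/providers/roleAssignments`. Whether this file is what the validation pipeline deploys is not visible in the patch.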
@@ -0,0 +1,116 @@ +# NAT Gateway + +This module deploys a NAT Gateway. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Network/bastionHosts/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Network/natGateways` | 2020-08-01 | +| `Microsoft.Network/publicIPAddresses/providers/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2020-08-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `providers/locks` | 2016-09-01 | + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `idleTimeoutInMinutes` | int | Optional. The idle timeout of the nat gateway. | 5 | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock resource from deletion. | False | | +| `natGatewayDomainNameLabel` | string | Optional. DNS name of the Public IP resource. 
A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | | | +| `natGatewayName` | string | Required. Name of the Azure Bastion resource | | | +| `natGatewayPipName` | string | Optional. Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | | +| `natGatewayPublicIpAddress` | bool | Optional. Use to have a new Public IP Address created for the NAT Gateway. | False | | +| `natGatewayPublicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | | +| `publicIpAddresses` | array | Optional. Existing Public IP Address resource names to use for the NAT Gateway. | System.Object[] | | +| `publicIpPrefixes` | array | Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway. | System.Object[] | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags for the resource. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `zones` | array | Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed. 
| System.Object[] | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `natGatewayName` | string | The Name of the Load Balancer. | +| `natGatewayResourceGroup` | string | The resource Group name in which the reosurce is created. | +| `natGatewayResourceId` | string | The Resource ID of the Load Balancer. 
| + +## Considerations + +*N/A* + +### References + +#### Template references + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/publicIPAddresses) +- [NatGateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/natGateways) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/publicIPAddresses) +- [NatGateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/natGateways) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) diff --git a/arm/Microsoft.Network/networkSecurityGroups/deploy.json b/arm/Microsoft.Network/networkSecurityGroups/deploy.json new file mode 100644 index 0000000000..0d8bf87d86 --- /dev/null +++ b/arm/Microsoft.Network/networkSecurityGroups/deploy.json 
@@ -0,0 +1,534 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Network Security Group." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "networkSecurityGroupSecurityRules": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed." + } + }, + "flowLogEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If the flow log should be enabled" + } + }, + "networkWatcherName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG" + } + }, + "retentionEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. If the flow log retention should be enabled" + } + }, + "logFormatVersion": { + "type": "int", + "defaultValue": 2, + "allowedValues": [ + 1, + 2 + ], + "metadata": { + "description": "Optional. The flow log format version" + } + }, + "flowLogName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the NSG flow log. If empty, no flow log will be deployed." + } + }, + "flowLogworkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics for the flow logs." + } + }, + "flowAnalyticsEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. 
Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it)" + } + }, + "flowLogIntervalInMinutes": { + "type": "int", + "allowedValues": [ + 10, + 60 + ], + "defaultValue": 60, + "metadata": { + "description": "Optional. The interval in minutes which would decide how frequently TA service should do flow analytics." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of the Diagnostic Storage Account." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock NSG from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the NSG resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + }, + "networkwatcherResourceGroup": { + "type": "string", + "defaultValue": "NetworkWatcherRG", + "metadata": { + "description": "Required. Resource Group Name of the network watcher in whcih the NSG flow log would be created." + } + } + }, + "variables": { + "emptyArray": [ + ], + "nsgResourceGroup": "[resourceGroup().name]", + "flowLogName": "[if(not(empty(parameters('flowLogName'))), concat(parameters('networkWatcherName'),'/', parameters('flowLogName')), 'dummy/dummy')]", + "flowAnalyticsConfig": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[parameters('flowAnalyticsEnabled')]", + "workspaceResourceId": "[parameters('flowLogworkspaceId')]", + "trafficAnalyticsInterval": "[parameters('flowLogIntervalInMinutes')]" + } + }, + "diagnosticsMetrics": [ + ], + "diagnosticsLogs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + } + ], + "builtInRoleNames": { + "Avere Cluster Create": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3')]", + "Avere Cluster Runtime Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e078ab98-ef3a-4c9a-aba7-12f5172b45d0')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Service Deploy Release Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21d96096-b162-414a-8302-d8354f9d91b2')]", + "CAL-Custom-Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7b266cd7-0bba-4ae2-8423-90ede5e1e898')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "masterreader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-08-01", + "name": "[parameters('networkSecurityGroupName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + ], + "properties": { + "copy": [ + { + "name": "securityRules", + "count": "[length(parameters('networkSecurityGroupSecurityRules'))]", + "input": { + "name": "[parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].name]", + "properties": { + "description": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'description'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.description,'')]", + "protocol": "[parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.protocol]", + "sourcePortRange": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'sourcePortRange'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourcePortRange,'')]", + "destinationPortRange": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'destinationPortRange'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationPortRange,'')]", + "sourceAddressPrefix": 
"[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'sourceAddressPrefix'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourceAddressPrefix,'')]", + "destinationAddressPrefix": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'destinationAddressPrefix'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationAddressPrefix,'')]", + "access": "[parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.access]", + "priority": "[int(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.priority)]", + "direction": "[parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.direction]", + "sourcePortRanges": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'sourcePortRanges'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourcePortRanges,json('null'))]", + "destinationPortRanges": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'destinationPortRanges'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationPortRanges,json('null'))]", + "sourceAddressPrefixes": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'sourceAddressPrefixes'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourceAddressPrefixes,json('null'))]", + "destinationAddressPrefixes": "[if(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'destinationAddressPrefixes'),parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationAddressPrefixes,json('null'))]", + 
"sourceApplicationSecurityGroups": "[if(and(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'sourceApplicationSecurityGroupIds'),not(empty(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourceApplicationSecurityGroupIds))),concat(variables('emptyArray'),array(json(concat('{\"id\": \"',parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.sourceApplicationSecurityGroupIds[0],'\", \"location\": \"',parameters('location'),'\"}')))),json('null'))]", + "destinationApplicationSecurityGroups": "[if(and(contains(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties,'destinationApplicationSecurityGroupIds'),not(empty(parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationApplicationSecurityGroupIds))),concat(variables('emptyArray'),array(json(concat('{\"id\": \"',parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')].properties.destinationApplicationSecurityGroupIds[0],'\", \"location\": \"',parameters('location'),'\"}')))),json('null'))]" + } + } + } + ] + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/networkSecurityGroupDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]" + ], + "comments": "Resource lock on Network Security Group", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('networkSecurityGroupName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": 
"[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "deployFlowLogs", + "condition": "[not(empty(parameters('flowLogName')))]", + "resourceGroup": "[parameters('networkwatcherResourceGroup')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "nsgResourceGroup": { + "value": "[variables('nsgResourceGroup')]" + }, + "networkSecurityGroupName": { + "value": "[parameters('networkSecurityGroupName')]" + 
}, + "flowLogName": { + "value": "[variables('flowLogName')]" + }, + "flowLogEnabled": { + "value": "[parameters('flowLogEnabled')]" + }, + "retentionEnabled": { + "value": "[parameters('retentionEnabled')]" + }, + "logFormatVersion": { + "value": "[parameters('logFormatVersion')]" + }, + "diagnosticStorageAccountId": { + "value": "[parameters('diagnosticStorageAccountId')]" + }, + "diagnosticLogsRetentionInDays":{ + "value": "[parameters('diagnosticLogsRetentionInDays')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "flowLogworkspaceId": { + "value": "[parameters('flowLogworkspaceId')]" + }, + "flowAnalyticsConfig": { + "value": "[variables('flowAnalyticsConfig')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + + "location": { + "type": "string" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "flowLogName": { + "type": "string" + }, + "flowLogEnabled": { + "type": "bool" + }, + "retentionEnabled": { + "type": "bool" + }, + "logFormatVersion": { + "type": "int" + }, + "diagnosticStorageAccountId": { + "type": "string" + }, + "diagnosticLogsRetentionInDays":{ + "type": "int" + }, + "tags": { + "type": "object" + }, + "flowLogworkspaceId": { + "type": "string" + }, + "flowAnalyticsConfig": { + "type": "object" + }, + "nsgResourceGroup": { + "type": "string" + } + }, + "resources": [ + { + "name": "[parameters('flowLogName')]", + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-05-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "targetResourceId": "[resourceId(parameters('nsgResourceGroup'),'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "storageId": "[parameters('diagnosticStorageAccountId')]", + "enabled": "[parameters('flowLogEnabled')]", + "retentionPolicy": { + "days": 
"[parameters('diagnosticLogsRetentionInDays')]", + "enabled": "[parameters('retentionEnabled')]" + }, + "format": { + "type": "JSON", + "version": "[parameters('logFormatVersion')]" + }, + "flowAnalyticsConfiguration": "[if(empty(parameters('flowLogworkspaceId')),json('null'),parameters('flowAnalyticsConfig'))]" + } + } + ] + } + } + }, + + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('networkSecurityGroupName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "networkSecurityGroupName": { + "value": "[parameters('networkSecurityGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "networkSecurityGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('networkSecurityGroupName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('networkSecurityGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": 
"[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "networkSecurityGroupsResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Network Security Groups were created in." + } + }, + "networkSecurityGroupsResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "metadata": { + "description": "The Resource Ids of the Network Security Group deployed." + } + }, + "networkSecurityGroupsName": { + "type": "string", + "value": "[parameters('networkSecurityGroupName')]", + "metadata": { + "description": "The Name of the Network Security Group deployed." + } + }, + "flowLogResourceId": { + "type": "string", + "condition": "[parameters('flowLogEnabled')]", + "value": "[concat(resourceId('Microsoft.Network/networkWatchers',parameters('networkWatcherName')),'/flowLogs/Microsoft.Network',resourceGroup().name, parameters('networkSecurityGroupName'))]", + "metadata": { + "description": "The Resource Ids of the Network Security Group deployed." + } + }, + "flowLogName": { + "type": "string", + "condition": "[parameters('flowLogEnabled')]", + "value": "[variables('flowLogName')]", + "metadata": { + "description": "The Name of the FlowLog deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/networkSecurityGroups/parameters/parameters.json b/arm/Microsoft.Network/networkSecurityGroups/parameters/parameters.json new file mode 100644 index 0000000000..d9c0611f86 --- /dev/null 
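Review bot: In the `securityRules` copy, `sourceApplicationSecurityGroups` and `destinationApplicationSecurityGroups` are built from `...ApplicationSecurityGroupIds[0]` only, so a rule that lists several application security group IDs is deployed with just the first one and no error is raised. For a Deny rule that leaves the remaining groups uncovered, and for an Allow rule it silently changes who is matched, so the deployed NSG no longer reflects the parameter file. The value is also assembled as a string with `json(concat('{\"id\": \"', …))`, which breaks on any ID that contains a quote. I would accept the array of `{ "id": … }` objects directly and pass it through like the other list properties, i.e. `[if(contains(<rule>.properties,'sourceApplicationSecurityGroups'), <rule>.properties.sourceApplicationSecurityGroups, json('null'))]`, where `<rule>` stands for `parameters('networkSecurityGroupSecurityRules')[copyIndex('securityRules')]`. Failing that, the `networkSecurityGroupSecurityRules` description should state that only the first ID is used.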
+++ b/arm/Microsoft.Network/networkSecurityGroups/parameters/parameters.json
@@ -0,0 +1,117 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkSecurityGroupName": {
+ "value": "sxx-az-nsg-weu-x-001"
+ },
+ "networkwatcherResourceGroup":{
+ "value": "NetworkWatcherRG"
+ },
+ "networkSecurityGroupSecurityRules": {
+ "value": [{
+ "name": "Specific",
+ "properties": {
+ "description": "Tests specific IPs and ports",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "8080",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 100,
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "Ranges",
+ "properties": {
+ "description": "Tests Ranges",
+ "protocol": "*",
+ "access": "Allow",
+ "priority": 101,
+ "direction": "Inbound",
+ "sourcePortRanges": [
+ "80",
+ "81"
+ ],
+ "destinationPortRanges": [
+ "90",
+ "91"
+ ],
+ "sourceAddressPrefixes": [
+ "10.0.0.0/16",
+ "10.1.0.0/16"
+ ],
+ "destinationAddressPrefixes": [
+ "10.2.0.0/16",
+ "10.3.0.0/16"
+ ]
+ }
+ },
+ {
+ "name": "Port_8082",
+ "properties": {
+ "description": "Allow inbound access on TCP 8082",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "8082",
+ "access": "Allow",
+ "priority": 102,
+ "direction": "Inbound",
+ "sourceApplicationSecurityGroupIds": [
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/applicationSecurityGroups/sxx-az-asg-weu-x-003"
+ ],
+ "destinationApplicationSecurityGroupIds": [
+ "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/applicationSecurityGroups/sxx-az-asg-weu-x-003"
+ ]
+ }
+ }
+ ]
+ },
+ // "networkWatcherName": {
+ // "value": "NetworkWatcher_westeurope"
+ // },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ },
+ "retentionEnabled": {
+ "value": false
+ },
+ // "flowLogName": {
+ // "value": "sxx-az-fl-weu-001"
+ // },
+ // "flowLogworkspaceId": {
+ // "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ // },
+ // "flowLogEnabled": {
+ // "value": false
+ // },
+ // "logFormatVersion": {
+ // "value": 2
+ // },
+ // "flowLogIntervalInMinutes": {
+ // "value": 10
+ // },
+ "diagnosticLogsRetentionInDays": {
+ "value": 7
+ },
+ // "flowAnalyticsEnabled": {
+ // "value": false
+ // },
+ "workspaceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/networkSecurityGroups/readme.md b/arm/Microsoft.Network/networkSecurityGroups/readme.md
new file mode 100644
index 0000000000..d9b00ada02
--- /dev/null
+++ b/arm/Microsoft.Network/networkSecurityGroups/readme.md
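Review bot: Rule `Port_8082` is described as "Allow inbound access on TCP 8082" but sets `"protocol": "*"`, so it admits every protocol on that port; `"protocol": "Tcp"` would match the description. Rule `Specific` likewise says it tests specific IPs yet uses `"sourceAddressPrefix": "*"` and `"destinationAddressPrefix": "*"`, which makes it an any-to-any allow on 8080 if this file is reused outside validation. The file also carries a concrete subscription ID in its resource IDs and `//` comments that a strict JSON parser rejects. A placeholder such as `<subscription-id>` and a readme note that the file is JSON-with-comments would avoid both surprises.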
@@ -0,0 +1,192 @@ +# NetworkSecurityGroups + +This template deploys a Network Security Groups (NSG) with optional security rules. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/networkSecurityGroups`|2020-08-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Network/networkSecurityGroups/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.Network/networkSecurityGroups/providers/roleAssignments`|2018-09-01-preview| +|`Microsoft.Network/networkWatchers/flowLogs`|2020-05-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock NSG from deletion. | False | | +| `networkSecurityGroupName` | string | Required. Name of the Network Security Group. | | | +| `networkSecurityGroupSecurityRules` | array | Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. 
| System.Object[] | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the NSG resource. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `flowAnalyticsEnabled`| bool | Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it) | false | | +| `flowLogEnabled` | bool | Optional. If the flow log should be enabled | false | | +| `flowLogIntervalInMinutes` | int | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics | 60 | 10,60 | +| `flowLogName` | string | Optional. Name of the NSG flow log. If empty, no flow log will be deployed. | | | +| `flowLogworkspaceId` | string | Optional. Resource identifier of Log Analytics for the flow logs. | | | +| `logFormatVersion` | int | Optional. The flow log format version | 2 | | +| `networkWatcherName`| string | Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | | | +| `retentionEnabled`| bool | Optional. If the flow log retention should be enabled | true | | +| `networkwatcherResourceGroup`| string | Required. Resource Group Name of the network watcher in whcih the NSG flow log would be created. | NetworkWatcherRG | | + +### Parameter Usage: `networkSecurityGroupSecurityRules` + +The `networkSecurityGroupSecurityRules` parameter accepts a JSON Array of `securityRule` to deploy to the Network Security Group (NSG). 
+ +Note that in case of using ASGs (Application Security Groups) - `sourceApplicationSecurityGroupIds` and `destinationApplicationSecurityGroupIds` properties - both the NSG and the ASG(s) have to be in the same Azure region. Currently an NSG can only handle one source and one destination ASG. +Here's an example of specifying a couple security rules: + +```json +"networkSecurityGroupSecurityRules": { + "value": [ + { + "name": "Port_8080", + "properties": { + "description": "Allow inbound access on TCP 8080", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "8080", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [], + "sourceApplicationSecurityGroupIds": [], + "destinationApplicationSecurityGroupIds": [] + } + }, + { + "name": "Port_8081", + "properties": { + "description": "Allow inbound access on TCP 8081", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "8081", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 101, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [], + "sourceApplicationSecurityGroupIds": [], + "destinationApplicationSecurityGroupIds": [] + } + }, + { + "name": "Port_8082", + "properties": { + "description": "Allow inbound access on TCP 8082", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "8082", + "sourceAddressPrefix": "", + "destinationAddressPrefix": "", + "access": "Allow", + "priority": 102, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [], + //sourceApplicationSecurityGroupIds currently only supports 1 ID ! 
+ "sourceApplicationSecurityGroupIds": [ + "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/applicationSecurityGroups/" + ], + //destinationApplicationSecurityGroupIds currently only supports 1 ID ! + "destinationApplicationSecurityGroupIds": [ + "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/applicationSecurityGroups/" + ] + } + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `networkSecurityGroupsName` | string | The Name of the Network Security Group deployed. | +| `networkSecurityGroupsResourceGroup` | string | The name of the Resource Group the Network Security Groups were created in. | +| `networkSecurityGroupsResourceId` | string | The Resource Ids of the Network Security Group deployed. 
| +| `flowLogName` | string | The Name of the FlowLog deployed | +| `flowLogResourceId` | string | The Resource Ids of the Network Security Group deployed. | + +## Considerations + +When specifying the Security Rules for the Network Security Group (NSG) with the `networkSecurityGroupSecurityRules` parameter, pass in the Security Rules as a JSON Array in the same format as would be used for the `securityRules` property of the `Microsoft.Network/networkSecurityGroups` resource provider in an ARM Template. + +If Flow Logs traffic analytic has ever been enabled for the considered Network Security Group, even when disabling it WorkspaceResourceId must be specified targeting an existing Log Analytics workspace.
+If no Log Analytics Workspace exists or you don't want it to remain stored in the Flow Log configuration, delete the Flow Log resource. + +## Additional resources + +- [Azure Network Security Groups](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview) +- [Microsoft.Network networkSecurityGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-11-01/networksecuritygroups) +- [Microsoft.Network networkSecurityGroups/securityRules template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-11-01/networksecuritygroups/securityrules) +- [Azure Flow Logs](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview) +- [Microsoft.Network networkWatchers/flowLogs template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.json b/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.json new file mode 100644 index 0000000000..3b0e3cc901 --- /dev/null +++ b/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.json 
@@ -0,0 +1,180 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "networkWatcherName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG"
+ }
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Resource ID of the NSG that must be enabled for Flow Logs."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "retentionEnabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. If the flow log retention should be enabled"
+ }
+ },
+ "flowLogEnabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. If the flow log should be enabled"
+ }
+ },
+ "logFormatVersion": {
+ "type": "int",
+ "defaultValue": 2,
+ "allowedValues": [
+ 1,
+ 2
+ ],
+ "metadata": {
+ "description": "Optional. The flow log format version"
+ }
+ },
+ "flowAnalyticsEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it)"
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "flowLogIntervalInMinutes": {
+ "type": "int",
+ "allowedValues": [
+ 10,
+ 60
+ ],
+ "defaultValue": 60,
+ "metadata": {
+ "description": "Optional. The interval in minutes which would decide how frequently TA service should do flow analytics."
+ }
+ },
+ "retentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "nsgName": "[split(parameters('networkSecurityGroupResourceId'),'/')[8]]",
+ "nsgResourceGroupName": "[split(parameters('networkSecurityGroupResourceId'),'/')[4]]",
+ //"flowLogName": "[concat(parameters('networkWatcherName'),'/Microsoft.Network',variables('nsgResourceGroupName'), variables('nsgName'))]", # "retro-compatibility" name. May go over 80 char limit.
+ "flowLogName": "[concat(parameters('networkWatcherName'),'/',uniqueString(variables('nsgName')))]",
+ "flowAnalyticsConfig": {
+ "networkWatcherFlowAnalyticsConfiguration": {
+ "enabled": "[parameters('flowAnalyticsEnabled')]",
+ "workspaceResourceId": "[parameters('workspaceResourceId')]",
+ "trafficAnalyticsInterval": "[parameters('flowLogIntervalInMinutes')]"
+ }
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "name": "[variables('flowLogName')]",
+ "type": "Microsoft.Network/networkWatchers/flowLogs",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "targetResourceId": "[parameters('networkSecurityGroupResourceId')]",
+ "storageId": "[parameters('diagnosticStorageAccountId')]",
+ "enabled": "[parameters('flowLogEnabled')]",
+ "retentionPolicy": {
+ "days": "[parameters('retentionInDays')]",
+ "enabled": "[parameters('retentionEnabled')]"
+ },
+ "format": {
+ "type": "JSON",
+ "version": "[parameters('logFormatVersion')]"
+ },
+ "flowAnalyticsConfiguration": "[if(empty(parameters('workspaceResourceId')),json('null'),variables('flowAnalyticsConfig'))]"
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "deploymentResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the Network Security Groups were created in."
+ }
+ },
+ "flowLogResourceId": {
+ "type": "string",
+ "value": "[concat(resourceId('Microsoft.Network/networkWatchers',parameters('networkWatcherName')),'/flowLogs/Microsoft.Network',variables('nsgResourceGroupName'), variables('nsgName'))]",
+ "metadata": {
+ "description": "The Resource Ids of the Network Security Group deployed."
+ }
+ },
+ "flowLogName": {
+ "type": "string",
+ "value": "[variables('flowLogName')]",
+ "metadata": {
+ "description": "The Name of the FlowLog deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json b/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json
new file mode 100644
index 0000000000..a334e96616
--- /dev/null
+++ b/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkWatcherName": {
+ "value": "NetworkWatcher_westeurope"
+ },
+ "networkSecurityGroupResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/networkSecurityGroups/sxx-az-nsg-weu-x-003"
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/sxxazsaweux003"
+ },
+ "retentionEnabled": {
+ "value": false
+ },
+ "flowLogEnabled": {
+ "value": true
+ },
+ "logFormatVersion": {
+ "value": 2
+ },
+ "flowLogIntervalInMinutes": {
+ "value": 10
+ },
+ "retentionInDays": {
+ "value": 8
+ },
+ "flowAnalyticsEnabled": {
+ "value": false
+ },
+ "workspaceResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ }
+ }
+}
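Review bot: The `flowLogResourceId` output in `networkWatcherFlowLogs/deploy.json` does not point at the resource the template creates. The flow log is named `uniqueString(variables('nsgName'))` under the watcher, but the output still concatenates `'/flowLogs/Microsoft.Network'` with the NSG resource group and name, which is the commented-out naming scheme. Anything that uses the output to audit or update the flow log will reference an ID that does not exist; build it from the same name, e.g. `"value": "[resourceId('Microsoft.Network/networkWatchers/flowLogs', parameters('networkWatcherName'), uniqueString(variables('nsgName')))]"`, and correct its description, which currently describes the NSG. Separately, `uniqueString` is seeded only with the NSG name, so two NSGs with the same name in different resource groups resolve to the same flow log under one watcher and the later deployment would replace the earlier NSG's logging. Seeding it with `parameters('networkSecurityGroupResourceId')` avoids that.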
diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md b/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md
new file mode 100644
index 0000000000..3510db24ab
--- /dev/null
+++ b/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md
@@ -0,0 +1,65 @@ +# NSG Flow Logs + +This module controls the Network Security Group Flow Logs and analytics settings +**Note: this module must be run on the Resource Group where Network Watcher is deployed** + +## Resource types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Network/networkWatchers/flowLogs`|2019-11-01| +|`Microsoft.Resources/deployments`|2020-06-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------------------- | :----- | :--------------------------- | :---------------------------- | :----------------------------------------------------------- | +| `networkWatcherName` | string | | | Required. The name of the Network Watcher in the same region as the NSG. | +| `networkSecurityGroupResourceId` | string | | | Required. The Resource ID of the NSG that FlowLog must be configured | +| `diagnosticStorageAccountId` | string | | | Required. Resource ID of the storage account which is used to store the flow log. | +| `location` | string | `[resourceGroup().location]` | Azure Regions | Optional. Must be the same location as the NSG. | +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the FlowLog resource. | +| `retentionEnabled` | bool | true | true, false | Optional. Flag to enable/disable retention. Storage v2 must be specified if enabled. | +| `flowLogEnabled` | bool | true | true, false | Optional. Flag to enable/disable flow logging. | +| `logFormatVersion` | int | 2 | 1, 2 | Optional. The version (revision) of the flow log. | +| `flowAnalyticsEnabled` | bool | false | true, false | Optional. Flag to enable/disable traffic analytics. | +| `workspaceResourceId` | string | "" | | Optional. Resource Id of the attached Log Analytics. is Mandatory if flowAnalyticsEnabled=true or flowLogs has ever been enabled | +| `flowLogIntervalInMinutes` | int | 60 | 10, 60 | Optional. 
The interval in minutes which would decide how frequently TA service should do flow analytics | +| `retentionInDays` | int | 365 | 0..365 | Optional. Number of days to retain flow log records. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `deploymentResourceGroup` | string | The name of the Resource Group the Network Security Groups were created in. | +| `flowLogName` | string | The Name of the FlowLog deployed. | +| `flowLogResourceId` | string | The Resource Ids of the Network Security Group deployed. | + +## Considerations + +If Flow Logs traffic analytic has ever been enabled for the considered Network Security Group, even when disabling it WorkspaceResourceId must be specified targeting an existing Log Analytics workspace.
+If no Log Analytics Workspace exists or you don't want it to remain stored in the Flow Log configuration, delete the Flow Log resource + +## Additional resources + +- [Azure Flow Logs](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview) +- [Microsoft.Network networkWatchers/flowLogs template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Network/networkWatchers/deploy.json b/arm/Microsoft.Network/networkWatchers/deploy.json new file mode 100644 index 0000000000..6377479a56 --- /dev/null +++ b/arm/Microsoft.Network/networkWatchers/deploy.json 
@@ -0,0 +1,137 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkWatcherName": { + "type": "string", + "defaultValue": "", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Network Watcher resource (hidden)" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "monitors": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array that contains the monitors" + } + }, + "workspaceResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specify the Workspace Resource ID" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "outputs": [ + { + "type": "Workspace", + "workspaceSettings": { + "workspaceResourceId": "[parameters('workspaceResourceId')]" + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "condition": "[not(empty(parameters('cuaId')))]", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "name": "[parameters('networkWatcherName')]", + "properties": { + }, + "resources": [ + ] + }, + { + "type": "Microsoft.Network/networkWatchers/connectionMonitors", + "apiVersion": "2020-05-01", + "name": "[if(empty(parameters('monitors')), 'dummy/dummy', concat(parameters('networkWatcherName'),'/', parameters('monitors')[copyIndex()].connectionMonitorName))]", + "location": "[parameters('location')]", + "copy": { + "name": "monitorLoop", + "count": "[length(parameters('monitors'))]" + }, + "condition": "[not(empty(parameters('monitors')))]", + "dependsOn": [ + "[concat('Microsoft.Network/networkWatchers/', parameters('networkWatcherName'))]" + ], + "tags": "[parameters('tags')]", + "properties": { + //"source": "[parameters('source')]", + //"destination": "[parameters('destination')]", + //"autoStart": "[parameters('enableAutoStart')]", + //"monitoringIntervalInSeconds": "[parameters('monitoringIntervalInSeconds')]", + "endpoints": "[if(empty(parameters('monitors')), json('null'), parameters('monitors')[copyIndex()].endpoints)]", + "testConfigurations": "[if(empty(parameters('monitors')), json('null'), parameters('monitors')[copyIndex()].testConfigurations)]", + "testGroups": "[if(empty(parameters('monitors')), 
json('null'), parameters('monitors')[copyIndex()].testGroups)]", + "outputs": "[if(empty(parameters('workspaceResourceId')), json('null'), variables('outputs'))]" + } + } + ], + "functions": [ + ], + "outputs": { + "networkWatcherResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Network Watcher was created in." + } + }, + "networkWatcherResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/networkWatchers', parameters('networkWatcherName'))]", + "metadata": { + "description": "The Resource id of the Network Watcher deployed." + } + }, + "networkWatcherName": { + "type": "string", + "value": "[parameters('networkWatcherName')]", + "metadata": { + "description": "The name of the Network Watcher deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/networkWatchers/parameters/parameters.json b/arm/Microsoft.Network/networkWatchers/parameters/parameters.json new file mode 100644 index 0000000000..8694778f56 --- /dev/null +++ b/arm/Microsoft.Network/networkWatchers/parameters/parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkWatcherName": { + "value": "sxx-az-nw-weu-x-001" + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/networkWatchers/readme.md b/arm/Microsoft.Network/networkWatchers/readme.md new file mode 100644 index 0000000000..b1f7ea8103 --- /dev/null +++ b/arm/Microsoft.Network/networkWatchers/readme.md 
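Review bot: The `tags` parameter in `networkWatchers/deploy.json` is applied only to the `connectionMonitors` resource. The `Microsoft.Network/networkWatchers` resource itself has no `"tags": "[parameters('tags')]"`, so tag-based policy and ownership tracking will not cover the watcher. `networkWatcherName` is described as required but declares `"defaultValue": ""` together with `"minLength": 1`; dropping the default lets a missing name be rejected as a missing parameter rather than by the length check. The `workspaceResourceId` description could also state that `outputs` is set to null when the value is empty, in which case the monitor appears to have no Log Analytics destination.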
@@ -0,0 +1,116 @@ +# Network Watcher + +This template deploys Network Watcher. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/networkWatchers`|2020-08-01| +|`Microsoft.Network/networkWatchers/connectionMonitors`|2019-11-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :-| :-| :-| +| `networkWatcherName` | string | | Required. Name of the Network Watcher resource (hidden) +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `monitors` | array | [] | complex structure see below | Optional. Array that contains the monitors| +| `workspaceResourceId` | string | "" | ID of Workspace Resource| Optional. Specify the Workspace Resource ID. If not specified a default workspace will be created | +| `tags`| object | {} | Complex structure, see below. | Optional. Tags of the Virtual Network Gateway resource. | +| `cuaId` | string | {} | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" | + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `networkWatcherName` | string | The name of the Network Watcher deployed. | +| `networkWatcherResourceGroup` | string | The name of the Resource Group the Network Watcher was created in. | +| `networkWatcherResourceId` | string | The Resource id of the Network Watcher deployed. | + +## Considerations + +N/A + +### Parameter Usage: `monitors` + +Montiors specifies the Connection monitors in an array in the following structure. + +Important note: the parameter ``name`` must include the ``resource name`` AND ``resource group`` inside brackets (). e.g ``"name": "myVm01(my-rg-01)"``. This parameter is under ``monitors/value/endpoints/name`` and ``monitors/value/testGroups/name``. See example below for full structure. 
+ +```json +"monitors": { + "value": [ + { + "connectionMonitorName": "my-connection-monitor01", + "workspaceResourceId": { + "value": "[variables('workspaceId')]" + }, + "endpoints": [ + { + "name": "endpoint01", + "resourceId": "/subscriptions/111111-222222-33333-4444-5555555/resourceGroups/my-rg-01/providers/Microsoft.Compute/virtualMachines/myVm01" + }, + { + "name": "myonpremvm.contoso.com", + "address": "10.10.10.10" + } + ], + "testConfigurations": [ + { + "name": "ICMP", + "testFrequencySec": 60, + "protocol": "Icmp", + "icmpConfiguration": { + "disableTraceRoute": false + }, + "successThreshold": { + "checksFailedPercent": 1, + "roundTripTimeMs": 70 + } + } + ], + "testGroups": [ + { + "name": "myTestGroup01", + "disable": false, + "testConfigurations": [ + "ICMP" + ], + "sources": [ + "myVm01(my-rg-01)" + ], + "destinations": [ + "myonpremvm.contoso.com" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Additional resources + +- [Microsoft.Network networkWatchers template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-04-01/networkwatchers) +- [What is Azure Network Watcher?](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview) +- [Network Connectivity Monitoring with Connection Monitor (Preview)](https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-preview) \ No newline at end of file diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.json b/arm/Microsoft.Network/privateDnsZones/deploy.json new file mode 100644 index 0000000000..44b4292e7e --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/deploy.json 
@@ -0,0 +1,201 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateDnsZoneName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Private DNS zone name."
+ }
+ },
+ "vnetLinks": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource Id of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "global",
+ "metadata": {
+ "description": "Optional. The location of the PrivateDNSZone. Should be global."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID).
This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "builtInRoleNames": {
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "condition": "[not(empty(parameters('cuaId')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "[parameters('privateDnsZoneName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "[concat(parameters('privateDnsZoneName'), '/', if(empty(parameters('vnetLinks')), 'dummy', last(split(parameters('vnetLinks')[copyIndex()].vnetResourceId,'/'))))]", + "condition": 
"[not(empty(parameters('vnetLinks')))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + "[parameters('privateDnsZoneName')]" + ], + "copy": { + "name": "vnetLinksCopy", + "count": "[length(parameters('vnetLinks'))]" + }, + "properties": { + "registrationEnabled": "[parameters('vnetLinks')[copyIndex()].registrationEnabled]", + "virtualNetwork": { + "id": "[parameters('vnetLinks')[copyIndex()].vnetResourceId]" + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('privateDnsZoneName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "privateDnsZoneName": { + "value": "[parameters('privateDnsZoneName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "privateDnsZoneName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('privateDnsZoneName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('privateDnsZoneName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": 
"[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "privateDnsZoneResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the resources was deployed to." + } + }, + "privateDnsZoneName": { + "type": "string", + "value": "[parameters('privateDnsZoneName')]", + "metadata": { + "description": "The Name of the private DNS zone." + } + }, + "privateDnsZoneResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]", + "metadata": { + "description": "The Resource Id of the private DNS zone." + } + } + } +} diff --git a/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json new file mode 100644 index 0000000000..b7de621f39 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json 
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "test.local"
+ }
+ // "vnetLinks": {
+ // "value": [
+ // {
+ // "vnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/testvnet",
+ // "registrationEnabled": false
+ // }
+ // ]
+ // },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "User Access Administrator",
+ // "principalIds": [
+ // "xxx-xxx-xxx-xxx-xxx"
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
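Review bot: The commented-out `roleAssignments` sample uses "User Access Administrator", a role that lets its holder grant access to others, so anyone who uncomments the block to try RBAC starts from a privilege-granting assignment. A scoped role from the template's own map is a safer sample, e.g. `// "roleDefinitionIdOrName": "Private DNS Zone Contributor",`. The `privateDnsZoneName` entry also has no trailing comma, so uncommenting either block as written yields invalid JSON. The `//` comments themselves are only accepted by comment-tolerant tooling; a strict JSON parser in a validation step would reject this file.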
diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..8c93410d40f0a263304448a6078f028c950f1062 GIT binary patch literal 8604 zcmeI2TW?cG5XbkqQoqBIc?cj9H-VPRQ(Zs^sU=a8@=%22OYC48?9@)6q2;T${r`46 z*>iQA2&z_~$UZ*1voo`E-`V{A*R_y^oiGdI@HX_qNf?GlVG`!ymoU|Hs9#@)ui^*D z-8eE0r&=-4Z=c%_uY_SP2r#?}$Khy!Eei)4;e8s;BE)flS|)nW!k$*XUr^jQ$9gT) z(S*jCFy?vtvxc`U>@VQ5z;}4 z_7BBbUOS0D*U#;R%+{m4hY{aUS^&~59~-T=QnP!s&##Fr=j?nH{xTGvk+?jHzVR+f z>QG}d&0t^dV|Z0Bj@sOBnnB`2;l&rG`tC<;Jw4f>kLEp(G566jg|f%(M0&j_9sC*j z`F`<}>U<`>8@x%e=y{KXV;((cEJ>b-dt!@0GB?uNQ*nMG-^7Ma;~tC>zJ|7ZXGAH3 zKrR>gZj(>v$CKv`M7bB9O0I6LbMZuMoXA>?-|gHE;ABJN548@+X_VMZBR}iCr#0xJ zqZz}}7hKx?IO^|ucp~Vhih?&Ht`tdqJQG&K?|R0%%^Ih|mwT*i|L??@D}Hg>-g<(F~`vEFkFvfC3JyEux{Fgres z-1VcTfng6_$q8CE>fF|iCVei8l5Ve#sjBH+@t^lKI4SO?n!7Stiur-_T_<~D)5Vbp zpPvaEx%n}{vD!YJg(QAj{mT;Yk?x~)54!E(flxH&S2FXB=DBwPDpwYQtsfp00 z+eq10oI|UbOfE^%&?oEzM zBkjyGXkGo&5nc8PhOuh66j9n5X|@|O@<5f)DBOuQ@J+a@Y&%d*bVq;d`rOlaU%z^S zxu-gYvA&*tJ@4ytSL3{IMtj0T_9R`4es2^@w>9gQ{vy28yvM>6A+YvCt??+3_l{<- z+h44z>aUo&m&Jg$(h4U6_%6qC- z=UI5H{STz`BArYW^0B-ePs~@S+o=}Ekt1x)B|*H+*F7F7QZ&hDI3lCRpvTdptU@5V zAou;~g{$DVb4yQaz@O)U2tpjQ$O=S~n8h#r4Y}c)#L1L_m+_Z{>(b9OddCf|q&oE4 z4Q){kSv6sM9B9n-&_tu`=YE>98Z#e_oM(#>z9YBQs;A&BUgg$ReyP?Wc6876nYV0k z@ae|C*HOxoIMS+tZ^bC|N1V@ulRx0R^0WCDg?Wc7uJTcTCThDSU88Bk+frnjO9Op< zbK1+-tVFHfOMmO<@5_Ic*AX9!_Vz?04-J&Q=&*R&zpM_oKC%uupB>32o3xnM?aQd? z5AoZ)-F^QuF~lo}rn9=^tcxeh*M7>_;*?jZFg?})J68rF-XF_Do)`SJSW(%zlKgqG zkJ{O%TzStIF|Iy#x?lRUrP^vM+*Ymit?IJ7v6JK@>*sTIza0L4>_C}4W{Ng#?J!@P zWWtiS9;aM>wjy<^J}|>W9o4$ADkt@PY%S%(th&tARpZxH?1X&Pi*?)=?SFpSUp@c- z7tUkPJ*2ptm|UXoK?JDX4X3v)?q95EjZ)Q zEdt+Af1DN%;wh@5F~?WLK>vyxkWBq>>v>SQ@^0rOr=5Dsb-CJiwpv!MuM1l`k4_eK zE?pt->3fEKri?RDzSxP?HC29necMv!$va?l$9z5AR8H0#+8;I0EPSsw8{>@2Z5LqY@bggX=-1^}lcUMG&8zn!JQXGPcV6{7 zb*d4+t8+O%7q6Td5A^gCcQgK7affYO9%J5btbVlbY86Q@6k9uv-^II${LEEvCE$c! 
zQMvB|O|*zbM^Mly8P#s`KRUhv8hHD;nVPm zeVO}AGZuPwsWk&#$7jdkRPz^_!5-&Ye|EE9quoY!KMU73X|+BFvUm}GGXIXkBgGkXU1;om^upgn zetqm6dH9s8sqk~XLIH>!$#SrErq4_s1My>x&GjTlIk@iIs6YEv8cytfs3%LUZNh8Y zt*`$xyYkT-`^=14QcKu1y}(nMjR)Z{JYRVSYnk)Xq%WmKU()J$FEsvImVkn|B3fH! zk84EUH#UDHKY0!(iw3f8YEK86#|&TPaT?2_rb1YwStW;{1>bFb9veH5-%Du^+8N!| zE(cn-&^=K=r@Xo?THl{eV%LH(xf^96H-cT`r7l2`~zCS+0gjW zV|Hp*G=`W*+H)?;n3JQIl|;KQd*EpFOBgP(*JfsR+S2-n;(_ghJrmmtu5HZ5MtaT^ ztC&$_6F9otV(cUBf&bw?@HLmd5ijs;`#Bc+d}rU1xgABIVp7DBy?Az_wfJSJEFya@ zHRk&ewS_*DRSr`VeFm1_#{HXWLOzaVXwthCPi|r4K=J~M93AXH1yw%vtODv8=_iyb`&U|Aw)NX7rHPhS(vbxRw@=W$i*MVPAZhcc9M7JEnVA(&#|@;Wx8r)an(x z(i6SgU1ZmG$j=E~$$4wOqBkF@KHaG}F74Je@8!4#AF=Dl{&(>(c!Fo@+#p8S2VPmLSjA^j$~10kuej`dxYY@K8n zf_T#b!5&R`p?ho~HhX&F)%>;Q#c0GxZ|My5LNX7`H=Ijjw-v|RJur9}Df?hiBs&u^ zHr5!Lc#Q-}?fQnj@eH-D+e*5V8$In7qrpnP?rG|*cP&Jo-rhS)W;gbJA@x$=5MK6E z6Z*p*VBHzLFRfGEj!d|xF_%uJ=R3fwoUv2?k0-p-&1I+e1wC2P6N+G=saerkS?2xv z?>0&|z^9X0uCVwceYm4eC(y3IDysF-CwYB_zceQuT2X4u+&|JRj1|@!CfDPfa|K1un aHkV2dzpmFWPkB34H;#UJ?r=sUvi|^e6&rg1 literal 0 HcmV?d00001 diff --git a/arm/Microsoft.Network/publicIPAddresses/deploy.json b/arm/Microsoft.Network/publicIPAddresses/deploy.json new file mode 100644 index 0000000000..fdf645600e --- /dev/null +++ b/arm/Microsoft.Network/publicIPAddresses/deploy.json 
@@ -0,0 +1,486 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "publicIPAddressesName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Public IP Address"
+ }
+ },
+ "publicIPPrefixId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Dynamic",
+ "metadata": {
+ "description": "Optional. The public IP address allocation method. - Static or Dynamic."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Basic",
+ "metadata": {
+ "description": "Optional. Public IP Address sku Name"
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "defaultValue": "Regional",
+ "metadata": {
+ "description": "Optional. Public IP Address pricing tier"
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock resource from deletion."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "publicIPPrefix": {
+ "id": "[parameters('publicIPPrefixId')]"
+ },
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor":
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus 
Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive 
Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", 
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors 
Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + 
"condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[parameters('publicIPAddressesName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]" + }, + "properties": { + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", + "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]", + "idleTimeoutInMinutes": 4, + "ipTags": [ + ] + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/publicIPAddressDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses/', parameters('publicIPAddressesName'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('publicIPAddressesName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', parameters('publicIPAddressesName'))]" + ], + "properties": { + "storageAccountId": 
"[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('publicIPAddressesName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "publicIPAddressesName": { + "value": "[parameters('publicIPAddressesName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "publicIPAddressesName": { + "type": "string" + } + }, 
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses/providers/roleAssignments",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(parameters('publicIPAddressesName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('publicIPAddressesName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "publicIPAddressResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group the resources was deployed to."
+ }
+ },
+ "publicIPAddressName": {
+ "type": "string",
+ "value": "[parameters('publicIPAddressesName')]",
+ "metadata": {
+ "description": "The name of the resource deployed."
+ }
+ },
+ "publicIPAddressResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressesName'))]",
+ "metadata": {
+ "description": "The Resource id of the resource deployed."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/publicIPAddresses/parameters/parameters.json b/arm/Microsoft.Network/publicIPAddresses/parameters/parameters.json
new file mode 100644
index 0000000000..1859f064af
--- /dev/null
+++ b/arm/Microsoft.Network/publicIPAddresses/parameters/parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "publicIPAddressesName": {
+ "value": "sxx-az-pip-weu-x-001"
+ },
+ "skuName": {
+ "value": "Standard"
+ },
+ "publicIPAllocationMethod": {
+ "value": "Static"
+ },
+ "workspaceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ }
+ }
+}
\ No newline at end of file
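Review bot: The `workspaceId` value in this new parameter file hard-codes a concrete subscription GUID and resource group (`/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/...`), so the sample is bound to one environment and ships that environment's identifiers with the module. The readme examples in this same patch use the neutral `12345678-1234-1234-1234-123456789012` form; a placeholder or a pipeline-substituted token would fit here as well, e.g. `"value": "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>"`. If the GUID belongs to a real subscription, anyone reusing the file unchanged would point the public IP's diagnostic settings at that workspace (presumably failing on authorization, but worth not relying on). A subscription ID is not a credential, yet keeping tenant-specific identifiers out of shared templates makes accidental cross-environment wiring less likely.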
diff --git a/arm/Microsoft.Network/publicIPAddresses/readme.md b/arm/Microsoft.Network/publicIPAddresses/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..2bba892ac11df61f68e937f09ac3a5b4569278b1 GIT binary patch literal 9224 zcmeI2Yfl?T6o%(>rT&K%`H(~^x7?Ffl}Kn(q$VJs?FSSI+n9s`hT0}6E&1zh-)D}G zXS_S+q7wBMS!?gkJ#eoP{T0R-g0> z@3XKSUPc-F8avRnE1q)=9)mD1$-AO{pfRW6Q1?BJ9BBSoxDyt_Vt6F#3%cifam=+$ z|CQzs!+X){hkemL&a8#4nwD}t@PdPJ%lRCO)=_vTZIBfG=cBY8ameL-5a&PsNOGb} zQ;r=;)e3K9Gpsy}76$>tc;8b`F5$x{+x?M*vyoyqYSxv_+@IHF*|Nmwa3BenBpFCT z_UT@CYc^#yX~7y8FQeR$1){j?3Hztx$k+^T)m90Y$OHP`OByUz$+qgEZ!*^}qN3Q?T;b~X1zmKZ9|TlzhT8W|_hg}2B&X!mYB0&N^Q z)hHJjP0I_Hy|=7UDegPs+)`%S(Y?(E*+^~PL88@617w|3+cV8$^O*~rkfRurxI29$@-o&})vu>o1 z%%%(9N!L>RekTox+jUWb2Kmr@wW9lFX>_Vyw+&Vqj%b&xvLQ=#Wz#(&eNT7z3mjsT zp5#7^$i-UZXb@}kZB#4LCOVL)iZMd8xDED22P|0}^~0CCYw1e(aJma>CBkerRvKy~ z(i=~ns`yOIAZt$-`eRr8iw*CF2jTwc{$fjRXg(`}VPHvC=;-+*TI}lh!XJ57Kw8Ty z_{Xf9?C3ULR$o0sS7A~z(3#8T+LjOl;tUhtN|Ux`g66kT&%N-gcsW|u)kCyiho(e^ zd(t&al2qc4Eckw!G(?8U<5)>J{AR3E6-+Cz))O^WhJg^)l6^p|;pKgd&W^qljgmBj zXcxE=LQEUCLHI)VEooB8HjcjJbIX%;yRxogS!|liQ0WPb zk|i0DV!MQP!HX%~qrDg<7!8u~rLKiMnjBMbGnm z%J4R7KRl1xvIY~A9;2>LTfNjF(~+_fv*&PROY^YPZt8)iNP8%XVJ|a=wgjho3aIBTXFvmNV>|D%5JHo<@;Zn^ zk(I24+|uODx>3(WmM^I;)?@|t%ej1R-I6^o+N;m(c>glXZPJu2zm3A|Kl5 zm-g_iO174=t4f@y#;GZZfRCai(`0TgWXv97{~Gc8 zwI{cnK zv$`Isy{)^J#yrvq4Q*}xw)Oj1*F&}QyeN4sLN;VwR*SAO;+#;K^21gruc8B;wVaHx zd$qjX%o6nzGwMI+*Z0p)r4zf}&PZ;gPubSyY^om=UB65glSHJ|kkkx@SF#LiEBj31 z3p|-+CnY3D*a?vJ=9$=9%IloXYNCF!Ryr?p`UzaB-LGR8a^8N6T8~P5X=IO6;S0~D zif+}N+&7l?0`ty4qs{2sGrBI#Z1A@gnEKq2LAavVgdSG^ZHQrtZE0fs`HUb zm7wo}E#jMWD`C-3E}YI)WcBI2V-X&O{AT(naG`73}rZ%xR%l6QNAJ(q>c4+> zmGtk+PUW0%er}qU6Y{)lV?M;}VQUq=_O@qLIesX=@;&)pB=4zLbeDZ20w1cZi{D}R z$n7YLznN{mYrOch#LpL|?>Z*yFWY_in^X48R*_v+B64DW_La`Jwxv1RH&1jflCe&+ z(t8!E5l+q0KC55j%pQsTJ-_7WTqoOs{x!|cuRUF-rtH+47gfPciIc33)*GS%^<7=) zPF;cR^Zre>97fIUbkxrDN;8QQ#Z$9j4a>xLcqz-r;c zSQXHu_6@%(?{`S9*s(?VbPaXc5yb 
z-?cTP3G4lRde;ACU^?2nYWBqZPk}Wj{Zpf?f$8fg;0-2qI6F?ORIs+~@KT1e>}UUD V;Cvz90phJZqSLHTc=_+(/providers/Microsoft.Network/trafficManagerProfiles//azureEndpoints/", + "name": "MyEndpoint001", + "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints", + "properties": + { + "endpointStatus": "Enabled", + "endpointMonitorStatus": "CheckingEndpoint", + "targetResourceId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups//providers/Microsoft.Network/publicIPAddresses/", + "target": "my-pip-001.eastus.cloudapp.azure.com", + "weight": 1, + "priority": 1, + "endpointLocation": "East US" + } + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` +## Outputs + +| Output Name | Type | Description | +| :- | :- | +| `trafficManagerResourceId` | string | The Resource Id of the Traffic Manager. +| `trafficManagerResourceGroup` | string | The name of the Resource Group the Traffic Manager was created in. +| `trafficManagerName` | string | The Name of the Traffic Manager. 
+ +## Considerations + +*N/A* + +## Additional resources + +- [What is Traffic Manager?](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview) +- [Microsoft.Network/trafficmanagerprofiles template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-04-01/trafficmanagerprofiles) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Network/virtualNetworkGateways/deploy.json b/arm/Microsoft.Network/virtualNetworkGateways/deploy.json new file mode 100644 index 0000000000..8eba0d056f --- /dev/null +++ b/arm/Microsoft.Network/virtualNetworkGateways/deploy.json 
@@ -0,0 +1,774 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "virtualNetworkGatewayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the Virtual Network Gateway name."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "gatewayPipName": {
+ "type": "array",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name."
+ }
+ },
+ "publicIPPrefixId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "domainNameLabel": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com"
+ }
+ },
+ "virtualNetworkGatewayType": {
+ "type": "string",
+ "allowedValues": [
+ "Vpn",
+ "ExpressRoute"
+ ],
+ "metadata": {
+ "description": "Required. Specifies the gateway type. E.g. VPN, ExpressRoute"
+ }
+ },
+ "virtualNetworkGatewaySku": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "VpnGw1",
+ "VpnGw2",
+ "VpnGw3",
+ "VpnGw1AZ",
+ "VpnGw2AZ",
+ "VpnGw3AZ",
+ "ErGw1AZ",
+ "ErGw2AZ",
+ "ErGw3AZ"
+ ],
+ "metadata": {
+ "description": "Required. The Sku of the Gateway."
+ } + }, + "vpnType": { + "type": "string", + "allowedValues": [ + "PolicyBased", + "RouteBased" + ], + "defaultValue": "RouteBased", + "metadata": { + "description": "Required. Specifies the VPN type" + } + }, + "vpnGatewayGeneration": { + "type": "string", + "allowedValues": [ + "Generation1", + "Generation2" + ], + "defaultValue": "Generation1", + "metadata": { + "description": "Optional. Specifies the VPN GW generation." + } + }, + "vNetId": { + "type": "string", + "metadata": { + "description": "Required. Virtual Network resource Id" + } + }, + "activeActive": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration" + } + }, + "enableBgp": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Value to specify if BGP is enabled or not" + } + }, + "asn": { + "type": "int", + "defaultValue": 65815, + "metadata": { + "description": "Optional. ASN value" + } + }, + "vpnClientAddressPoolPrefix": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network." + } + }, + "clientRootCertData": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Client root certificate data used to authenticate VPN clients." + } + }, + "clientRevokedCertThumbprint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Virtual Network Gateway from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "zoneRedundantSkus": [ + "VpnGw1AZ", + "VpnGw2AZ", + "VpnGw3AZ", + "ErGw1AZ", + "ErGw2AZ", + "ErGw3AZ" + ], + "gatewayPipSku": "[if(contains(variables('zoneRedundantSkus'), parameters('virtualNetworkGatewaySku')), 'Standard', 'Basic')]", + "gatewayPipAllocationMethod": "[if(contains(variables('zoneRedundantSkus'), parameters('virtualNetworkGatewaySku')), 'Static', 'Dynamic')]", + "gatewaySubnetId": "[concat(parameters('vNetId'), '/subnets/GatewaySubnet')]", + + "gatewayPipName1": "[if( equals(length(parameters('gatewayPipName')),0), concat(parameters('virtualNetworkGatewayName'), '-pip1'), parameters('gatewayPipName')[0])]", + "gatewayPipName2": "[if( variables('activeActive'), if (equals(length(parameters('gatewayPipName')),1), concat(parameters('virtualNetworkGatewayName'), '-pip2'), parameters('gatewayPipName')[1]), '')]", + "gatewayPipName": "[if( not(empty(variables('gatewayPipName2'))), createArray(variables('gatewayPipName1'), variables('gatewayPipName2')), createArray(variables('gatewayPipName1')))]", + "gatewayPipId1": "[resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName1'))]", + "gatewayPipId2": "[if( variables('activeActive'), resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName2')), resourceId('Microsoft.Network/publicIPAddresses', variables('gatewayPipName1')))]", + "enableBgp": "[if(equals(parameters('virtualNetworkGatewayType'), 'ExpressRoute'), bool('false'), parameters('enableBgp'))]", + "vpnType": "[if(equals(parameters('virtualNetworkGatewayType'), 'ExpressRoute'), 'PolicyBased', parameters('vpnType'))]", + "activeActive": "[if(equals(parameters('virtualNetworkGatewayType'), 'ExpressRoute'), bool('false'), parameters('activeActive'))]", + "bgpSettings": { + "asn": "[parameters('asn')]" + }, + "publicIPPrefix": { + "id": "[parameters('publicIPPrefixId')]" + }, + "activePassiveIpConfiguration": [ + { + "properties": { + 
"privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('gatewaySubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('gatewayPipId1')]" + } + }, + "name": "vNetGatewayConfig1" + } + ], + "activeActiveIpConfiguration": [ + { + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('gatewaySubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('gatewayPipId1')]" + } + }, + "name": "vNetGatewayConfig1" + }, + { + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('gatewaySubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('gatewayPipId2')]" + } + }, + "name": "vNetGatewayConfig2" + } + ], + "vpnClientRootCertificates": [ + { + "name": "RootCert1", + "properties": { + "PublicCertData": "[parameters('clientRootCertData')]" + } + } + ], + "vpmClientRevokedCertificates": [ + { + "name": "RevokedCert1", + "properties": { + "Thumbprint": "[parameters('clientRevokedCertThumbprint')]" + } + } + ], + "vpnClientConfiguration": { + "vpnClientAddressPool": { + "addressPrefixes": [ + "[parameters('vpnClientAddressPoolPrefix')]" + ] + }, + "vpnClientRootCertificates": "[if(empty(parameters('clientRootCertData')), json('null'), variables('vpnClientRootCertificates'))]", + "vpnClientRevokedCertificates": "[if(empty(parameters('clientRevokedCertThumbprint')), json('null'), variables('vpmClientRevokedCertificates'))]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "publicIpDiagnosticsLogs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": 
"[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "virtualNetworkGatewayDiagnosticsLogs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "TunnelDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "RouteDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "IKEDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "P2SDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", 
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + 
"Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-08-01", + "name": "[variables('gatewayPipName')[copyindex()]]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "copy": { + "name": "pipCopy", + "count": "[length(variables('gatewayPipName'))]", + "mode": "Serial" + }, + "sku": { + "name": "[variables('gatewayPipSku')]" + }, + "properties": { + "publicIPAllocationMethod": "[variables('gatewayPipAllocationMethod')]", + "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]", + "dnsSettings": "[if(equals(length(variables('gatewayPipName')),length(parameters('domainNameLabel'))), json(concat('{\"domainNameLabel\": \"', parameters('domainNameLabel')[copyindex()], '\"}')), json('null'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/publicIpDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('gatewayPipName')[copyindex()])]" + ], + "comments": "Resource lock on Public IP", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + 
"apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(variables('gatewayPipName')[copyindex()], '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('gatewayPipName')[copyindex()])]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('publicIpDiagnosticsLogs'))]" + } + + } + ] + }, + { + "type": "Microsoft.Network/virtualNetworkGateways", + "apiVersion": "2020-08-01", + "name": "[parameters('virtualNetworkGatewayName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + "pipCopy" + ], + "properties": { + "ipConfigurations": "[if(variables('activeActive'), variables('activeActiveIpConfiguration'), variables('activePassiveIpConfiguration'))]", + "activeActive": "[variables('activeActive')]", + "enableBgp": 
"[variables('enableBgp')]", + "bgpSettings": "[if(equals(parameters('virtualNetworkGatewayType'), 'ExpressRoute'), json('null'), variables('bgpSettings'))]", + "sku": { + "name": "[parameters('virtualNetworkGatewaySku')]", + "tier": "[parameters('virtualNetworkGatewaySku')]" + }, + "gatewayType": "[parameters('virtualNetworkGatewayType')]", + "vpnType": "[variables('vpnType')]", + "vpnClientConfiguration": "[if(empty(parameters('vpnClientAddressPoolPrefix')), json('null'), variables('vpnClientConfiguration'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/virtualNetworkGatewayDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworkGateways/', parameters('virtualNetworkGatewayName'))]" + ], + "comments": "Resource lock on Virtual Network Gateway", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "[parameters('location')]", + "name": "[concat(parameters('virtualNetworkGatewayName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworkGateways/', parameters('virtualNetworkGatewayName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": 
"[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId'))), json('null'), variables('virtualNetworkGatewayDiagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('virtualNetworkGatewayName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "virtualNetworkGatewayName": { + "value": "[parameters('virtualNetworkGatewayName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "virtualNetworkGatewayName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('virtualNetworkGatewayName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('virtualNetworkGatewayName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": 
"[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "virtualNetworkGatewayResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Virtual Network Gateway was deployed." + } + }, + "virtualNetworkGatewayName": { + "type": "string", + "value": "[parameters('virtualNetworkGatewayName')]", + "metadata": { + "description": "The Name of the Virtual Network Gateway." + } + }, + "virtualNetworkGatewayResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('virtualNetworkGatewayName'))]", + "metadata": { + "description": "The Resource Id of the Virtual Network Gateway." + } + }, + "activeActive": { + "type": "bool", + "value": "[variables('activeActive')]", + "metadata": { + "description": "Shows if the VNet gateway is configured in active-active mode." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Network/virtualNetworkGateways/parameters/er.parameters.json b/arm/Microsoft.Network/virtualNetworkGateways/parameters/er.parameters.json new file mode 100644 index 0000000000..c682a54f17 --- /dev/null +++ b/arm/Microsoft.Network/virtualNetworkGateways/parameters/er.parameters.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "virtualNetworkGatewayName": {
+ "value": "acf-sb-ccoe-np-01-euw-vnet-validate-01-ergw-01"
+ },
+ "gatewayPipName": {
+ "value": [
+ "acf-sb-ccoe-np-01-euw-vnet-validate-01-ergw-01-pip-s-01"
+ ]
+ },
+ "publicIPPrefixId": {
+ "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/dependencies-rg/providers/Microsoft.Network/publicIPPrefixes/acf-sb-ccoe-np-01-euw-pippfx-01"
+ },
+ "domainNameLabel": {
+ "value": [
+ "acfsbccoenp01euw-ergw-01-pip-s-01"
+ ]
+ },
+ "virtualNetworkGatewayType": {
+ "value": "ExpressRoute"
+ },
+ "virtualNetworkGatewaySku": {
+ "value": "ErGw1AZ"
+ },
+ "vNetId": {
+ "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/acf-sb-ccoe-np-01-euw-vnet-validate-01"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": 365
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/dependencies-rg/providers/Microsoft.Storage/storageAccounts/acfsbccoenp1validate02"
+ },
+ "workspaceId": {
+ "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/dependencies-rg/providers/Microsoft.OperationalInsights/workspaces/acf-sb-ccoe-np-01-euw-loganalytics-validate-01"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/dependencies-rg/providers/Microsoft.EventHub/namespaces/acf-sb-ccoe-np-01-euw-evhns-logging-np-01/AuthorizationRules/RootManageSharedAccessKey"
+ },
+ "eventHubName": {
+ "value": "acf-sb-ccoe-np-01-euw-evh-logging-np-01"
+ },
+ "lockForDeletion": {
+ "value": false
+ },
+ "tags": {
+ "value": {
+ "Environment": "Validation",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "",
+ "CostCenter": "",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/virtualNetworkGateways/parameters/parameters.json b/arm/Microsoft.Network/virtualNetworkGateways/parameters/parameters.json
new file mode 100644
index 0000000000..75a8238a6f
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworkGateways/parameters/parameters.json
@@ -0,0 +1,47 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "virtualNetworkGatewayName": {
+ "value": "sxx-az-vnet-vpn-gw-weu-p-001"
+ },
+ "gatewayPipName": {
+ "value": ["sxx-az-vnet-vpn-gw-weu-p-001-pip-03"]
+ },
+ "publicIPPrefixId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/publicIPPrefixes/sxx-az-pippfx-weu-x-003"
+ },
+ "domainNameLabel": {
+ "value": ["sxx-az-vnet-vpn-gw-weu-p-001-pip-03"]
+ },
+ "virtualNetworkGatewayType": {
+ "value": "Vpn"
+ },
+ "virtualNetworkGatewaySku": {
+ "value": "VpnGw1AZ"
+ },
+ "vpnType": {
+ "value": "RouteBased"
+ },
+ "vpnGatewayGeneration": {
+ "value": "Generation2"
+ },
+ "activeActive": {
+ "value": false
+ },
+ "vNetId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-004"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Network/virtualNetworkGateways/readme.md b/arm/Microsoft.Network/virtualNetworkGateways/readme.md
new file mode 100644
index 0000000000..776831d647
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworkGateways/readme.md
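Review bot: The `eventHubAuthorizationRuleId` value in er.parameters.json points at the namespace's built-in `RootManageSharedAccessKey` rule, so diagnostic streaming deployed from this file is tied to the one key that governs the whole Event Hubs namespace. A dedicated authorization rule for diagnostics lets that key be rotated or revoked without affecting other consumers, e.g. `".../namespaces/acf-sb-ccoe-np-01-euw-evhns-logging-np-01/AuthorizationRules/<diagnostics-rule-placeholder>"`. `lockForDeletion` is `false` here, which is reasonable for a validation deployment but should not be carried into production parameter sets unchanged.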
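Review bot: The `publicIPPrefixId` and `vNetId` values in parameters.json carry what looks like a real subscription GUID (`8629be3b-96bc-482d-a04b-ffff597c65a2`), whereas er.parameters.json in this commit uses the placeholder `12345678-1234-1234-1234-123456789012`; if this repository is shared outside the tenant the placeholder form is preferable (whether the GUID is live cannot be told from the patch). The commented-out `roleAssignments` block makes the file invalid for any strict JSON parser in the pipeline, and the `vNetId` entry above it has no trailing comma, so uncommenting the block as-is will not parse either. Its sample role, `Desktop Virtualization User`, looks copied from another module and is not an obvious fit for a virtual network gateway.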
@@ -0,0 +1,144 @@
+# VirtualNetworkGateway
+
+This module deploys a Virtual Network Gateway.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/publicIPAddresses`|2020-08-01|
+|`Microsoft.Network/virtualNetworkGateways`|2020-08-01|
+|`Microsoft.Network/publicIPAddresses/providers/diagnosticSettings`|2017-05-01-preview|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings`|2017-05-01-preview|
+|`Microsoft.Network/virtualNetworkGateways/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `activeActive` | bool | Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration | True | |
+| `asn` | int | Optional. ASN value | 65815 | |
+| `clientRevokedCertThumbprint` | string | Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | | |
+| `clientRootCertData` | string | Optional. Client root certificate data used to authenticate VPN clients. | | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | |
+| `diagnosticStorageAccountId` | string | Required. Resource identifier of the Diagnostic Storage Account. | | |
+| `domainNameLabel` | array | Optional. DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | System.Object[] | |
+| `enableBgp` | bool | Optional. Value to specify if BGP is enabled or not | True | |
+| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | |
+| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | |
+| `gatewayPipName` | array | Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Virtual Network Gateway from deletion. | False | |
+| `publicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `virtualNetworkGatewayName` | string | Required. Specifies the Virtual Network Gateway name. | | |
+| `virtualNetworkGatewaySku` | string | Required. The Sku of the Gateway. | | System.Object[] |
+| `virtualNetworkGatewayType` | string | Required. Specifies the gateway type. E.g. VPN, ExpressRoute | | System.Object[] |
+| `vNetId` | string | Required. Virtual Network resource Id | | |
+| `vpnClientAddressPoolPrefix` | string | Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | | |
+| `vpnGatewayGeneration` | string | Optional. Specifies the VPN GW generation. | Generation1 | System.Object[] |
+| `vpnType` | string | Required. Specifies the VPN type | RouteBased | System.Object[] |
+| `workspaceId` | string | Required. Resource identifier of Log Analytics. | | |
+
+### Parameter Usage: `subnets`
+
+The `subnets` parameter accepts a JSON Array of `subnet` objects to deploy to the Virtual Network.
+
+Here's an example of specifying a couple Subnets to deploy:
+
+```json
+"subnets": {
+ "value": [
+ {
+ "name": "app",
+ "properties": {
+ "addressPrefix": "10.1.0.0/24",
+ "networkSecurityGroup": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'app-nsg')]"
+ },
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', 'app-udr')]"
+ }
+ }
+ },
+ {
+ "name": "data",
+ "properties": {
+ "addressPrefix": "10.1.1.0/24"
+ }
+ }
+ ]
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `activeActive` | bool | Shows if the VNet gateway is configured in active-active mode. |
+| `virtualNetworkGatewayName` | string | The Name of the Virtual Network Gateway. |
+| `virtualNetworkGatewayResourceGroup` | string | The Resource Group the Virtual Network Gateway was deployed. |
+| `virtualNetworkGatewayResourceId` | string | The Resource Id of the Virtual Network Gateway. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Microsoft.Network virtualNetworkGateways template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-11-01/virtualnetworkgateways)
+- [What is VPN Gateway?](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways)
+- [ExpressRoute virtual network gateway and FastPath](https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways)
+- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Network/virtualNetworkPeerings/deploy.json b/arm/Microsoft.Network/virtualNetworkPeerings/deploy.json
new file mode 100644
index 0000000000..cc63eb0694
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworkPeerings/deploy.json
@@ -0,0 +1,166 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "peeringName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Required if not using remoteVirtualNetworksProperties. The Name of the virtual network peering resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "localVnetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The Name of the Virtual Network to add the peering to."
+ }
+ },
+ "remoteVirtualNetworkId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Required if not using remoteVirtualNetworksProperties. The Resource Id of the remote virtual network. The remove virtual network can be in the same or different region."
+ }
+ },
+ "allowVirtualNetworkAccess": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space."
+ }
+ },
+ "allowForwardedTraffic": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network."
+ }
+ },
+ "allowGatewayTransit": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. If gateway links can be used in remote virtual networking to link to this virtual network."
+ }
+ },
+ "useRemoteGateways": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway."
+ }
+ },
+ "remoteVirtualNetworksProperties": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Required when not using remoteVirtualNetworkId (i.e. Single Peering deployment). Array containing multiple objects for different VNETs to peer with. Format: Object of remoteVirtualNetwork:Id (string-required), allowVirtualNetworkAccess (bool-optional-default-true), allowForwardedTraffic (bool-optional-default-true), allowGatewayTransit (bool-optional-default-false), useRemoteGateways (bool-optional-default-true)."
+ }
+ }
+ },
+ "variables": {
+ "localToRemotePeeringName": "[concat(parameters('localVnetName'),'/', if(empty(parameters('peeringName')),'tempValue',parameters('peeringName')))]",
+ "peeringResourceIdsToOutput": {
+ "copy": [
+ {
+ "name": "peeringResourceIdsOutput",
+ "count": "[length(parameters('remoteVirtualNetworksProperties'))]",
+ "input": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('localVnetName'), concat(parameters('localVnetName'),'-', last(split(parameters('remoteVirtualNetworksProperties')[copyIndex('peeringResourceIdsOutput')].remoteVirtualNetwork.Id,'/'))))]"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "condition": "[not(empty(parameters('remoteVirtualNetworkId')))]",
+ "comments": "Deployment of VNET Peering to a single VNET",
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('localToRemotePeeringName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "allowVirtualNetworkAccess": "[parameters('allowVirtualNetworkAccess')]",
+ "allowForwardedTraffic": "[parameters('allowForwardedTraffic')]",
+ "allowGatewayTransit": "[parameters('allowGatewayTransit')]",
+ "useRemoteGateways": "[parameters('useRemoteGateways')]",
+ "remoteVirtualNetwork": {
+ "id": "[parameters('remoteVirtualNetworkId')]"
+ }
+ }
+ },
+ {
+ "condition": "[not(empty(parameters('remoteVirtualNetworksProperties')))]",
+ "comments": "Deployment of VNET Peering for multiple VNETs",
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "copy": {
+ "count": "[length(parameters('remoteVirtualNetworksProperties'))]",
+ "name": "peering-counter"
+ },
+ "name": "[concat(parameters('localVnetName'),'/',concat(parameters('localVnetName'),'-', last(split(parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].remoteVirtualNetwork.id,'/'))))]",
+ "location": "[parameters('location')]",
+ "properties": "[parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')]]"
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "virtualNetworkPeeringResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group the vNet Peering was deployed to."
+ }
+ },
+ "virtualNetworkPeeringName": {
+ "type": "string",
+ "value": "[parameters('peeringName')]",
+ "metadata": {
+ "description": "The Name of the vNet Peering."
+ }
+ },
+ "virtualNetworkPeeringResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('localVnetName'), parameters('peeringName'))]",
+ "metadata": {
+ "description": "The Resource Id of the vNet Peering."
+ }
+ },
+ "virtualNetworkPeeringResourceIds": {
+ "type": "array",
+ "value": "[variables('peeringResourceIdsToOutput').peeringResourceIdsOutput]",
+ "metadata": {
+ "description": "The Resource Ids of the vNet Peering."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/virtualNetworkPeerings/parameters/parameters.json b/arm/Microsoft.Network/virtualNetworkPeerings/parameters/parameters.json
new file mode 100644
index 0000000000..9346b24d5f
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworkPeerings/parameters/parameters.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "peeringName": {
+ "value": "sxx-az-peering-weu-x-002-sxx-az-peering-weu-x-003"
+ },
+ "localVnetName": {
+ "value": "sxx-az-vnet-weu-x-002"
+ },
+ "remoteVirtualNetworkId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003"
+ },
+ "allowVirtualNetworkAccess": {
+ "value": true
+ },
+ "allowForwardedTraffic": {
+ "value": true
+ },
+ "allowGatewayTransit": {
+ "value": false
+ },
+ "useRemoteGateways": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/virtualNetworkPeerings/readme.md b/arm/Microsoft.Network/virtualNetworkPeerings/readme.md
new file mode 100644
index 0000000000..a8d2d14fd3
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworkPeerings/readme.md
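Review bot: The multi-peering resource (third entry in `resources`) passes each element of `remoteVirtualNetworksProperties` straight through as `properties`, so the defaults promised in the parameter description (`allowVirtualNetworkAccess` true, `allowForwardedTraffic` true, `allowGatewayTransit` false, `useRemoteGateways` true) are never applied by the template, and any other key a caller puts in the object is forwarded as well. An omitted flag therefore takes whatever the resource provider defaults to, which is worth making explicit for settings that decide whether forwarded traffic and gateway transit cross the peering. I would build the `properties` object field by field with `if(contains(...))` fallbacks, as sketched below with the documented defaults. Separately, the single-peering parameters default `allowForwardedTraffic` and `useRemoteGateways` to `true`; `false` looks like the safer default for both, and `useRemoteGateways: true` presumably fails when the remote side has not enabled gateway transit.

```json
// … unchanged: condition, comments, type, apiVersion, copy, name, location …
"properties": {
    "allowVirtualNetworkAccess": "[if(contains(parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')], 'allowVirtualNetworkAccess'), parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].allowVirtualNetworkAccess, true)]",
    "allowForwardedTraffic": "[if(contains(parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')], 'allowForwardedTraffic'), parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].allowForwardedTraffic, true)]",
    "allowGatewayTransit": "[if(contains(parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')], 'allowGatewayTransit'), parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].allowGatewayTransit, false)]",
    "useRemoteGateways": "[if(contains(parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')], 'useRemoteGateways'), parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].useRemoteGateways, true)]",
    "remoteVirtualNetwork": {
        "id": "[parameters('remoteVirtualNetworksProperties')[copyIndex('peering-counter')].remoteVirtualNetwork.id]"
    }
}
```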
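Review bot: `remoteVirtualNetworkId` in parameters.json hard-codes a concrete subscription GUID and resource group, which pins this sample to one environment and publishes an environment-specific identifier in the repository. A placeholder keeps the file reusable, e.g. `"value": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<remoteVnetName>"`, with the real value supplied by the pipeline at deployment time. The same GUID also appears in the `remoteVirtualNetworksProperties` example of this module's readme.md.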
@@ -0,0 +1,67 @@
+# VirtualNetworkPeering
+
+This template deploys Virtual Network Peering.
+
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`|2020-05-01|
+|`Microsoft.Resources/deployments`|2020-06-01|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `remoteVirtualNetworksProperties` | Array | Optional. Required when not using remoteVirtualNetworkId (i.e. Single Peering deployment). Array containing multiple objects for different VNETs to peer with. Format: Object of remoteVirtualNetwork:Id (string-required), allowVirtualNetworkAccess (bool-optional-default-true), allowForwardedTraffic (bool-optional-default-true), allowGatewayTransit (bool-optional-default-false), useRemoteGateways (bool-optional-default-true). | [] | See [Considerations](readme.md##considerations) |
+| `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | True | |
+| `allowGatewayTransit` | bool | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. | False | |
+| `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | True | |
+| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `peeringName` | string | Optional. Required if not using remoteVirtualNetworksProperties. The Name of the virtual network peering resource. | | |
+| `remoteVirtualNetworkId` | string |Optional. Required if not using remoteVirtualNetworksProperties. The Resource Id of the remote virtual network. The remove virtual network can be in the same or different region. | | |
+| `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. | True | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `virtualNetworkPeeringName` | string | The Name of the vNet Peering. |
+| `virtualNetworkPeeringResourceId` | string | The Resource Id of the vNet Peering. |
+| `virtualNetworkPeeringResourceGroup` | string | The Resource Group the vNet Peering was deployed to. |
+| `virtualNetworkPeeringResourceIds` | array | Array of vNet Peering Resource Ids of the vNet Peering. Only available if using remoteVirtualNetworksProperties |
+
+## Considerations
+
+- The `remoteVirtualNetworksProperties` allows you to create peering with multiple virtual networks at the same time, each with its own unique configurations for `allowForwardedTraffic`, `allowGatewayTransit`, `allowVirtualNetworkAccess` and `useRemoteGateways`. However this parameter cannot be used in conjuction with `remoteVirtualNetworkId` or other parameters in the template.
+
+ Example:
+ ```json
+ "remoteVirtualNetworksProperties": {
+ "value": [
+ {
+ "remoteVirtualNetwork": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true
+ },
+ {
+ "remoteVirtualNetwork": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-005"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false
+ }
+ ]
+ }
+ ```
+
+## Additional resources
+
+- [Microsoft.Network virtualNetworks/virtualNetworkPeerings template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-04-01/virtualnetworks/virtualnetworkpeerings)
diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.json b/arm/Microsoft.Network/virtualNetworks/deploy.json
new file mode 100644
index 0000000000..826ec3e5e0
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.json
@@ -0,0 +1,521 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vNetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The Virtual Network (vNet) Name."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "vNetAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "Required. An Array of 1 or more IP Address Prefixes for the Virtual Network."
+ }
+ },
+ "subnets": {
+ "type": "array",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. An Array of subnets to deploy to the Virual Network."
+ }
+ },
+ "dnsServers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. DNS Servers associated to the Virtual Network."
+ }
+ },
+ "ddosProtectionPlanId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource Id of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Virtual Network from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "subnetNamesToOutput": { + "copy": [ + { + "name": "subnetNamesOutput", + "count": "[length(parameters('subnets'))]", + "input": "[parameters('subnets')[copyIndex('subnetNamesOutput')].name]" + } + ] + }, + "subnetIdsToOutput": { + "copy": [ + { + "name": "subnetIdsOutput", + "count": "[length(parameters('subnets'))]", + "input": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), parameters('subnets')[copyIndex('subnetIdsOutput')].name)]" + } + ] + }, + "dnsServers": { + "dnsServers": "[array(parameters('dnsServers'))]" + }, + "ddosProtectionPlan": { + "id": "[parameters('ddosProtectionPlanId')]" + }, + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "diagnosticsLogs": [ + { + "category": "VMProtectionAlerts", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ], + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", 
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + 
"Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-08-01", + "name": "[parameters('vNetName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('vNetAddressPrefixes')]" + }, + "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanId'))), variables('ddosProtectionPlan'), json('null'))]", + "dhcpOptions": "[if(empty(parameters('dnsServers')), json('null'), variables('dnsServers'))]", + "enableDdosProtection": "[not(empty(parameters('ddosProtectionPlanId')))]", + "copy": [ + { + "name": "subnets", + "count": "[length(parameters('subnets'))]", + "input": { + "name": "[parameters('subnets')[copyIndex('subnets')].name]", + "properties": { + "addressPrefix": "[parameters('subnets')[copyIndex('subnets')].addressPrefix]", + "networkSecurityGroup": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'networkSecurityGroupName'), if(empty(parameters('subnets')[copyIndex('subnets')].networkSecurityGroupName), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/networkSecurityGroups', parameters('subnets')[copyIndex('subnets')].networkSecurityGroupName), '\"}'))), json('null'))]", + "routeTable": 
"[if(contains(parameters('subnets')[copyIndex('subnets')], 'routeTableName'), if(empty(parameters('subnets')[copyIndex('subnets')].routeTableName), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/routeTables', parameters('subnets')[copyIndex('subnets')].routeTableName), '\"}'))), json('null'))]", + "serviceEndpoints": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'serviceEndpoints'), if(empty(parameters('subnets')[copyIndex('subnets')].serviceEndpoints), json('null'), parameters('subnets')[copyIndex('subnets')].serviceEndpoints), json('null'))]", + "delegations": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'delegations'), if(empty(parameters('subnets')[copyIndex('subnets')].delegations), json('null'), parameters('subnets')[copyIndex('subnets')].delegations), json('null'))]", + "natGateway": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'natGatewayName'), if(empty(parameters('subnets')[copyIndex('subnets')].natGatewayName), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/natGateways', parameters('subnets')[copyIndex('subnets')].natGatewayName), '\"}'))), json('null'))]", + "privateEndpointNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'privateEndpointNetworkPolicies'), if(empty(parameters('subnets')[copyIndex('subnets')].privateEndpointNetworkPolicies), json('null'), parameters('subnets')[copyIndex('subnets')].privateEndpointNetworkPolicies), json('null'))]", + "privateLinkServiceNetworkPolicies": "[if(contains(parameters('subnets')[copyIndex('subnets')], 'privateLinkServiceNetworkPolicies'), if(empty(parameters('subnets')[copyIndex('subnets')].privateLinkServiceNetworkPolicies), json('null'), parameters('subnets')[copyIndex('subnets')].privateLinkServiceNetworkPolicies), json('null'))]" + } + } + } + ] + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": 
"Microsoft.Authorization/virtualNetworkDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + ], + "comments": "Resource lock on virtual network", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('vNetName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + 
"dependsOn": [ + "[parameters('vNetName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "vNetName": { + "value": "[parameters('vNetName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "vNetName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('vNetName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('vNetName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "virtualNetworkResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Virtual Network was created in." 
+ }
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('vNetName'))]",
+ "metadata": {
+ "description": "The Resource id of the Virtual Network deployed."
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "value": "[parameters('vNetName')]",
+ "metadata": {
+ "description": "The name of the Virtual Network deployed."
+ }
+ },
+ "subnetNames": {
+ "type": "array",
+ "value": "[variables('subnetNamesToOutput').subnetNamesOutput]",
+ "metadata": {
+ "description": "The Names of the Subnets deployed to the Virtual Network."
+ }
+ },
+ "subnetIds": {
+ "type": "array",
+ "value": "[variables('subnetIdsToOutput').subnetIdsOutput]",
+ "metadata": {
+ "description": "The Resource Ids of the Subnets deployed to the Virtual Network."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/virtualNetworks/parameters/parameters.json b/arm/Microsoft.Network/virtualNetworks/parameters/parameters.json
new file mode 100644
index 0000000000..21d5f0c917
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworks/parameters/parameters.json
@@ -0,0 +1,122 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vnetName": {
+ "value": "sxx-az-vnet-weu-x-001"
+ },
+ "vnetAddressPrefixes": {
+ "value": ["10.0.0.0/16"]
+ },
+ "subnets": {
+ "value": [{
+ "name": "GatewaySubnet",
+ "addressPrefix": "10.0.255.0/24"
+ },
+ {
+ "name": "sxx-az-subnet-weu-x-001",
+ "addressPrefix": "10.0.0.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [{
+ "service": "Microsoft.EventHub"
+ },
+ {
+ "service": "Microsoft.Sql"
+ },
+ {
+ "service": "Microsoft.Storage"
+ },
+ {
+ "service": "Microsoft.KeyVault"
+ }
+ ],
+ "delegations": []
+ },
+ {
+ "name": "sxx-az-subnet-weu-x-002",
+ "addressPrefix": "10.0.1.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [{
+ "service": "Microsoft.EventHub"
+ },
+ {
+ "service": "Microsoft.Sql"
+ },
+ {
+ "service": "Microsoft.Storage"
+ },
+ {
+ "service": "Microsoft.KeyVault"
+ }
+ ],
+ "delegations": []
+ },
+ {
+ "name": "sxx-az-subnet-weu-x-003",
+ "addressPrefix": "10.0.2.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [],
+ "delegations": [{
+ "name": "sqlMiDel",
+ "properties": {
+ "serviceName": "Microsoft.Sql/managedInstances"
+ }
+ }]
+ },
+ {
+ "name": "sxx-az-subnet-weu-x-004",
+ "addressPrefix": "10.0.3.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [],
+ "delegations": [{
+ "name": "netappDel",
+ "properties": {
+ "serviceName": "Microsoft.Netapp/volumes"
+ }
+ }]
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "addressPrefix": "10.0.4.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [],
+ "delegations": []
+ },
+ {
+ "name": "AzureBastionSubnet",
+ "addressPrefix": "10.0.5.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [],
+ "delegations": []
+ },
+ {
+ "name": "sxx-az-subnet-weu-x-005",
+ "addressPrefix": "10.0.6.0/24",
+ "networkSecurityGroupName": "",
+ "routeTableName": "",
+ "serviceEndpoints": [],
+ "delegations": [],
+ "privateEndpointNetworkPolicies": "Disabled", // This property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported). Default Value when not specified is "Enabled".
+ "privateLinkServiceNetworkPolicies": "Enabled"
+ }
+ ]
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md
new file mode 100644
index 0000000000..f441326bf7
--- /dev/null
+++ b/arm/Microsoft.Network/virtualNetworks/readme.md
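Review bot: Every workload subnet in this sample parameters file (`sxx-az-subnet-weu-x-001` through `sxx-az-subnet-weu-x-005`) sets `"networkSecurityGroupName": ""`, and the subnet copy loop in the template's deploy.json maps an empty name to `json('null')`, so a deployment started from this file creates those subnets with no NSG attached. Because sample parameter files tend to be copied as a baseline, I would give the workload subnets a labelled placeholder such as `"networkSecurityGroupName": "<nsg-name-placeholder>"` and keep the empty value only on the platform subnets where that is intentional. The file also carries `//` comments (on `privateEndpointNetworkPolicies` and the commented-out `roleAssignments` block), which makes it invalid for any strict JSON parser in a validation or test pipeline; moving that guidance to the readme would keep the file parseable. The keys `vnetName` and `vnetAddressPrefixes` differ in casing from the template's `vNetName` and `vNetAddressPrefixes`; matching the template's spelling would avoid confusion.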
@@ -0,0 +1,165 @@ +# Virtual Network + +This template deploys a Virtual Network (vNet) with 2 optional Subnets. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Network/virtualNetworks`|2020-08-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Network/virtualNetworks/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.Network/virtualNetworks/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `ddosProtectionPlanId` | string | Optional. Resource Id of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `dnsServers` | array | Optional. DNS Servers associated to the Virtual Network. | System.Object[] | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. 
Switch to lock Virtual Network from deletion. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `subnets` | array | Required. An Array of subnets to deploy to the Virual Network. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `vNetAddressPrefixes` | array | Required. An Array of 1 or more IP Address Prefixes for the Virtual Network. | | | +| `vNetName` | string | Required. The Virtual Network (vNet) Name. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | + +### Parameter Usage: `vNetAddressPrefixes` + +The `vNetAddressPrefixes` parameter accepts a JSON Array of string values containing the IP Address Prefixes for the Virtual Network (vNet). + +Here's an example of specifying a single Address Prefix: + +```json +"vNetAddressPrefixes": { + "value": [ + "10.1.0.0/16" + ] +} +``` + +### Parameter Usage: `subnets` + +The `subnets` parameter accepts a JSON Array of `subnet` objects to deploy to the Virtual Network. + +Here's an example of specifying a couple Subnets to deploy: + +```json +"subnets": { + "value": [ + { + "name": "GatewaySubnet", + "addressPrefix": "10.0.255.0/24", + "networkSecurityGroupName": "nsgName1", + "routeTableName": "UdrName1", + "delegations": [], + "natGateway": "", // Name of the NAT Gateway to use for the subnet. 
+ "serviceEndpoints": [ + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.KeyVault" + } + ] + }, + { + "name": "examplePrivateEndpointSubnet", + "addressPrefix": "10.0.200.0/24", + "networkSecurityGroupName": "nsgName2", + "routeTableName": "UdrName2", + "delegations": [], + "natGateway": "", // Name of the NAT Gateway to use for the subnet. + "serviceEndpoints": [], + "privateEndpointNetworkPolicies": "Disabled" // This property must be set to disabled for subnets that contain private endpoints. Default Value when not specified is "Enabled". + }, + { + "name": "data", + "addressPrefix": "10.1.1.0/24" + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `subnetIds` | array | The Resource Ids of the Subnets deployed to the Virtual Network. 
| +| `subnetNames` | array | The Names of the Subnets deployed to the Virtual Network. | +| `virtualNetworkName` | string | The name of the Virtual Network deployed. | +| `virtualNetworkResourceGroup` | string | The name of the Resource Group the Virtual Network was created in. | +| `virtualNetworkResourceId` | string | The Resource id of the Virtual Network deployed. | + +## Considerations + +When defining the Subnets to deploy using the `subnets` parameter, the JSON format to pass it must match the Subnet object that is normally passed in to the `subnets` property of a `virtualNetwork` within an ARM Template. + +The network security group and route table resources must reside in the same resource group as the virtual network. + +## Additional resources + +- [Microsoft.Network virtualNetworks template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-04-01/virtualnetworks) +- [What is Azure Virtual Network?](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) diff --git a/arm/Microsoft.Network/virtualWans/deploy.json b/arm/Microsoft.Network/virtualWans/deploy.json new file mode 100644 index 0000000000..6f8a714864 --- /dev/null +++ b/arm/Microsoft.Network/virtualWans/deploy.json 
@@ -0,0 +1,487 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location where all resources will be created."
+ }
+ },
+ "wanName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Virtual Wan."
+ }
+ },
+ "wanSku": {
+ "type": "string",
+ "defaultValue": "Standard",
+ "metadata": {
+ "description": "Optional. Sku of the Virtual Wan."
+ },
+ "allowedValues": [
+ "Standard",
+ "Basic"
+ ]
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "SampleVirtualHub",
+ "metadata": {
+ "description": "Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan."
+ }
+ },
+ "vpnGatewayName": {
+ "type": "string",
+ "defaultValue": "SampleVpnGateway",
+ "metadata": {
+ "description": "Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub."
+ }
+ },
+ "vpnSiteName": {
+ "type": "string",
+ "defaultValue": "SampleVpnSite",
+ "metadata": {
+ "description": "Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation."
+ }
+ },
+ "connectionName": {
+ "type": "string",
+ "defaultValue": "SampleVpnsiteVpnGwConnection",
+ "metadata": {
+ "description": "Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway."
+ }
+ },
+ "vpnsiteAddressspaceList": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway."
+ }
+ },
+ "vpnsitePublicIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. he public IP address of a vpn site."
+ } + }, + "vpnsiteBgpAsn": { + "type": "int", + "metadata": { + "description": "Required. The bgp asn number of a vpnsite." + } + }, + "vpnsiteBgpPeeringAddress": { + "type": "string", + "metadata": { + "description": "Required. The bgp peer IP address of a vpnsite." + } + }, + "addressPrefix": { + "type": "string", + "defaultValue": "192.168.0.0/24", + "metadata": { + "description": "Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet" + } + }, + "enableBgp": { + "type": "string", + "defaultValue": "false", + "metadata": { + "description": "Optional. his needs to be set to true if BGP needs to enabled on the vpn connection." + }, + "allowedValues": [ + "true", + "false" + ] + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Network/virtualWans", + "apiVersion": "2020-08-01", + "name": "[parameters('wanname')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "type": "[parameters('wansku')]" + } + }, + { + "type": "Microsoft.Network/virtualHubs", + "apiVersion": "2020-08-01", + "name": "[parameters('hubname')]", + "location": "[parameters('location')]", + "dependsOn": [ 
+ "[concat('Microsoft.Network/virtualWans/', parameters('wanname'))]" + ], + "properties": { + "addressPrefix": "[parameters('addressPrefix')]", + "virtualWan": { + "id": "[resourceId('Microsoft.Network/virtualWans',parameters('wanname'))]" + } + } + }, + { + "type": "Microsoft.Network/vpnSites", + "apiVersion": "2020-08-01", + "name": "[parameters('vpnsitename')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualWans/', parameters('wanname'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('vpnsiteAddressspaceList')]" + }, + "bgpProperties": { + "asn": "[parameters('vpnsiteBgpAsn')]", + "bgpPeeringAddress": "[parameters('vpnsiteBgpPeeringAddress')]", + "peerWeight": 0 + }, + "deviceProperties": { + "linkSpeedInMbps": 0 + }, + "ipAddress": "[parameters('vpnsitePublicIPAddress')]", + "virtualWan": { + "id": "[resourceId('Microsoft.Network/virtualWans',parameters('wanname'))]" + } + } + }, + { + "type": "Microsoft.Network/vpnGateways", + "apiVersion": "2020-08-01", + "name": "[parameters('vpngatewayname')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualHubs/', parameters('hubname'))]", + "[concat('Microsoft.Network/vpnSites/', parameters('vpnsitename'))]" + ], + "properties": { + "connections": [ + { + "name": "[parameters('connectionName')]", + "properties": { + "connectionBandwidth": 10, + "enableBgp": "[parameters('enableBgp')]", + "remoteVpnSite": { + "id": "[resourceId('Microsoft.Network/vpnSites', parameters('vpnsitename'))]" + } + } + } + ], + "virtualHub": { + "id": "[resourceId('Microsoft.Network/virtualHubs',parameters('hubname'))]" + }, + "bgpSettings": { + "asn": 65515 + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('wanName')]" + 
], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "wanName": { + "value": "[parameters('wanName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "wanName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/virtualWans/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('wanName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('wanName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "wanName": { + "type": "string", + "value": "[parameters('wanName')]", + "metadata": { + "description": "The name of the WAN." 
+ }
+ },
+ "wanNameResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Network/virtualWans', parameters('wanName'))]",
+ "metadata": {
+ "description": "The Reeosurce ID of the WAN."
+ }
+ },
+ "wanNameResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group in which the resource is created."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/virtualWans/parameters/parameters.json b/arm/Microsoft.Network/virtualWans/parameters/parameters.json
new file mode 100644
index 0000000000..c196568dcc
--- /dev/null
+++ b/arm/Microsoft.Network/virtualWans/parameters/parameters.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "wanName": {
+ "value": "sxx-az-vw-weu-x-001"
+ },
+ "vpnsiteAddressspaceList": {
+ "value": []
+ },
+ "vpnsitePublicIPAddress": {
+ "value": "1.2.3.4"
+ },
+ "vpnsiteBgpAsn": {
+ "value": 65010
+ },
+ "vpnsiteBgpPeeringAddress": {
+ "value": "1.1.1.1"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Network/virtualWans/readme.md b/arm/Microsoft.Network/virtualWans/readme.md
new file mode 100644
index 0000000000..c9600f7807
--- /dev/null
+++ b/arm/Microsoft.Network/virtualWans/readme.md
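Review bot: The sample values for `vpnsitePublicIPAddress` (`1.2.3.4`) and `vpnsiteBgpPeeringAddress` (`1.1.1.1`) in parameters.json are publicly routable addresses that belong to third parties, so any pipeline that deploys this file as-is would define a VPN site whose peer is someone else's host. Placeholders from the RFC 5737 documentation ranges avoid that, for example `"value": "203.0.113.10"` for the site address and `"value": "192.0.2.1"` for the BGP peer. The commented-out `roleAssignments` block names `Desktop Virtualization User`, which looks copied from another module; if it is uncommented it would either assign an unrelated role on the WAN or fail, depending on whether the template's `builtInRoleNames` map (which starts outside this view) contains it, so a role that fits this resource would be the safer sample. The `//` comments also make the file unreadable for strict JSON parsers, which is worth confirming against whatever tooling consumes it.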
@@ -0,0 +1,99 @@
+# Virtual Wan
+
+This template deploys Virtual Wan
+
+
+## Resource types
+
+|ResourceType|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Network/virtualWans`|2020-08-01|
+|`Microsoft.Network/virtualHubs`|2020-08-01|
+|`Microsoft.Network/vpnSites`|2020-08-01|
+|`Microsoft.Network/vpnGateways`|2020-08-01|
+|`Microsoft.Network/virtualWans/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible values | Description |
+| :- | :- | :- | :- | :- |
+| `wanName` | string | | | Required. Name given for the Route Table.
+| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources.
+| `wanSku` | string | Standard | | Optional. Sku of the Virtual Wan.
+| `hubName` | string | SampleVirtualHub | | Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan.
+| `vpnGatewayName` | string | SampleVpnGateway | | Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub.
+| `vpnSiteName` | string | SampleVpnSite | | Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation.
+| `connectionName` | string | SampleVpnsiteVpnGwConnection | | Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway.
+| `vpnsiteAddressspaceList` | array | [] | | Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway.
+| `vpnsitePublicIPAddress` | string | | | Required. he public IP address of a vpn site.
+| `vpnsiteBgpAsn` | int | | | Required. The bgp asn number of a vpnsite.
+| `vpnsiteBgpPeeringAddress` | string | | | Required. The bgp peer IP address of a vpnsite.
+| `addressPrefix` | string | 192.168.0.0/24 | | Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet
+| `enableBgp` | string | false | | Optional. his needs to be set to true if BGP needs to enabled on the vpn connection.
+| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Virtual Wan resource.
+| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered.
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `wanName` | string | The name of the WAN. |
+| `wanNameResourceGroup` | string | The Resource Group in which the resource is created. |
+| `wanNameResourceId` | string | The Reeosurce ID of the WAN. |
+
+## Considerations
+
+- Please note that this module is using a customized removal step. Instead of using a global removal step (Modules\ARM\.global\PipelineTemplates\pipeline.jobs.remove.yml), the module has its own, customized removal, located in the module's 'Pipeline' folder: (Modules\ARM\VirtualWan\Pipeline\pipeline.jobs.remove.VirtualWAN.yml)
+
+## Additional resources
+
+- [Microsoft.Network virtualWans template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/virtualwans)
+- [About Azure Virtual Wan](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about)
\ No newline at end of file
diff --git a/arm/Microsoft.OperationalInsights/workspaces/deploy.json b/arm/Microsoft.OperationalInsights/workspaces/deploy.json
new file mode 100644
index 0000000000..bcb6fb5f88
--- /dev/null
+++ b/arm/Microsoft.OperationalInsights/workspaces/deploy.json
@@ -0,0 +1,1268 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logAnalyticsWorkspaceName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Log Analytics workspace" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "serviceTier": { + "type": "string", + "defaultValue": "PerGB2018", + "allowedValues": [ + "Free", + "Standalone", + "PerNode", + "PerGB2018" + ], + "metadata": { + "description": "Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode" + } + }, + "solutions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. LAW solutions from the gallery." + } + }, + "dataRetention": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 730, + "metadata": { + "description": "Required. Number of days data will be retained for" + } + }, + "dailyQuotaGb": { + "type": "int", + "defaultValue": -1, + "minValue": -1, + "metadata": { + "description": "Optional. The workspace daily quota for ingestion." + } + }, + "publicNetworkAccessForIngestion": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Log Analytics ingestion." + } + }, + "publicNetworkAccessForQuery": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. The network access type for accessing Log Analytics query." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Log Analytics workspace resource identifier" + } + }, + "activityLogAdditionalSubscriptionIDs": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from." + } + }, + "automationAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account." + } + }, + "useResourcePermissions": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock storage from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticStorageAccountName": "[if(not(empty(parameters('diagnosticStorageAccountId'))), split(parameters('diagnosticStorageAccountId'), '/')[8], 'placeholder')]", + "logAnalyticsSearchVersion": 1, + "builtInRoleNames": { + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": 
"/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "name": "[parameters('logAnalyticsWorkspaceName')]", + "tags": "[parameters('tags')]", + "properties": { + "features": { + "searchVersion": "[variables('logAnalyticsSearchVersion')]", + "enableLogAccessUsingOnlyResourcePermissions": "[parameters('useResourcePermissions')]" + }, + "sku": { + "name": "[parameters('serviceTier')]" + }, + "retentionInDays": "[parameters('dataRetention')]", + "workspaceCapping": { + 
"dailyQuotaGb": "[parameters('dailyQuotaGb')]" + }, + "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", + "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]" + }, + "resources": [ + { + "apiVersion": "2020-03-01-preview", + "name": "VMSSQueries", + "type": "savedSearches", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "etag": "*", + "DisplayName": "VMSS Instance Count", + "Category": "VDC Saved Searches", + "Query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer" + } + }, + { + "apiVersion": "2020-03-01-preview", + "name": "AzureFirewallThreatDeny", + "type": "savedSearches", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "etag": "*", + "DisplayName": "Azure Threat Deny", + "Category": "VDC Saved Searches", + "Query": "AzureDiagnostics | where ResourceType == 'AZUREFIREWALLS' and msg_s contains 'Deny'" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "kind": "AzureActivityLog", + "name": "[subscription().subscriptionId]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "applicationEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsEvent", + "properties": { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } 
+ }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "systemEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsEvent", + "properties": { + "eventLogName": "System", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Processor Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter2", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Privileged Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter3", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% User Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter4", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": 
"Processor Frequency" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter5", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Thread Count" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter6", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Handle Count" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter7", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "System Up Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter8", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Context Switches/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter9", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor 
Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter10", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter11", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Committed Bytes In Use" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter12", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available MBytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter13", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter14", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Committed 
Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter15", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Cache Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter16", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Paged Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter17", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Nonpaged Bytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter18", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pages/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter19", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Page Faults/sec" + } + }, + { 
+ "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter20", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter21", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set - Private" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter22", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter23", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Read Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter24", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Write Time" + } + }, 
+ { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter25", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Idle Time" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter26", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter27", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Read Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter28", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Write Bytes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter29", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk 
Transfers/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter30", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Reads/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter31", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Writes/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter32", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Transfer" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter33", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk sec/Read" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter34", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Write" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter35", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter36", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk Write Queue Length" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter37", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Free Space" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter38", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Free Megabytes" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter39", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Bytes Total/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter40", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Bytes Sent/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter41", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + 
"intervalSeconds": 60, + "counterName": "Bytes Received/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter42", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter43", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Sent/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter44", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Received/sec" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter45", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + "objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Outbound Errors" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "windowsPerfCounter46", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "WindowsPerformanceCounter", + "properties": { + 
"objectName": "Network Interface", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Packets Received Errors" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleIISLog1", + "condition": false, + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "IISLogs", + "properties": { + "state": "OnPremiseEnabled" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleSyslog1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxSyslog", + "properties": { + "syslogName": "kern", + "syslogSeverities": [ + { + "severity": "emerg" + }, + { + "severity": "alert" + }, + { + "severity": "crit" + }, + { + "severity": "err" + }, + { + "severity": "warning" + } + ] + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleSyslogCollection1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxSyslogCollection", + "properties": { + "state": "Enabled" + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleLinuxPerf1", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxPerformanceObject", + "properties": { + "performanceCounters": [ + { + "counterName": "% Used Inodes" + }, + { + "counterName": "Free Megabytes" + }, + { + "counterName": "% Used Space" + }, + { + "counterName": "Disk Transfers/sec" + }, + { + "counterName": "Disk Reads/sec" + }, + { + "counterName": "Disk Writes/sec" + } + ], + "objectName": "Logical Disk", + "instanceName": "*", + "intervalSeconds": 10 + } + }, + { + "apiVersion": "2020-03-01-preview", + "type": "datasources", + "name": "sampleLinuxPerfCollection1", + 
"dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "kind": "LinuxPerformanceCollection", + "properties": { + "state": "Enabled" + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/datasources", + "apiVersion": "2020-03-01-preview", + "location": "[parameters('location')]", + "kind": "AzureActivityLog", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', if(empty(parameters('activityLogAdditionalSubscriptionIDs')),'placeholder',parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()]))]", + "copy": { + "name": "subscriptionCopy", + "count": "[length(parameters('activityLogAdditionalSubscriptionIDs'))]" + }, + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "linkedResourceId": "[concat('/subscriptions/', parameters('activityLogAdditionalSubscriptionIDs')[copyIndex()], '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', variables('diagnosticStorageAccountName'))]", + "condition": "[not(empty(parameters('diagnosticStorageAccountId')))]", + "type": "Microsoft.OperationalInsights/workspaces/storageinsightconfigs", + "apiVersion": "2020-03-01-preview", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "properties": { + "containers": [ + ], + "tables": [ + "WADWindowsEventLogsTable", + "WADETWEventTable", + "WADServiceFabric*EventTable", + "LinuxsyslogVer2v0" + ], + "storageAccount": { + "id": "[parameters('diagnosticStorageAccountId')]", + "key": "[if(empty(parameters('diagnosticStorageAccountId')), '', listKeys(parameters('diagnosticStorageAccountId'), '2016-12-01').keys[0].value)]" + } + } + }, + { + "condition": "[not(empty(parameters('solutions')))]", + "type": "Microsoft.OperationsManagement/solutions", + 
"apiVersion": "2015-11-01-preview", + "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]" + ], + "copy": { + "name": "solutionCopy", + "count": "[if(greater(length(parameters('solutions')),0),length(parameters('solutions')), 1)]", + "mode": "Serial" + }, + "properties": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]" + }, + "plan": { + "name": "[if(empty(parameters('solutions')),'dummy',concat(parameters('solutions')[copyIndex()], '(', parameters('logAnalyticsWorkspaceName'), ')'))]", + "product": "[if(empty(parameters('solutions')),'dummy',concat('OMSGallery/', parameters('solutions')[copyIndex()]))]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/linkedServices", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/' , 'Automation')]", + "apiVersion": "2020-03-01-preview", + "condition": "[not(empty(parameters('automationAccountId')))]", + "location": "[parameters('location')]", + "properties": { + "resourceId": "[parameters('automationAccountId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]", + "dependsOn": [ + "[parameters('logAnalyticsWorkspaceName')]" + ], + "comments": "Resource lock on Log Analytics", + "properties": { + "level": "CannotDelete" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": 
"[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('logAnalyticsWorkspaceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "logAnalyticsWorkspaceName": { + "value": "[parameters('logAnalyticsWorkspaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "logAnalyticsWorkspaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/roleAssignments", + "apiVersion": "2020-03-01-preview", + "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('logAnalyticsWorkspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "logAnalyticsResourceId": { + "type": "string", + "value": 
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", + "metadata": { + "description": "The Resource Id of the Log Analytics workspace deployed." + } + }, + "logAnalyticsResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group log analytics was deployed to." + } + }, + "logAnalyticsName": { + "type": "string", + "value": "[parameters('logAnalyticsWorkspaceName')]", + "metadata": { + "description": "The Name of the Log Analytics workspace deployed." + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').customerId]", + "metadata": { + "description": "The Workspace Id for Log Analytics." + } + }, + "logAnalyticsPrimarySharedKey": { + "type": "securestring", + "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName')), '2015-03-20').primarySharedKey]", + "metadata": { + "description": "The Primary Shared Key for Log Analytics." + } + } + } +} diff --git a/arm/Microsoft.OperationalInsights/workspaces/parameters/parameters.json b/arm/Microsoft.OperationalInsights/workspaces/parameters/parameters.json new file mode 100644 index 0000000000..98d193129e --- /dev/null +++ b/arm/Microsoft.OperationalInsights/workspaces/parameters/parameters.json 
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logAnalyticsWorkspaceName": {
+ "value": "test-az-la-weu-x-001"
+ },
+ "publicNetworkAccessForIngestion": {
+ "value": "Disabled"
+ },
+ "publicNetworkAccessForQuery": {
+ "value": "Disabled"
+ },
+ "dailyQuotaGb": {
+ "value": 10
+ },
+ // "solutions": {
+ // "value": [
+ // "Updates",
+ // "AzureAutomation",
+ // "AntiMalware",
+ // "SQLAssessment",
+ // "Security",
+ // "SecurityCenterFree",
+ // "ChangeTracking",
+ // "KeyVaultAnalytics",
+ // "AzureSQLAnalytics",
+ // "ServiceMap",
+ // "AgentHealthAssessment",
+ // "AlertManagement",
+ // "AzureActivity",
+ // "AzureAppGatewayAnalytics",
+ // "AzureCdnCoreAnalytics",
+ // "AzureDataFactoryAnalytics",
+ // "AzureNSGAnalytics",
+ // "Containers",
+ // "InfrastructureInsights",
+ // "LogicAppsManagement",
+ // "NetworkMonitoring",
+ // "ServiceFabric",
+ // "VMInsights",
+ // "WaaSUpdateInsights",
+ // "WireData2"
+ // ]
+ // },
+ "useResourcePermissions": {
+ "value": true
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.OperationalInsights/workspaces/readme.md b/arm/Microsoft.OperationalInsights/workspaces/readme.md
new file mode 100644
index 0000000000..85db3b3a67
--- /dev/null
+++ b/arm/Microsoft.OperationalInsights/workspaces/readme.md
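Review bot: The `//` comment blocks in workspaces/parameters/parameters.json (the disabled `solutions` and `roleAssignments` entries and the trailing `// object 1` markers) make the file invalid as strict JSON, so any validation or pipeline step that reads it with a standard JSON parser will fail even where the ARM deployment tooling tolerates comments. The readme added in this same commit already carries both usage examples, so the commented blocks can be dropped here, leaving `"useResourcePermissions": { "value": true }` as the last parameter. If the role assignment sample is kept for testing, `"roleDefinitionIdOrName": "Desktop Virtualization User"` looks carried over from another module; a role that applies to a workspace, e.g. `"roleDefinitionIdOrName": "Reader"`, would avoid granting an unrelated role when someone uncomments the block.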
@@ -0,0 +1,140 @@ +# LogAnalytics + +This template deploys Log Analytics. + +## Resource types + +|ResourceType|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.OperationalInsights/workspaces`|2017-03-15-preview| +|`Microsoft.OperationalInsights/workspaces/datasources`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/storageinsightconfigs`|2015-03-20| +|`Microsoft.OperationsManagement/solutions`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/linkedServices`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/providers/locks`|2016-09-01| +|`savedSearches`|2017-03-15-preview| +|`datasources`|2015-11-01-preview| +|`Microsoft.OperationalInsights/workspaces/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `activityLogAdditionalSubscriptionIDs` | array | Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from. | System.Object[] | | +| `automationAccountId` | string | Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `dataRetention` | int | Required. Number of days data will be retained for | 365 | | +| `dailyQuotaGb` | int | Optional. The workspace daily quota for ingestion. | -1 (i.e. no quota) | | +| `publicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Log Analytics ingestion. | Enabled | Enabled, Disabled | +| `publicNetworkAccessForQuery` | string | Optional. 
The network access type for accessing Log Analytics query. | Enabled | Enabled, Disabled | +| `diagnosticStorageAccountId` | string | Optional. Log Analytics workspace resource identifier | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | | +| `logAnalyticsWorkspaceName` | string | Required. Name of the Log Analytics workspace | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `serviceTier` | string | Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode | PerGB2018 | System.Object[] | +| `solutions` | array | Optional. LAW solutions from the gallery. | [] | "Updates", "AzureAutomation", ... (see below) | +| `tags` | object | Optional. Tags of the resource. | | | +| `useResourcePermissions` | bool | Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. 
| False | true, false | + +### Parameter Usage: `solutions` + +```json +"solutions": { + "value": [ + "AgentHealthAssessment", + "AlertManagement", + "AntiMalware", + "AzureActivity", + //"AzureAppGatewayAnalytics", + "AzureAutomation", + "AzureCdnCoreAnalytics", + "AzureDataFactoryAnalytics", + "AzureNSGAnalytics", + "AzureSQLAnalytics", + "ChangeTracking", + "Containers", + "InfrastructureInsights", + "KeyVaultAnalytics", + "LogicAppsManagement", + "NetworkMonitoring", + "Security", + "SecurityCenterFree", + "ServiceFabric", + "ServiceMap", + "SQLAssessment", + "Updates", + "VMInsights", + "WireData2", + "WaaSUpdateInsights" + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `logAnalyticsPrimarySharedKey` | securestring | The Primary Shared Key for Log Analytics. | +| `logAnalyticsWorkspaceId` | string | The Workspace Id for Log Analytics. 
| +| `logAnalyticsName` | string | The Name of the Log Analytics workspace deployed. | +| `logAnalyticsResourceGroup` | string | The Resource Group log analytics was deployed to. | +| `logAnalyticsResourceId` | string | The Resource Id of the Log Analytics workspace deployed. | + +## Considerations + +*N/A* + +## Additional resources + +- [Microsoft.OperationalInsights workspaces template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2015-11-01-preview/workspaces) +- [Microsoft.OperationalManagement solutions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/2015-11-01-preview/solutions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Manage access to log data and workspaces in Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-access) diff --git a/arm/Microsoft.RecoveryServices/vaults/deploy.json b/arm/Microsoft.RecoveryServices/vaults/deploy.json new file mode 100644 index 0000000000..563eb9509f --- /dev/null +++ b/arm/Microsoft.RecoveryServices/vaults/deploy.json 
@@ -0,0 +1,645 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "recoveryVaultName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the Azure Recovery Service Vault"
+ }
+ },
+ "enableCRR": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable CRR (Works if vault has not registered any backup instance)"
+ }
+ },
+ "vaultStorageType": {
+ "type": "string",
+ "defaultValue": "GeoRedundant",
+ "allowedValues": [
+ "LocallyRedundant",
+ "GeoRedundant"
+ ],
+ "metadata": {
+ "description": "Optional. Change Vault Storage Type (Works if vault has not registered any backup instance)"
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "backupPolicies": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of all backup policies."
+ }
+ },
+ "protectionContainers": {
+ "type": "array",
+ "minLength": 0,
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. List of all protection containers."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Recovery Service Vault from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the Recovery Service Vault resource."
+ }
+ }
+ },
+ "variables": {
+ "dummyProtectionContainers": {
+ "name": "dummyValue"
+ },
+ "dummyPolicy": {
+ "name": "dummyValue"
+ },
+ "protectionContainers": "[if(greater(length(parameters('protectionContainers')),0),parameters('protectionContainers'), array(variables('dummyProtectionContainers')))]",
+ "protectionPolicy": "[if(greater(length(parameters('backupPolicies')),0),parameters('backupPolicies'), array(variables('dummyPolicy')))]",
+ "diagnosticsLogs": [
+ {
+ "category": "AzureBackupReport",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "CoreAzureBackup",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AddonAzureBackupJobs",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AddonAzureBackupAlerts",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AddonAzureBackupPolicy",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AddonAzureBackupStorage",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AddonAzureBackupProtectedInstance",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryJobs",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryEvents",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryReplicatedItems",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryReplicationStats",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryRecoveryPoints",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryReplicationDataUploadRate",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ },
+ {
+ "category": "AzureSiteRecoveryProtectedDiskDataChurn",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support 
Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('recoveryVaultName')]", + "type": "Microsoft.RecoveryServices/vaults", + "apiVersion": "2020-10-01", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "RS0", + "tier": "Standard" + }, + "properties": { + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/recoveryServiceVaultDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.RecoveryServices/vaults/', parameters('recoveryVaultName'))]" + ], + "comments": "Resource lock on Azure Recovery Service Vault", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('recoveryVaultName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.RecoveryServices/vaults/', parameters('recoveryVaultName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + 
"eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.RecoveryServices/vaults/backupstorageconfig", + "apiVersion": "2020-02-02", + "name": "[concat(parameters('recoveryVaultName'), '/vaultstorageconfig')]", + "dependsOn": [ + "[resourceId('Microsoft.RecoveryServices/vaults/', parameters('recoveryVaultName'))]" + ], + "properties": { + "StorageModelType": "[parameters('vaultStorageType')]", + "CrossRegionRestoreFlag": "[parameters('enableCRR')]" + } + }, + { + "condition": "[not(empty(array(parameters('backupPolicies'))))]", + "type": "Microsoft.Resources/deployments", + "name": "[concat('backupPolicies-', if(empty(parameters('backupPolicies')), 'dummy', copyIndex('policyCopy')))]", + "apiVersion": "2020-06-01", + "copy": { + "name": "policyCopy", + "count": "[if(not(empty(variables('protectionPolicy'))), length(variables('protectionPolicy')), 1)]" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.RecoveryServices/vaults/backupPolicies", + "name": "[concat(parameters('recoveryVaultName'), '/', variables('protectionPolicy')[copyIndex()].name)]", + "apiVersion": "2019-06-15", + "location": "[resourceGroup().location]", + "properties": "[variables('protectionPolicy')[copyIndex('policyCopy')].properties]" + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.RecoveryServices/vaults', parameters('recoveryVaultName'))]" + ] 
+ }, + { + "condition": "[not(empty(array(parameters('protectionContainers'))))]", + "type": "Microsoft.Resources/deployments", + "name": "[concat('protectionContainers-', if(empty(parameters('protectionContainers')), 'dummy', copyIndex('protectionContainers')))]", + "apiVersion": "2020-06-01", + "copy": { + "name": "protectionContainersCopy", + "count": "[if(not(empty(variables('protectionContainers'))), length(variables('protectionContainers')), 1)]" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", + "name": "[concat(parameters('recoveryVaultName'), '/protectionContainers/', variables('protectionContainers')[copyIndex()].name)]", + "apiVersion": "2016-12-01", + "location": "[resourceGroup().location]", + "properties": { + "sourceResourceId": "[if(empty(variables('protectionContainers')[copyIndex()].sourceResourceId), json('null'), variables('protectionContainers')[copyIndex()].sourceResourceId)]", + "friendlyName": "[if(empty(variables('protectionContainers')[copyIndex()].friendlyName), json('null'), variables('protectionContainers')[copyIndex()].friendlyName)]", + "backupManagementType": "[if(empty(variables('protectionContainers')[copyIndex()].backupManagementType), json('null'), variables('protectionContainers')[copyIndex()].backupManagementType)]", + "containerType": "[if(empty(variables('protectionContainers')[copyIndex()].containerType), json('null'), variables('protectionContainers')[copyIndex()].containerType)]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.RecoveryServices/vaults', parameters('recoveryVaultName'))]" + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": 
"[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('recoveryVaultName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "recoveryVaultName": { + "value": "[parameters('recoveryVaultName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "recoveryVaultName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.RecoveryServices/vaults/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('recoveryVaultName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('recoveryVaultName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "recoveryServicesVaultResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.RecoveryServices/vaults', 
parameters('recoveryVaultName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Recovery Services Vault."
+ }
+ },
+ "recoveryServicesVaultResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group the Recovery Services Vault was deployed to."
+ }
+ },
+ "recoveryServicesVaultName": {
+ "type": "string",
+ "value": "[parameters('recoveryVaultName')]",
+ "metadata": {
+ "description": "The Name of the Recovery Services Vault."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.RecoveryServices/vaults/parameters/parameters.json b/arm/Microsoft.RecoveryServices/vaults/parameters/parameters.json
new file mode 100644
index 0000000000..19f12ecef7
--- /dev/null
+++ b/arm/Microsoft.RecoveryServices/vaults/parameters/parameters.json
@@ -0,0 +1,250 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "recoveryVaultName": {
+ "value": "ProfilesBackupVault"
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": 365
+ },
+ "lockForDeletion": {
+ "value": false
+ },
+ "backupPolicies": {
+ "value": [
+ {
+ "name": "VMpolicy",
+ "type": "Microsoft.RecoveryServices/vaults/backupPolicies",
+ "properties": {
+ "backupManagementType": "AzureIaasVM",
+ "instantRPDetails": {},
+ "schedulePolicy": {
+ "schedulePolicyType": "SimpleSchedulePolicy",
+ "scheduleRunFrequency": "Daily",
+ "scheduleRunTimes": [
+ "2019-11-07T07:00:00Z"
+ ],
+ "scheduleWeeklyFrequency": 0
+ },
+ "retentionPolicy": {
+ "retentionPolicyType": "LongTermRetentionPolicy",
+ "dailySchedule": {
+ "retentionTimes": [
+ "2019-11-07T07:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 180,
+ "durationType": "Days"
+ }
+ },
+ "weeklySchedule": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "retentionTimes": [
+ "2019-11-07T07:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 12,
+ "durationType": "Weeks"
+ }
+ },
+ "monthlySchedule": {
+ "retentionScheduleFormatType": "Weekly",
+ "retentionScheduleWeekly": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "weeksOfTheMonth": [
+ "First"
+ ]
+ },
+ "retentionTimes": [
+ "2019-11-07T07:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 60,
+ "durationType": "Months"
+ }
+ },
+ "yearlySchedule": {
+ "retentionScheduleFormatType": "Weekly",
+ "monthsOfYear": [
+ "January"
+ ],
+ "retentionScheduleWeekly": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "weeksOfTheMonth": [
+ "First"
+ ]
+ },
+ "retentionTimes": [
+ "2019-11-07T07:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 10,
+ "durationType": "Years"
+ }
+ }
+ },
+ "instantRpRetentionRangeInDays": 2,
+ "timeZone": "UTC",
+ "protectedItemsCount": 0
+ }
+ },
+ {
+ "name": "sqlpolicy",
+ "type": "Microsoft.RecoveryServices/vaults/backupPolicies",
+ "properties": {
+ "backupManagementType": "AzureWorkload",
+ "workLoadType": "SQLDataBase",
+ "settings": {
+ "timeZone": "UTC",
+ "issqlcompression": true,
+ "isCompression": true
+ },
+ "subProtectionPolicy": [
+ {
+ "policyType": "Full",
+ "schedulePolicy": {
+ "schedulePolicyType": "SimpleSchedulePolicy",
+ "scheduleRunFrequency": "Weekly",
+ "scheduleRunDays": [
+ "Sunday"
+ ],
+ "scheduleRunTimes": [
+ "2019-11-07T22:00:00Z"
+ ],
+ "scheduleWeeklyFrequency": 0
+ },
+ "retentionPolicy": {
+ "retentionPolicyType": "LongTermRetentionPolicy",
+ "weeklySchedule": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "retentionTimes": [
+ "2019-11-07T22:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 104,
+ "durationType": "Weeks"
+ }
+ },
+ "monthlySchedule": {
+ "retentionScheduleFormatType": "Weekly",
+ "retentionScheduleWeekly": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "weeksOfTheMonth": [
+ "First"
+ ]
+ },
+ "retentionTimes": [
+ "2019-11-07T22:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 60,
+ "durationType": "Months"
+ }
+ },
+ "yearlySchedule": {
+ "retentionScheduleFormatType": "Weekly",
+ "monthsOfYear": [
+ "January"
+ ],
+ "retentionScheduleWeekly": {
+ "daysOfTheWeek": [
+ "Sunday"
+ ],
+ "weeksOfTheMonth": [
+ "First"
+ ]
+ },
+ "retentionTimes": [
+ "2019-11-07T22:00:00Z"
+ ],
+ "retentionDuration": {
+ "count": 10,
+ "durationType": "Years"
+ }
+ }
+ }
+ },
+ {
+ "policyType": "Differential",
+ "schedulePolicy": {
+ "schedulePolicyType": "SimpleSchedulePolicy",
+ "scheduleRunFrequency": "Weekly",
+ "scheduleRunDays": [
+ "Monday"
+ ],
+ "scheduleRunTimes": [
+ "2017-03-07T02:00:00Z"
+ ],
+ "scheduleWeeklyFrequency": 0
+ },
+ "retentionPolicy": {
+ "retentionPolicyType": "SimpleRetentionPolicy",
+ "retentionDuration": {
+ "count": 30,
+ "durationType": "Days"
+ }
+ }
+ },
+ {
+ "policyType": "Log",
+ "schedulePolicy": {
+ "schedulePolicyType": "LogSchedulePolicy",
+ "scheduleFrequencyInMins": 120
+ },
+ "retentionPolicy": {
+ "retentionPolicyType": "SimpleRetentionPolicy",
+ "retentionDuration": {
+ "count": 15,
+ "durationType": "Days"
+ }
+ }
+ }
+ ],
+ "protectedItemsCount": 0
+ }
+ },
+ {
+ "name": "filesharepolicy",
+ "type": "Microsoft.RecoveryServices/vaults/backupPolicies",
+ "properties": {
+ "backupManagementType": "AzureStorage",
+ "workloadType": "AzureFileShare",
+ "schedulePolicy": {
+ "schedulePolicyType": "SimpleSchedulePolicy",
+ "scheduleRunFrequency": "Daily",
+ "scheduleRunTimes": [
+ "2019-11-07T04:30:00Z"
+ ],
+ "scheduleWeeklyFrequency": 0
+ },
+ "retentionPolicy": {
+ "retentionPolicyType": "LongTermRetentionPolicy",
+ "dailySchedule": {
+ "retentionTimes": [
+ "2019-11-07T04:30:00Z"
+ ],
+ "retentionDuration": {
+ "count": 30,
+ "durationType": "Days"
+ }
+ }
+ },
+ "timeZone": "UTC",
+ "protectedItemsCount": 0
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.RecoveryServices/vaults/readme.md b/arm/Microsoft.RecoveryServices/vaults/readme.md
new file mode 100644
index 0000000000..9f2f483802
--- /dev/null
+++ b/arm/Microsoft.RecoveryServices/vaults/readme.md
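Review bot: No diagnostic destination is supplied next to `diagnosticLogsRetentionInDays` in vaults/parameters/parameters.json, so the 365-day retention value has nothing to apply to. The `diagnosticsettings` resource in the vault template is conditioned on `diagnosticStorageAccountId`, `workspaceId`, `eventHubAuthorizationRuleId` or `eventHubName` being non-empty, and, assuming those default to empty as the readme table suggests, a deployment from this file creates a backup vault with no diagnostic logs at all. The same file sets `lockForDeletion` to `false`, so the `CannotDelete` lock is skipped as well, which leaves the vault holding the backups both unlogged and deletable. I would add `"workspaceId": { "value": "<log-analytics-workspace-resource-id>" }` and switch to `"lockForDeletion": { "value": true }`, or state in the readme that this file is for validation runs only.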
@@ -0,0 +1,341 @@ +# RecoveryServicesVaults + +This module deploys Recovery Service Vault, with resource lock. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.RecoveryServices/vaults`|2020-10-01| +|`Microsoft.RecoveryServices/vaults/backupstorageconfig` | 2020-02-02 | +|`Microsoft.Resources/deployments`|2019-10-01| +|`providers/locks`|2016-09-01| +|`Microsoft.RecoveryServices/vaults/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.RecoveryServices/vaults/backupPolicies`|2019-05-13| +|`Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers`|2016-12-01| +|`Microsoft.RecoveryServices/vaults/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `backupPolicies` | array | Optional. List of all backup policies. | System.Object[] | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Recovery Service Vault from deletion. | False | | +| `protectionContainers` | array | Optional. List of all protection containers. | System.Object[] | | +| `recoveryVaultName` | string | Required. Name of the Azure Recovery Service Vault | | | +| `enableCRR` | bool | Optional. 
Enable CRR (Works if vault has not registered any backup instance) | True | | +| `vaultStorageType` | string | Optional. Change Vault Storage Type (Works if vault has not registered any backup instance) | GeoRedundant | System.Object[] | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `tags` | object | Optional. Tags of the Recovery Service Vault resource. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `backupPolicies` + +Array of backup policies. They need to be properly formatted and can be VM backup policies, SQL on VM backup policies or fileshare policies. The following example shows all three types of backup policies. + +```json +"backupPolicies": { + "value": [ + { + "name": "VMpolicy", + "type": "Microsoft.RecoveryServices/vaults/backupPolicies", + "properties": { + "backupManagementType": "AzureIaasVM", + "instantRPDetails": {}, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T07:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "retentionPolicy": { + "retentionPolicyType": "LongTermRetentionPolicy", + "dailySchedule": { + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ], + "retentionDuration": { + "count": 180, + "durationType": "Days" + } + }, + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ], + "retentionDuration": { + "count": 12, + "durationType": "Weeks" + } + }, + "monthlySchedule": { + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ], + "retentionDuration": { + "count": 60, + "durationType": "Months" + } + }, + "yearlySchedule": { + "retentionScheduleFormatType": "Weekly", + "monthsOfYear": [ + "January" + ], + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + } + } + }, + "instantRpRetentionRangeInDays": 2, 
+ "timeZone": "UTC", + "protectedItemsCount": 0 + } + }, + { + "name": "sqlpolicy", + "type": "Microsoft.RecoveryServices/vaults/backupPolicies", + "properties": { + "backupManagementType": "AzureWorkload", + "workLoadType": "SQLDataBase", + "settings": { + "timeZone": "UTC", + "issqlcompression": true, + "isCompression": true + }, + "subProtectionPolicy": [ + { + "policyType": "Full", + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Weekly", + "scheduleRunDays": [ + "Sunday" + ], + "scheduleRunTimes": [ + "2019-11-07T22:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "retentionPolicy": { + "retentionPolicyType": "LongTermRetentionPolicy", + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ], + "retentionDuration": { + "count": 104, + "durationType": "Weeks" + } + }, + "monthlySchedule": { + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ], + "retentionDuration": { + "count": 60, + "durationType": "Months" + } + }, + "yearlySchedule": { + "retentionScheduleFormatType": "Weekly", + "monthsOfYear": [ + "January" + ], + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + } + } + } + }, + { + "policyType": "Differential", + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Weekly", + "scheduleRunDays": [ + "Monday" + ], + "scheduleRunTimes": [ + "2017-03-07T02:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "retentionPolicy": { + "retentionPolicyType": "SimpleRetentionPolicy", + "retentionDuration": { + "count": 30, + "durationType": "Days" + } + } + }, + { + "policyType": "Log", + 
"schedulePolicy": { + "schedulePolicyType": "LogSchedulePolicy", + "scheduleFrequencyInMins": 120 + }, + "retentionPolicy": { + "retentionPolicyType": "SimpleRetentionPolicy", + "retentionDuration": { + "count": 15, + "durationType": "Days" + } + } + } + ], + "protectedItemsCount": 0 + } + }, + { + "name": "filesharepolicy", + "type": "Microsoft.RecoveryServices/vaults/backupPolicies", + "properties": { + "backupManagementType": "AzureStorage", + "workloadType": "AzureFileShare", + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T04:30:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "retentionPolicy": { + "retentionPolicyType": "LongTermRetentionPolicy", + "dailySchedule": { + "retentionTimes": [ + "2019-11-07T04:30:00Z" + ], + "retentionDuration": { + "count": 30, + "durationType": "Days" + } + } + }, + "timeZone": "UTC", + "protectedItemsCount": 0 + } + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `recoveryServicesVaultName` | string | The Name of the Recovery Services Vault. | +| `recoveryServicesVaultResourceGroup` | string | The Resource Group the Recovery Services Vault was deployed to. | +| `recoveryServicesVaultResourceId` | string | The Resource Id of the Recovery Services Vault. | + +## Considerations + +## Additional resources + +- [Recovery Services vaults overview](https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview) +- [Microsoft.RecoveryServices vaults template reference](https://docs.microsoft.com/en-gb/azure/templates/microsoft.recoveryservices/allversions) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file 
diff --git a/arm/Microsoft.Resources/deploymentScripts/deploy.json b/arm/Microsoft.Resources/deploymentScripts/deploy.json
new file mode 100644
index 0000000000..344a0d4fae
--- /dev/null
+++ b/arm/Microsoft.Resources/deploymentScripts/deploy.json
@@ -0,0 +1,258 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scriptName": { + "type": "string", + "metadata": { + "description": "Required. Display name of the script to be run." + } + }, + "userMsiName": { + "type": "string", + "metadata": { + "description": "Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder." + } + }, + "userMsiResourceGroup": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Resource group of the user assigned identity." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "AzurePowerShell", + "AzureCLI" + ], + "defaultValue": "AzurePowerShell", + "metadata": { + "description": "Optional. Type of the script. AzurePowerShell, AzureCLI." + } + }, + "azPowerShellVersion": { + "type": "string", + "defaultValue": "3.0", + "metadata": { + "description": "Optional. Azure PowerShell module version to be used." + } + }, + "azCliVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Azure CLI module version to be used." + } + }, + "scriptContent": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead." + } + }, + "primaryScriptUri": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead." + } + }, + "environmentVariables": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. 
The environment variables to pass over to the script. Must have a 'name' and a 'value' or a 'secretValue' property." + } + }, + "supportingScriptUris": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent)." + } + }, + "arguments": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Command line arguments to pass to the script. Arguments are separated by spaces." + } + }, + "retentionInterval": { + "type": "string", + "defaultValue": "P1D", + "metadata": { + "description": "Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week)." + } + }, + "runOnce": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. When set to false, script will run every time the template is deployed. When set to true, the script will only run once." + } + }, + "cleanupPreference": { + "type": "string", + "allowedValues": [ + "Always", + "OnSuccess", + "OnExpiration" + ], + "defaultValue": "Always", + "metadata": { + "description": "Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled)." + } + }, + "containerGroupName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. 
Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed." + } + }, + "timeout": { + "defaultValue": "PT1H", + "type": "string", + "metadata": { + "description": "Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year." + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('yyyy-MM-dd-HH-mm-ss')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "containerSettings": { + "containerGroupName": "[parameters('containerGroupName')]" + } + }, + "resources": [ + // CUA on Subscription scope + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + // DeploymentScript + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2019-10-01-preview", + "name": "[parameters('scriptName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + ], + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId(parameters('userMsiResourceGroup'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))]": { + } + } + }, + "kind": "[parameters('kind')]", + "properties": { + "azPowerShellVersion": "[if(equals(parameters('kind'), 'AzurePowerShell'), parameters('azPowerShellVersion'), json('null'))]", + "azCliVersion": "[if(equals(parameters('kind'), 'AzureCLI'), parameters('azCliVersion'), json('null'))]", + "containerSettings": "[if(empty(parameters('containerGroupName')), json('null'), variables('containerSettings'))]", + "arguments": "[parameters('arguments')]", // can pass an argument string, double quotes must be escaped + "environmentVariables": "[if(empty(parameters('environmentVariables')), json('null'), parameters('environmentVariables'))]", + "scriptContent": "[if(empty(parameters('scriptContent')), json('null'), parameters('scriptContent'))]", + "primaryScriptUri": "[if(empty(parameters('primaryScriptUri')), json('null'), parameters('primaryScriptUri'))]", + "supportingScriptUris": 
"[if(empty(parameters('supportingScriptUris')), json('null'), parameters('supportingScriptUris'))]", + "cleanupPreference": "[parameters('cleanupPreference')]", + "forceUpdateTag": "[if(parameters('runOnce'), resourceGroup().name, parameters('baseTime'))]", + "retentionInterval": "[parameters('retentionInterval')]", + "timeout": "[parameters('timeout')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/deploymentScriptDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Resources/deploymentScripts/', parameters('scriptName'))]" + ], + "comments": "Resource lock on the Deployment Script", + "properties": { + "level": "CannotDelete" + } + } + ] + } + ], + "functions": [ + ], + "outputs": { + "deploymentScriptResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Resources/deploymentScripts', parameters('scriptName'))]", + "metadata": { + "description": "The Resource Id of the Deployment Script." + } + }, + "deploymentScriptResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Deployment Script was deployed to." + } + }, + "deploymentScriptName": { + "type": "string", + "value": "[parameters('scriptName')]", + "metadata": { + "description": "The Name of the Deployment Script." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Resources/deploymentScripts/parameters/parameters.json b/arm/Microsoft.Resources/deploymentScripts/parameters/parameters.json new file mode 100644 index 0000000000..41deb9f2a4 --- /dev/null +++ b/arm/Microsoft.Resources/deploymentScripts/parameters/parameters.json 
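Review bot: The `environmentVariables` description tells callers to use a `secretValue` property, but the deploymentScripts resource names it `secureValue`, and the parameter is a plain `array`, so any secret passed this way is stored with the deployment's inputs and readable in the deployment history. I would change the description to `Must have a 'name' and either a 'value' or a 'secureValue' property.` and accept the list through a `"type": "secureObject"` parameter, since ARM has no secure array type. Separately, `primaryScriptUri` and `supportingScriptUris` are downloaded and run under the user-assigned identity with nothing in the template constraining where they point. Their descriptions should state that they must reference content the deployer controls.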
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "scriptName": {
+ "value": "sxx-az-ds-weu-x-001"
+ },
+ "userMsiName": {
+ "value": "sxx-az-msi-weu-x-002"
+ },
+ "userMsiResourceGroup": {
+ "value": "dependencies-rg"
+ },
+ "kind": {
+ "value": "AzurePowerShell"
+ },
+ "azPowerShellVersion": {
+ "value": "3.0"
+ },
+ "scriptContent": {
+ "value": "Write-Host 'Running PowerShell from template'"
+ },
+ "retentionInterval": {
+ "value": "P1D"
+ },
+ "runOnce": {
+ "value": false
+ },
+ "cleanupPreference": {
+ "value": "Always"
+ },
+ "timeout": {
+ "value": "PT30M"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Resources/deploymentScripts/readme.md b/arm/Microsoft.Resources/deploymentScripts/readme.md
new file mode 100644
index 0000000000..3f36ab9f05
--- /dev/null
+++ b/arm/Microsoft.Resources/deploymentScripts/readme.md
@@ -0,0 +1,72 @@ +# Deployment Scripts + +This module deploys Deployment Scripts. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Resources/deploymentScripts`|2019-10-01-preview| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `scriptName` | string | | | Required. Display name of the script to be run. +| `userMsiName` | string | "" | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. +| `userMsiResourceGroup` | string | `resourceGroup().name` | | Optional. Resource group of the user assigned identity. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `kind` | string | AzurePowerShell | AzurePowerShell, AzureCLI | Optional. Type of the script. AzurePowerShell, AzureCLI. +| `azPowerShellVersion` | string | 3.0 | | Optional. Azure PowerShell module version to be used. +| `azCliVersion` | string | | | Optional. Azure CLI module version to be used. +| `scriptContent` | string | "" | | Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. +| `primaryScriptUri` | string | "" | | Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. +| `environmentVariables` | array | [] | | Optional. The environment variables to pass over to the script. Must have a 'name' and a 'value' or a 'secretValue' property. +| `supportingScriptUris` | array | [] | | Optional. List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). +| `arguments` | string | "" | | Optional. Command line arguments to pass to the script. Arguments are separated by spaces. 
+| `retentionInterval` | string | P1D | | Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). +| `runOnce` | bool | false | | Optional. When set to false, script will run every time the template is deployed. When set to true, the script will only run once. +| `cleanupPreference` | string | Always | Always, OnSuccess, OnExpiration | Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). +| `containerGroupName` | string | | | Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. +| `timeout` | string | PT1H | | Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. +| `baseTime` | string | `utcNow('yyyy-MM-dd-HH-mm-ss')` | | Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Virtual Network Gateway from deletion. +| `tags` | object | {} | Complex structure, see below. | Optional. 
Tags of the Virtual Network Gateway resource. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `deploymentScriptName` | string | The Name of the Deployment Script. | +| `deploymentScriptResourceGroup` | string | The Resource Group the Deployment Script was deployed to. | +| `deploymentScriptResourceId` | string | The Resource Id of the Deployment Script. | + +## Considerations + +This module requires a User Assigned Identity (MSI, managed service identity) to exist, and this MSI has to have contributor rights on the subscription - that allows the Deployment Script to create the required Storage Account and the Azure Container Instance. + +## Additional resources + +- [Tutorial: Use deployment scripts to create a self-signed certificate (Preview)](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-deployment-script) +- [Microsoft.Resources deploymentScripts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-10-01-preview/deploymentscripts) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Resources/resourceGroups/deploy.json b/arm/Microsoft.Resources/resourceGroups/deploy.json new file mode 100644 index 0000000000..dc436aa017 --- /dev/null +++ b/arm/Microsoft.Resources/resourceGroups/deploy.json 
@@ -0,0 +1,344 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Resource Group" + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location of the Resource Group. It uses the deployment's location when not provided." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock storage from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the storage account resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure 
Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", 
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-05-01", + "location": "[parameters('location')]", + "name": "[parameters('resourceGroupName')]", + "tags": "[parameters('tags')]", + "properties": { + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(parameters('resourceGroupName'), '-lock')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[parameters('lockForDeletion')]", + "dependsOn": [ + "[parameters('resourceGroupName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + }, + "resources": [ + { + "name": "resourceGroupDoNotDelete", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "comments": 
"Resource lock on Resource Group",
+ "properties": {
+ "level": "CanNotDelete"
+ }
+ }
+ ]
+ },
+ "parameters": {
+ }
+ }
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[parameters('resourceGroupName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "resourceGroupName": {
+ "value": "[parameters('resourceGroupName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "resourceGroupName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(guid(uniqueString(concat(parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]",
+ "scope": "[concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'))]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "value": "[parameters('resourceGroupName')]",
+ "metadata": {
+ "description": "The name of the Resource Group"
+ }
+ },
+ "resourceGroupResourceId": {
+ "type": "string",
+ "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]",
+ "metadata": {
+ "description": "The resource id of the Resource Group"
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Resources/resourceGroups/parameters/parameters.json b/arm/Microsoft.Resources/resourceGroups/parameters/parameters.json
new file mode 100644
index 0000000000..3f901eb158
--- /dev/null
+++ b/arm/Microsoft.Resources/resourceGroups/parameters/parameters.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "value": "sxx-az-rg-weu-x-002"
+ },
+ "lockForDeletion": {
+ "value": false
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "tags": {
+ "value": {
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Resources/resourceGroups/readme.md b/arm/Microsoft.Resources/resourceGroups/readme.md
new file mode 100644
index 0000000000..0477ec6d5e
--- /dev/null
+++ b/arm/Microsoft.Resources/resourceGroups/readme.md
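Review bot: The `roleAssignments` block in resourceGroups/parameters/parameters.json is kept as `//` comments, so the file is not strict JSON and the template's RBAC path (the `rbac-` nested deployment) is never exercised by this parameter file. Whether every tool that reads the file tolerates comments is not visible from the patch; anything that parses it with a strict JSON parser would reject it. I would delete the commented block, since the module readme already carries the same `roleAssignments` example, or enable it with principal IDs that exist in the test tenant.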
@@ -0,0 +1,88 @@
+# Resource Group
+
+This module deploys Resource Groups.
+
+## Resource types
+
+|Resource Type|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/resourceGroups`|2018-05-01|
+|`Microsoft.Resources/deployments`|2018-05-01|
+|`Microsoft.Authorization/locks`|2016-09-01|
+|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `location` | string | Optional. Location of the Resource Group. It uses the deployment's location when not provided. | [deployment().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock storage from deletion. | False | |
+| `resourceGroupName` | string | Required. The name of the Resource Group | | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `tags` | object | Optional. Tags of the storage account resource. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `resourceGroupName` | string | The name of the Resource Group |
+| `resourceGroupResourceId` | string | The resource id of the Resource Group |
+
+### Scripts
+
+- There is no Scripts for this Module
+
+## Considerations
+
+- There is no deployment considerations for this Module
+
+## Additional resources
+
+- [Microsoft Resource Group template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-05-01/resourcegroups)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Security/azureSecurityCenter/deploy.json b/arm/Microsoft.Security/azureSecurityCenter/deploy.json
new file mode 100644
index 0000000000..4614e323b8
--- /dev/null
+++ b/arm/Microsoft.Security/azureSecurityCenter/deploy.json
@@ -0,0 +1,318 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceId": { + "type": "string", + "metadata": { + "description": "Required. The full Azure ID of the workspace to save the data in." + } + }, + "scope": { + "type": "string", + "metadata": { + "description": "Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope." + } + }, + "autoProvision": { + "type": "string", + "allowedValues": [ + "On", + "Off" + ], + "defaultValue": "On", + "metadata": { + "description": "Optional. Describes what kind of security agent provisioning action to take. - On or Off" + } + }, + "deviceSecurityGroupProperties": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Device Security group data" + } + }, + "ioTSecuritySolutionProperties": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Security Solution data" + } + }, + "virtualMachinesPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "sqlServersPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "appServicesPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "storageAccountsPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "sqlServerVirtualMachinesPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "kubernetesServicePricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "containerRegistryPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "keyVaultsPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "dnsPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard" + } + }, + "armPricingTier": { + "type": "string", + "allowedValues": [ + "Free", + "Standard" + ], + "defaultValue": "Free", + "metadata": { + "description": "Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. 
- Free or Standard" + } + }, + "securityContactProperties": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Security contact data" + } + } + }, + "variables": { + }, + "resources": [ + { + "name": "default", + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2017-08-01-preview", + "properties": { + "autoProvision": "[parameters('autoProvision')]" + } + }, + { + "name": "deviceSecurityGroups", + "type": "Microsoft.Security/deviceSecurityGroups", + "apiVersion": "2019-08-01", + "condition": "[not(empty(parameters('deviceSecurityGroupProperties')))]", + "properties": { + "thresholdRules": "[parameters('deviceSecurityGroupProperties').thresholdRules]", + "timeWindowRules": "[parameters('deviceSecurityGroupProperties').timeWindowRules]", + "allowlistRules": "[parameters('deviceSecurityGroupProperties').allowlistRules]", + "denylistRules": "[parameters('deviceSecurityGroupProperties').denylistRules]" + } + }, + { + "name": "iotSecuritySolutions", + "type": "Microsoft.Security/iotSecuritySolutions", + "apiVersion": "2019-08-01", + "condition": "[not(empty(parameters('ioTSecuritySolutionProperties')))]", + "properties": { + "workspace": "[parameters('ioTSecuritySolutionProperties').workspace]", + "displayName": "[parameters('ioTSecuritySolutionProperties').displayName]", + "status": "[parameters('ioTSecuritySolutionProperties').status]", + "export": "[parameters('ioTSecuritySolutionProperties').export]", + "disabledDataSources": "[parameters('ioTSecuritySolutionProperties').disabledDataSources]", + "iotHubs": "[parameters('ioTSecuritySolutionProperties').iotHubs]", + "userDefinedResources": "[parameters('ioTSecuritySolutionProperties').userDefinedResources]", + "recommendationsConfiguration": "[parameters('ioTSecuritySolutionProperties').recommendationsConfiguration]" + } + }, + { + "name": "VirtualMachines", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + 
"pricingTier": "[parameters('virtualMachinesPricingTier')]" + } + }, + { + "name": "SqlServers", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('sqlServersPricingTier')]" + } + }, + { + "name": "AppServices", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('appServicesPricingTier')]" + } + }, + { + "name": "StorageAccounts", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('storageAccountsPricingTier')]" + } + }, + { + "name": "SqlServerVirtualMachines", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('sqlServerVirtualMachinesPricingTier')]" + } + }, + { + "name": "KubernetesService", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('kubernetesServicePricingTier')]" + } + }, + { + "name": "ContainerRegistry", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('containerRegistryPricingTier')]" + } + }, + { + "name": "KeyVaults", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('keyVaultsPricingTier')]" + } + }, + { + "name": "Dns", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('dnsPricingTier')]" + } + }, + { + "name": "Arm", + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "properties": { + "pricingTier": "[parameters('armPricingTier')]" + } + }, + { + "name": "default1", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2017-08-01-preview", + "condition": "[not(empty(parameters('securityContactProperties')))]", + "properties": { + "email": 
"[parameters('securityContactProperties').email]",
+ "phone": "[parameters('securityContactProperties').phone]",
+ "alertNotifications": "[parameters('securityContactProperties').alertNotifications]",
+ "alertsToAdmins": "[parameters('securityContactProperties').alertsToAdmins]"
+ }
+ },
+ {
+ "name": "default",
+ "type": "Microsoft.Security/workspaceSettings",
+ "apiVersion": "2017-08-01-preview",
+ "dependsOn": [
+ "Microsoft.Security/autoProvisioningSettings/default"
+ ],
+ "properties": {
+ "workspaceId": "[parameters('workspaceId')]",
+ "scope": "[parameters('scope')]"
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "workspaceName": {
+ "type": "string",
+ "value": "[parameters('workspaceId')]",
+ "metadata": {
+ "description": "This is the workspaceid"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Security/azureSecurityCenter/parameters/parameters.json b/arm/Microsoft.Security/azureSecurityCenter/parameters/parameters.json
new file mode 100644
index 0000000000..4b0d60a501
--- /dev/null
+++ b/arm/Microsoft.Security/azureSecurityCenter/parameters/parameters.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/dependencies-rg/providers/microsoft.operationalinsights/workspaces/sxx-az-la-weu-x-003"
+ },
+ "scope": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2"
+ },
+ "securityContactProperties": {
+ "value": {
+ "email": "test@contoso.com",
+ "phone": "+12345678",
+ "alertNotifications": "On",
+ "alertsToAdmins": "Off"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Security/azureSecurityCenter/readme.md b/arm/Microsoft.Security/azureSecurityCenter/readme.md
new file mode 100644
index 0000000000..6e46c74eed
--- /dev/null
+++ b/arm/Microsoft.Security/azureSecurityCenter/readme.md
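Review bot: The `workspaceId` and `scope` values in the new `azureSecurityCenter/parameters/parameters.json` embed a concrete subscription GUID and a named workspace, which ties this sample to one environment and publishes that environment's identifiers with the module. A tokenised value that the deployment pipeline fills in, such as `"value": "/subscriptions/<subscription-id-placeholder>"` for `scope` and the same prefix in `workspaceId`, keeps the file reusable. The sample also sets `"alertsToAdmins": "Off"`; since parameter files like this tend to be copied as a starting point, it is worth confirming that switching off alert notification to subscription admins is intended rather than `"On"`.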
@@ -0,0 +1,138 @@ +# AzureSecurityCenter + +This template enables Azure Security Center - Standard tier by default, could be overridden. + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Security/autoProvisioningSettings`|2017-08-01-preview| +|`Microsoft.Security/deviceSecurityGroups`|2019-08-01| +|`Microsoft.Security/iotSecuritySolutions`|2019-08-01| +|`Microsoft.Security/pricings`|2018-06-01| +|`Microsoft.Security/securityContacts`|2017-08-01-preview| +|`Microsoft.Security/workspaceSettings`|2017-08-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appServicesPricingTier` | string | Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `autoProvision` | string | Optional. Describes what kind of security agent provisioning action to take. - On or Off | On | System.Object[] | +| `containerRegistryPricingTier` | string | Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `deviceSecurityGroupProperties` | object | Optional. Device Security group data | | | +| `ioTSecuritySolutionProperties` | object | Optional. Security Solution data | | | +| `kubernetesServicePricingTier` | string | Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `scope` | string | Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | | | +| `securityContactProperties` | object | Optional. Security contact data | | | +| `sqlServersPricingTier` | string | Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `sqlServerVirtualMachinesPricingTier` | string | Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `storageAccountsPricingTier` | string | Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `virtualMachinesPricingTier` | string | Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `keyVaultsPricingTier` | string | Optional. 
The pricing tier value for KeayVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `dnsPricingTier` | string | Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `armPricingTier` | string | Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | Standard | System.Object[] | +| `workspaceId` | string | Required. The full Azure ID of the workspace to save the data in. 
| | |
+
+### Parameter Usage: `deviceSecurityGroupProperties`
+
+```json
+"deviceSecurityGroupProperties": {
+ "value": {
+ "thresholdRules": [
+ {
+ "isEnabled": "boolean",
+ "ruleType": "string",
+ "minThreshold": "integer",
+ "maxThreshold": "integer"
+ }
+ ],
+ "timeWindowRules": [
+ {
+ "isEnabled": "boolean",
+ "ruleType": "string",
+ "minThreshold": "integer",
+ "maxThreshold": "integer",
+ "timeWindowSize": "string"
+ }
+ ],
+ "allowlistRules": [
+ {
+ "isEnabled": "boolean",
+ "ruleType": "string",
+ "allowlistValues": [
+ "string"
+ ]
+ }
+ ],
+ "denylistRules": [
+ {
+ "isEnabled": "boolean",
+ "ruleType": "string",
+ "denylistValues": [
+ "string"
+ ]
+ }
+ ]
+ }
+}
+```
+
+### Parameter Usage: `ioTSecuritySolutionProperties`
+
+```json
+"ioTSecuritySolutionProperties": {
+ "value": {
+ "workspace": "string",
+ "displayName": "string",
+ "status": "string",
+ "export": [
+ "RawEvents"
+ ],
+ "disabledDataSources": [
+ "TwinData"
+ ],
+ "iotHubs": [
+ "string"
+ ],
+ "userDefinedResources": {
+ "query": "string",
+ "querySubscriptions": [
+ "string"
+ ]
+ },
+ "recommendationsConfiguration": [
+ {
+ "recommendationType": "string",
+ "status": "string"
+ }
+ ]
+ }
+}
+```
+
+### Parameter Usage: `securityContactProperties`
+
+```json
+"securityContactProperties": {
+ "value": {
+ "email": "test@contoso.com",
+ "phone": "+12345678",
+ "alertNotifications": "On",
+ "alertsToAdmins": "Off"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `workspaceName` | string | This is the workspaceid |
+
+## Considerations
+
+## Additional resources
+
+- [What is Azure Security Center?](https://docs.microsoft.com/en-us/azure/security-center/security-center-intro)
+- [Microsoft.Security template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.security/allversions)
\ No newline at end of file
diff --git a/arm/Microsoft.ServiceBus/namespaceQueues/deploy.json b/arm/Microsoft.ServiceBus/namespaceQueues/deploy.json
new file mode 100644
index 0000000000..f1a38e46b5
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaceQueues/deploy.json
@@ -0,0 +1,536 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namespaceName": {
+ "type": "string",
+ "minLength": 6,
+ "maxLength": 50,
+ "metadata": {
+ "description": "Required. Name of the parent Service Bus Namespace for the Service Bus Queue."
+ }
+ },
+ "queueName": {
+ "type": "string",
+ "minLength": 6,
+ "maxLength": 50,
+ "metadata": {
+ "description": "Required. Name of the Service Bus Queue."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "lockDuration": {
+ "type": "string",
+ "defaultValue": "PT1M",
+ "metadata": {
+ "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
+ }
+ },
+ "maxSizeInMegabytes": {
+ "type": "int",
+ "defaultValue": 1024,
+ "metadata": {
+ "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024."
+ }
+ },
+ "requiresDuplicateDetection": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. A value indicating if this queue requires duplicate detection."
+ }
+ },
+ "requiresSession": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. A value that indicates whether the queue supports the concept of sessions."
+ }
+ },
+ "defaultMessageTimeToLive": {
+ "type": "string",
+ "defaultValue": "P14D",
+ "metadata": {
+ "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself."
+ } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires." + } + }, + "enableBatchedOperations": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Value that indicates whether server-side batched operations are enabled." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "defaultValue": "PT10M", + "metadata": { + "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "maxDeliveryCount": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." + } + }, + "status": { + "type": "string", + "defaultValue": "Active", + "allowedValues": [ + "Active", + "Disabled", + "Restoring", + "SendDisabled", + "ReceiveDisabled", + "Creating", + "Deleting", + "Renaming", + "Unknown" + ], + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown" + } + }, + "enablePartitioning": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers." + } + }, + "enableExpress": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage." 
+ } + }, + "authorizationRules": { + "type": "array", + "defaultValue": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ], + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus Queue" + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Service Bus Queue from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "queueId": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('queueName'))]", + "defaultSASKeyName": "RootManageSharedAccessKey", + "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('namespaceName'), variables('defaultSASKeyName'))]", + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": 
"/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service 
Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": 
"/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", 
+ "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": 
"/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application 
Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.ServiceBus/namespaces/queues", + "apiVersion": "2017-04-01", + "name": "[concat(parameters('namespaceName'),'/',parameters('queueName'))]", + "location": "[parameters('location')]", + "tags": "[if(empty(parameters('tags')), json('null'), parameters('tags'))]", + "properties": { + "lockDuration": "[parameters('lockDuration')]", + "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", + "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", + "requiresSession": "[parameters('requiresSession')]", + "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", + "deadLetteringOnMessageExpiration":"[parameters('deadLetteringOnMessageExpiration')]", + "enableBatchedOperations": "[parameters('enableBatchedOperations')]", + "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", + "maxDeliveryCount": "[parameters('maxDeliveryCount')]", + "status": "[parameters('status')]", + "enablePartitioning": "[parameters('enablePartitioning')]", + "enableExpress": "[parameters('enableExpress')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/serviceBusQueueDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.ServiceBus/namespaces/queues/', parameters('namespaceName'), parameters('queueName'))]" + ], + "comments": "Resource lock on the Azure Service Bus 
Queue",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules",
+ "apiVersion": "2017-04-01",
+ "name": "[concat(parameters('namespaceName'), '/', parameters('queueName'), '/', parameters('authorizationRules')[copyIndex()].name)]",
+ "condition": "[greater(length(parameters('authorizationRules')),0)]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[variables('queueId')]"
+ ],
+ "copy": {
+ "name": "authorizationRules",
+ "count": "[length(parameters('authorizationRules'))]"
+ },
+ "properties": {
+ "rights": "[parameters('authorizationRules')[copyIndex()].properties.rights]"
+ }
+ },
+ {
+ "name": "[concat('rbac-',deployment().name, copyIndex())]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Resources/deployments",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[parameters('queueName')]"
+ ],
+ "copy": {
+ "name": "rbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "namespaceName":{
+ "value": "[parameters('namespaceName')]"
+ },
+ "queueName": {
+ "value": "[parameters('queueName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "namespaceName": {
+ "type": "string"
+ },
+ "queueName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ServiceBus/namespaces/queues/providers/roleAssignments",
+ "apiVersion": "2018-09-01-preview",
+ "name": "[concat(parameters('namespaceName'), '/', parameters('queueName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('queueName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "innerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "namespaceName": {
+ "type": "string",
+ "value": "[parameters('namespaceName')]",
+ "metadata": {
+ "description": "The Name of the Service Bus Namespace."
+ }
+ },
+ "queueResourceId": {
+ "type": "string",
+ "value": "[variables('queueId')]",
+ "metadata": {
+ "description": "The Resource Id of the Service Bus Queue."
+ }
+ },
+ "namespaceResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group with the Service Bus Namespace."
+ }
+ },
+ "authRuleResourceId": {
+ "type": "string",
+ "value": "[variables('authRuleResourceId')]",
+ "metadata": {
+ "description": "The Id of the authorization rule marked by the variable with the same name."
+ }
+ },
+ "namespaceConnectionString": {
+ "type": "securestring",
+ "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]",
+ "metadata": {
+ "description": "The connection string of the Service Bus Namespace"
+ }
+ },
+ "sharedAccessPolicyPrimaryKey": {
+ "type": "securestring",
+ "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]",
+ "metadata": {
+ "description": "The shared access policy primary key for the Service Bus Namespace"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ServiceBus/namespaceQueues/parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaceQueues/parameters/parameters.json
new file mode 100644
index 0000000000..8f7dd2a014
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaceQueues/parameters/parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namespaceName": {
+ "value": "sxx-az-sbn-weu-x-001"
+ },
+ "queueName": {
+ "value": "sxx-az-sbq-weu-x-001"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ServiceBus/namespaceQueues/readme.md b/arm/Microsoft.ServiceBus/namespaceQueues/readme.md
new file mode 100644
index 0000000000..c4f07b1173
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaceQueues/readme.md
@@ -0,0 +1,156 @@
+# ServiceBusQueues
+
+This module deploys Service Bus Queue.
+
+## Resource types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.Resources/deployments` | 2020-06-01 |
+| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | 2017-04-01 |
+| `Microsoft.ServiceBus/namespaces/queues/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.ServiceBus/namespaces/queues` | 2017-04-01 |
+| `providers/locks` | 2016-09-01 |
+
+- Microsoft.ServiceBus/namespaces
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `authorizationRules` | array | Optional. Authorization Rules for the Service Bus Queue | System.Object[] | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `deadLetteringOnMessageExpiration` | bool | Optional. A value that indicates whether this queue has dead letter support when a message expires. | True | |
+| `defaultMessageTimeToLive` | string | Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | P14D | |
+| `duplicateDetectionHistoryTimeWindow` | string | Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | PT10M | |
+| `enableBatchedOperations` | bool | Optional. Value that indicates whether server-side batched operations are enabled. | True | |
+| `enableExpress` | bool | Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. | False | |
+| `enablePartitioning` | bool | Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers. | False | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockDuration` | string | Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | PT1M | |
+| `lockForDeletion` | bool | Optional. Switch to lock Service Bus Queue from deletion. | False | |
+| `maxDeliveryCount` | int | Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | 10 | |
+| `maxSizeInMegabytes` | int | Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | 1024 | |
+| `namespaceName` | string | Required. Name of the parent Service Bus Namespace for the Service Bus Queue. | | |
+| `queueName` | string | Required. Name of the Service Bus Queue. | | |
+| `requiresDuplicateDetection` | bool | Optional. A value indicating if this queue requires duplicate detection. | False | |
+| `requiresSession` | bool | Optional. A value that indicates whether the queue supports the concept of sessions. | False | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `status` | string | Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown | Active | System.Object[] |
+| `tags` | object | Optional. Tags of the resource. | | |
+
+### Parameter Usage: `authorizationRules`
+
+Default value:
+
+```json
+"authorizationRules": {
+ "value": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ }
+ }
+ ]
+}
+```
+
+Example for 2 authorization rules:
+
+```json
+"authorizationRules": {
+ "value": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ }
+ },
+ {
+ "name": "AnotherKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Send"
+ ]
+ }
+ }
+ ]
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `authRuleResourceId` | string | The Id of the authorization rule marked by the variable with the same name. |
+| `namespaceConnectionString` | securestring | The connection string of the Service Bus Namespace |
+| `namespaceName` | string | The Name of the Service Bus Namespace. |
+| `namespaceResourceGroup` | string | The name of the Resource Group with the Service Bus Namespace. |
+| `queueResourceId` | string | The Resource Id of the Service Bus Queue. |
+| `sharedAccessPolicyPrimaryKey` | securestring | The shared access policy primary key for the Service Bus Namespace |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [About Service Bus Queue] (https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions)
+- [Microsoft.ServiceBus/namespaces/queues template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.servicebus/namespaces/queues)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.json b/arm/Microsoft.ServiceBus/namespaces/deploy.json
new file mode 100644
index 0000000000..4c6eb84d4b
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaces/deploy.json
@@ -0,0 +1,741 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "serviceBusNamespaceName": {
+ "type": "string",
+ "defaultValue":"",
+ "maxLength": 50,
+ "metadata": {
+ "description": "Optional. Name of the Service Bus Namespace. If no name is provided, then unique name will be created."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Basic",
+ "allowedValues": [
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "Required. Name of this SKU. - Basic, Standard, Premium"
+ }
+ },
+ "zoneRedundant": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones."
+ }
+ },
+ "partnerNamespaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. ARM Id of the Primary/Secondary Service Bus namespace name, which is part of GEO DR pairing"
+ }
+ },
+ "namespaceAlias": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Disaster Recovery configuration name"
+ }
+ },
+ "authorizationRules": {
+ "type": "array",
+ "defaultValue": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "properties": {
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ }
+ }
+ ],
+ "metadata": {
+ "description": "Optional. Authorization Rules for the Service Bus namespace"
+ }
+ },
+ "ipFilterRules": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. IP Filter Rules for the Service Bus namespace"
+ }
+ },
+ "targetNamespace": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Existing premium Namespace ARM Id name which has no entities, will be used for migration."
+ }
+ },
+ "postMigrationName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name to access Standard Namespace after migration."
+ }
+ },
+ "virtualNetworkRuleSubnetIds": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. vNet Rules SubnetIds for the Service Bus namespace."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Flag indicating if resource is locked for deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "baseTime": {
+ "type": "string",
+ "defaultValue": "[utcNow('u')]",
+ "metadata": {
+ "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules."
+ }
+ }
+ },
+ "variables": {
+ "moduleName": "Service Bus Namespace",
+ "maxNameLength": 50,
+ "uniqueServiceBusNamespaceNameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]",
+ "uniqueServiceBusNamespaceName": "[if(greater(length(variables('uniqueServiceBusNamespaceNameUntrim')),variables('maxNameLength')),substring(variables('uniqueServiceBusNamespaceNameUntrim'),0,variables('maxNameLength')),variables('uniqueServiceBusNamespaceNameUntrim'))]",
+ "serviceBusNamespaceName": "[if(empty(parameters('serviceBusNamespaceName')),variables('uniqueServiceBusNamespaceName'),parameters('serviceBusNamespaceName'))]",
+ "namespaceResourceId": "[resourceId('Microsoft.ServiceBus/Namespaces', variables('serviceBusNamespaceName'))]",
+ "defaultAuthorizationRuleId": "[resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', variables('serviceBusNamespaceName'), 'RootManageSharedAccessKey')]",
+ "namespaceAlias": "[if(empty(parameters('namespaceAlias')), 'placeholder', parameters('namespaceAlias'))]",
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "OperationalLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": "[parameters('diagnosticLogsRetentionInDays')]",
+ "enabled": true
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
+ "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
+ "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
+ "AcrQuarantineReader":
"/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": 
"/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": 
"/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", 
+ "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[variables('serviceBusNamespaceName')]", + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2018-01-01-preview", + "location": "[parameters('location')]", + "tags": "[if(empty(parameters('tags')), json('null'), 
parameters('tags'))]", + "sku": { + "name": "[parameters('skuName')]" + }, + "properties": { + "zoneRedundant": "[parameters('zoneRedundant')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/serviceBusNamespaceDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.ServiceBus/namespaces/', variables('serviceBusNamespaceName'))]" + ], + "comments": "Resource lock on the Azure Service Bus Namespace", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('serviceBusNamespaceName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.ServiceBus/namespaces/', variables('serviceBusNamespaceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", + "apiVersion": "2017-04-01", + "name": 
"[concat(variables('serviceBusNamespaceName'), '/', variables('namespaceAlias'))]", + "location": "[parameters('location')]", + "condition": "[if(and(not(empty(parameters('partnerNamespaceId'))),not(empty(parameters('namespaceAlias')))), bool('true') , bool('false'))]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "properties": { + "partnerNamespace": "[parameters('partnerNamespaceId')]" + } + }, + { + "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", + "apiVersion": "2017-04-01", + "name": "[concat(variables('serviceBusNamespaceName'),'/', parameters('authorizationRules')[copyIndex()].name)]", + "condition": "[greater(length(parameters('authorizationRules')),0)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "copy": { + "name": "authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "properties": { + "rights": "[parameters('authorizationRules')[copyIndex()].properties.rights]" + } + }, + { + "type": "Microsoft.ServiceBus/namespaces/ipFilterRules", + "apiVersion": "2018-01-01-preview", + "name": "[concat(variables('serviceBusNamespaceName'),'/', if(empty(parameters('ipFilterRules')), concat(variables('serviceBusNamespaceName'),'-ifr'), parameters('ipFilterRules')[copyIndex()].filterName))]", + "condition": "[greater(length(parameters('ipFilterRules')),0)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "copy": { + "name": "ipFilterRules", + "count": "[length(parameters('ipFilterRules'))]" + }, + "properties": "[parameters('ipFilterRules')[copyIndex()]]" + }, + { + "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", + "apiVersion": "2017-04-01", + "name": "[concat(variables('serviceBusNamespaceName'),'/', '$default')]", + "condition": "[not(empty(parameters('targetNamespace')))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('namespaceResourceId')]" 
+ ], + "properties": { + "targetNamespace": "[parameters('targetNamespace')]", + "postMigrationName": "[parameters('postMigrationName')]" + } + }, + { + "type": "Microsoft.ServiceBus/namespaces/virtualNetworkRules", + "apiVersion": "2018-01-01-preview", + "name": "[concat(variables('serviceBusNamespaceName'),'/',if(empty(parameters('virtualNetworkRuleSubnetIds')), concat(variables('serviceBusNamespaceName'),'-vnr'), split(parameters('virtualNetworkRuleSubnetIds')[copyIndex()], '/')[10]))]", + "condition": "[greater(length(parameters('virtualNetworkRuleSubnetIds')),0)]", + "location": "[parameters('location')]", + "dependsOn": [ + "[variables('namespaceResourceId')]" + ], + "copy": { + "name": "virtualNetworkRuleSubnetIds", + "count": "[length(parameters('virtualNetworkRuleSubnetIds'))]" + }, + "properties": { + "virtualNetworkSubnetId": "[parameters('virtualNetworkRuleSubnetIds')[copyIndex()]]" + } + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-ServiceBusNamespaces-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[variables('serviceBusNamespaceName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusNamespaceName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": 
"[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + 
"manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[variables('serviceBusNamespaceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "namespaceName": { + "value": "[variables('serviceBusNamespaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": 
"object" + }, + "namespaceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('namespaceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('namespaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "serviceBusNamespaceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusNamespaceName'))]", + "metadata": { + "description": "The Resource Id of the Service Bus Namespace." + } + }, + "serviceBusNamespaceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Service Bus Namespace was created in." + } + }, + "serviceBusNamespaceName": { + "type": "string", + "value": "[variables('serviceBusNamespaceName')]", + "metadata": { + "description": "The Name of the Service Bus Namespace." + } + }, + "defaultAuthorizationRuleId": { + "type": "string", + "value": "[variables('defaultAuthorizationRuleId')]", + "metadata": { + "description": "The Id of the authorization rule marked by the variable with the same name." 
+ }
+ },
+ "serviceBusConnectionString": {
+ "type": "string",
+ "value": "[concat('Endpoint=sb://', variables('serviceBusNamespaceName'), '.servicebus.windows.net/;SharedAccessKeyName=',listkeys(resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', variables('serviceBusNamespaceName'), 'RootManageSharedAccessKey'), '2017-04-01').primaryKey)]",
+ "metadata": {
+ "description": "The Service Bus Namespace connection string."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ServiceBus/namespaces/parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/parameters/parameters.json
new file mode 100644
index 0000000000..a5b3ed7fd8
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaces/parameters/parameters.json
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ //"serviceBusNamespaceName": {
+ // "value": "sxx-az-sbn-weu-x-001"
+ //},
+ "skuName": {
+ "value": "Basic"
+ },
+ "lockForDeletion": {
+ "value": false
+ },
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ "tags": {
+ "value": {}
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md
new file mode 100644
index 0000000000..1ffb7e35fa
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaces/readme.md
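Review bot: The commented-out `roleAssignments` sample in the new `parameters/parameters.json` names `Desktop Virtualization User`, a role unrelated to Service Bus, so anyone who uncomments it as a starting point assigns an irrelevant role at namespace scope. A sample that matches the resource and stays narrow would be `// "roleDefinitionIdOrName": "Azure Service Bus Data Receiver",`, which is one of the keys in the template's `builtInRoleNames` map. Separately, the `//` comments (including the trailing `// object 1` ones) mean the file is not strict JSON and will only load in tooling that accepts comments in ARM parameter files. Either note that requirement in the readme or move the samples there.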
@@ -0,0 +1,195 @@ +# ServiceBusNamespaces + +This module deploys Service Bus Namespace resource. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | 2017-04-01 | +| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | 2017-04-01 | +| `Microsoft.ServiceBus/namespaces/ipFilterRules` | 2018-01-01-preview | +| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | 2017-04-01 | +| `Microsoft.ServiceBus/namespaces/virtualNetworkRules` | 2018-01-01-preview | +| `Microsoft.ServiceBus/namespaces/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.ServiceBus/namespaces/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.ServiceBus/namespaces` | 2018-01-01-preview | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :--| :--| :-| :--| :----------------------------------------------------------------------------------------------------------------- | +| `serviceBusNamespaceName`| string | | | Optional. Name of the Service Bus Namespace.If no name is provided, then unique name will be created.| +| `location`| string | | | Required. The Geo-location where the resource lives. | | +| `skuName`| string | | | Required. Name of this SKU. - Basic, Standard, Premium. | Basic, Standard, Premium | +| `zoneRedundant`| string | | | Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | | +| `partnerNamespaceId` | string | Optional. ARM Id of the Primary/Secondary Service Bus namespace name, which is part of GEO DR pairing. | | | +| `namespaceAlias` | string | Optional. The Disaster Recovery configuration name. 
| | | +| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub namespace. | System.Object[] | | +| `ipFilterRules` | array | Optional. IP Filter Rules for the Service Bus namespace (requires Premium sku). | System.Object[] | | +| `targetNamespace` | string | Optional. Existing premium Namespace ARM Id name which has no entities, will be used for migration. | | | +| `postMigrationName` | string | Optional. Name to access Standard Namespace after migration. | | | +| `virtualNetworkRuleSubnetIds` | array | Optional. vNet Rules SubnetIds for the Service Bus namespace. | System.Object[] | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +| `lockForDeletion`| bool | | | Optional. Flag indicating if resource is locked for deletion. | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `privateEndpoints` | array | System.Object[] | | Optional. 
Configuration Details for private endpoints. | +| `tags`| string | | | Optional. Tag names and tag values can be provided as needed (see below) | | +| `cuaId`| string | | | Customer Usage Attribution id (GUID). This GUID must be previously registered | | +| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. + +### Parameter Usage: `authorizationRules` + +Default value: + +```json +"authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ] +} +``` + +### Parameter Usage: `ipFilterRules` + +```json +"ipFilterRules": { + "value": [ + { + "filterName": "ipFilter1", + "ipMask": "10.0.1.0/32", + "action": "Accept" + }, + { + "filterName": "ipFilter2", + "ipMask": "10.0.2.0/32", + "action": "Deny" + } + ] +} +``` + +### Parameter Usage: `virtualNetworkRuleSubnetIds` + +```json +"virtualNetworkRuleSubnetIds": { + "value": [ + "/subscriptions//resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks//subnets/", + "/subscriptions//resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks//subnets/" + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the 
following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `defaultAuthorizationRuleId` | string | The Id of the authorization rule marked by the variable with the same name. | +| `serviceBusConnectionString` | string | The Service Bus Namespace connection string. | +| `serviceBusNamespaceName` | string | The Name of the Service Bus Namespace. | +| `serviceBusNamespaceResourceGroup` | string | The name of the Resource Group the Service Bus Namespace was created in. | +| `serviceBusNamespaceResourceId` | string | The Resource Id of the Service Bus Namespace. | + +## Considerations + +*N/A* + +## Additional resources + +- [Microsoft.ServiceBus Namespace template reference](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces) +- [What is Azure Service Bus?](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Sql/managedInstanceDatabases/deploy.json b/arm/Microsoft.Sql/managedInstanceDatabases/deploy.json new file mode 100644 index 0000000000..de19a7f2a6 --- /dev/null +++ b/arm/Microsoft.Sql/managedInstanceDatabases/deploy.json 
@@ -0,0 +1,368 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "databaseName": { + "type": "string", + "metadata": { + "description": "Required. The name of the SQL managed instance database." + } + }, + "managedInstanceName": { + "type": "string", + "metadata": { + "description": "Required. The name of the SQL managed instance." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "collation": { + "type": "string", + "defaultValue": "SQL_Latin1_General_CP1_CI_AS", + "metadata": { + "description": "Optional. Collation of the managed instance database." + } + }, + "restorePointInTime": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. If createMode is PointInTimeRestore, this value is required. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database." + } + }, + "catalogCollation": { + "type": "string", + "defaultValue": "SQL_Latin1_General_CP1_CI_AS", + "metadata": { + "description": "Optional. Collation of the managed instance." + } + }, + "createMode": { + "type": "string", + "defaultValue": "Default", + "allowedValues": [ + "Default", + "RestoreExternalBackup", + "PointInTimeRestore", + "Recovery", + "RestoreLongTermRetentionBackup" + ], + "metadata": { + "description": "Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. 
RecoverableDatabaseId must be specified as the recoverable database resource ID to restore." + } + }, + "storageContainerUri": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the uri of the storage container where backups for this restore are stored." + } + + }, + "sourceDatabaseId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. The resource identifier of the source database associated with create operation of this database." + } + }, + "restorableDroppedDatabaseId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. The restorable dropped database resource id to restore when creating this database." + } + }, + "storageContainerSasToken": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the storage container sas token." + } + }, + "recoverableDatabaseId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. The resource identifier of the recoverable database associated with create operation of this database." + } + }, + "longTermRetentionBackupResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Conditional. The name of the Long Term Retention backup to be used for restore of this managed database." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Resource identifier of the Diagnostic Storage Account." + } + }, + "workspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource identifier of Log Analytics." + } + }, + "eventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "backupLongTermRetentionPoliciesName": { //LTR Not used yet + "type": "string", + "defaultValue": "LTRdefault", + "metadata": { + "description": "Required. The name of the Long Term Retention backup policy." + } + }, + "weeklyRetention": { //LTR Not used yet + "type": "string", + "defaultValue": "P1M", + "metadata": { + "description": "Required. The weekly retention policy for an LTR backup in an ISO 8601 format." + } + }, + "monthlyRetention": { //LTR Not used yet + "type": "string", + "defaultValue": "P1Y", + "metadata": { + "description": "Required. The monthly retention policy for an LTR backup in an ISO 8601 format." + } + }, + "yearlyRetention": { //LTR Not used yet + "type": "string", + "defaultValue": "P5Y", + "metadata": { + "description": "Required. The yearly retention policy for an LTR backup in an ISO 8601 format." + } + }, + "weekOfYear": { //LTR Not used yet + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Required. The week of year to take the yearly backup in an ISO 8601 format." 
+ } + }, + "backupShortTermRetentionPoliciesName": { + "type": "string", + "defaultValue": "Default", + "metadata": { + "description": "Required. The name of the Short Term Retention backup policy." + } + }, + "retentionDays": { + "type": "int", + "defaultValue": 35, + "metadata": { + "description": "Required. The backup retention period in days. This is how many days Point-in-Time Restore will be supported." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + + "diagnosticsLogs": [ + { + "category": "SQLInsights", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "Errors", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Sql/managedInstances/databases", + "apiVersion": "2020-02-02-preview", + "name": 
"[concat(parameters('managedInstanceName'), '/', parameters('databaseName'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "collation": "[if(empty(parameters('collation')), json('null'), parameters('collation'))]", + "restorePointInTime": "[if(empty(parameters('restorePointInTime')), json('null'), parameters('restorePointInTime'))]", + "catalogCollation": "[if(empty(parameters('catalogCollation')), json('null'), parameters('catalogCollation'))]", + "createMode": "[if(empty(parameters('createMode')), json('null'), parameters('createMode'))]", + "storageContainerUri": "[if(empty(parameters('storageContainerUri')), json('null'), parameters('storageContainerUri'))]", + "sourceDatabaseId": "[if(empty(parameters('sourceDatabaseId')), json('null'), parameters('sourceDatabaseId'))]", + "restorableDroppedDatabaseId": "[if(empty(parameters('restorableDroppedDatabaseId')), json('null'), parameters('restorableDroppedDatabaseId'))]", + "storageContainerSasToken": "[if(empty(parameters('storageContainerSasToken')), json('null'), parameters('storageContainerSasToken'))]", + "recoverableDatabaseId": "[if(empty(parameters('recoverableDatabaseId')), json('null'), parameters('recoverableDatabaseId'))]", + "longTermRetentionBackupResourceId": "[if(empty(parameters('longTermRetentionBackupResourceId')), json('null'), parameters('longTermRetentionBackupResourceId'))]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/managedInstanceDatabaseDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('databaseName'))]" + ], + "comments": "Resource lock on Azure SQL managed instance database", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Sql/managedInstances/databases/providers/diagnosticsettings", + 
"apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/', parameters('databaseName') ,'/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('databaseName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + }, + // Long Term Retention Policy is Not Supported Yet + //{ + // "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", + // "apiVersion": "2018-06-01-preview", + // "name": "[concat(parameters('managedInstanceName'), '/', parameters('databaseName'), '/', parameters('backupLongTermRetentionPoliciesName'))]", + // "dependsOn": [ + // "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('databaseName'))]" + // ], + // "properties": { + // "weeklyRetention": "[parameters('weeklyRetention')]", + // "monthlyRetention": "[parameters('monthlyRetention')]", + // "yearlyRetention": "[parameters('yearlyRetention')]", + // 
"weekOfYear": "[parameters('weekOfYear')]"
+ // }
+ //}
+ {
+ "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies",
+ "apiVersion": "2017-03-01-preview",
+ "name": "[concat(parameters('managedInstanceName'), '/', parameters('databaseName'), '/', parameters('backupShortTermRetentionPoliciesName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('databaseName'))]"
+ ],
+ "properties": {
+ "retentionDays": "[parameters('retentionDays')]"
+ }
+ }
+
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "managedInstanceName": {
+ "type": "string",
+ "value": "[parameters('managedInstanceName')]",
+ "metadata": {
+ "description": "The name of the SQL managed instance."
+ }
+ },
+ "managedInstanceResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]",
+ "metadata": {
+ "description": "The Resource ID of the Manged Instance."
+ }
+ },
+ "managedInstanceResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The Resource Group in which the resource has been created."
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Sql/managedInstanceDatabases/parameters/parameters.json b/arm/Microsoft.Sql/managedInstanceDatabases/parameters/parameters.json
new file mode 100644
index 0000000000..98d4c6921e
--- /dev/null
+++ b/arm/Microsoft.Sql/managedInstanceDatabases/parameters/parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "databaseName": {
+ "value": "sxx-az-sqlmidb-weu-x-001"
+ },
+ "managedInstanceName": {
+ "value": "sxx-az-sqlmi-weu-x-001"
+ }
+ }
+}
\ No newline at end of file
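Review bot: `storageContainerSasToken` in `managedInstanceDatabases/deploy.json` is declared with `"type": "string"`, so the SAS token supplied for a `RestoreExternalBackup` deployment is handled like any ordinary parameter value and can end up readable in the deployment's recorded inputs. Declaring it as `"type": "securestring"` keeps the credential out of that record, and the existing `if(empty(parameters('storageContainerSasToken')), json('null'), ...)` expression should keep working unchanged. Two documentation slips in the same hunk: the `lockForDeletion` description still says "Switch to lock Key Vault from deletion" although the lock is created on the managed instance database, and the five parameters tagged `//LTR Not used yet` are described as "Required." while only the commented-out long-term retention resource reads them.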
diff --git a/arm/Microsoft.Sql/managedInstanceDatabases/readme.md b/arm/Microsoft.Sql/managedInstanceDatabases/readme.md
new file mode 100644
index 0000000000..2b1ec7cf8c
--- /dev/null
+++ b/arm/Microsoft.Sql/managedInstanceDatabases/readme.md
@@ -0,0 +1,103 @@ +# SQL Managed Instances Database + +This template deploys an SQL Managed Instances Database. + + +## Resource types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Sql/managedInstances/databases`|2019-06-01-preview| +|`Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies`|2017-03-01-preview| +|`Microsoft.Sql/managedInstances/databases/providers/diagnosticsettings`|2017-05-01-preview| +|`providers/locks`|2016-09-01| +|`Microsoft.Resources/deployments`|2018-02-01| + + +### Deployment prerequisites + +The SQL Managed Instance Database is deployed on a SQL Managed Instance. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `backupLongTermRetentionPoliciesName` | string | Required. The name of the Long Term Retention backup policy. | LTRdefault | | +| `backupShortTermRetentionPoliciesName` | string | Required. The name of the Short Term Retention backup policy. | Default | | +| `catalogCollation` | string | Optional. Collation of the managed instance. | SQL_Latin1_General_CP1_CI_AS | | +| `collation` | string | Optional. Collation of the managed instance database. | SQL_Latin1_General_CP1_CI_AS | | +| `createMode` | string | Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. | Default | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `databaseName` | string | Required. 
The name of the SQL managed instance database. | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | | +| `longTermRetentionBackupResourceId` | string | Optional. Conditional. The name of the Long Term Retention backup to be used for restore of this managed database. | | | +| `managedInstanceName` | string | Required. The name of the SQL managed instance. | | | +| `monthlyRetention` | string | Required. The monthly retention policy for an LTR backup in an ISO 8601 format. | P1Y | | +| `recoverableDatabaseId` | string | Optional. Conditional. The resource identifier of the recoverable database associated with create operation of this database. | | | +| `restorableDroppedDatabaseId` | string | Optional. Conditional. The restorable dropped database resource id to restore when creating this database. | | | +| `restorePointInTime` | string | Optional. Conditional. If createMode is PointInTimeRestore, this value is required. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | | | +| `retentionDays` | int | Required. The backup retention period in days. This is how many days Point-in-Time Restore will be supported. 
| 35 | | +| `sourceDatabaseId` | string | Optional. Conditional. The resource identifier of the source database associated with create operation of this database. | | | +| `storageContainerSasToken` | string | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the storage container sas token. | | | +| `storageContainerUri` | string | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the uri of the storage container where backups for this restore are stored. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `weeklyRetention` | string | Required. The weekly retention policy for an LTR backup in an ISO 8601 format. | P1M | | +| `weekOfYear` | int | Required. The week of year to take the yearly backup in an ISO 8601 format. | 5 | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `yearlyRetention` | string | Required. The yearly retention policy for an LTR backup in an ISO 8601 format. | P5Y | | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +""`json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +""` +### Parameter Usage: `LongTermRetention` + +""`json +{ + "name": "default", + "type": "Microsoft.Sql/resourceGroups/servers/databases/backupLongTermRetentionPolicies", + "properties": { + "weeklyRetention": "P1M", + "monthlyRetention": "P1Y", + "yearlyRetention": "P5Y", + "weekOfYear": 5 + } +} +""` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `managedInstanceName` | string | The name of the SQL managed instance. | +| `managedInstanceResourceGroup` | string | The Resource Group in which the resource has been created. 
| +| `managedInstanceResourceId` | string | The Resource ID of the Manged Instance. | + +## Considerations + +*N/A* + + +## Additional resources + +- [Introduction to Azure SQL Managed Instance](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-index) +- [ARM Template schema for SQL Managed Instance Database](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/managedinstances/databases) +- [ARM Template schema for SQL Managed Instance](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/managedinstances) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Sql/managedInstances/deploy.json b/arm/Microsoft.Sql/managedInstances/deploy.json new file mode 100644 index 0000000000..5f91721ba4 --- /dev/null +++ b/arm/Microsoft.Sql/managedInstances/deploy.json 
@@ -0,0 +1,724 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedInstanceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the SQL managed instance."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "administratorLogin": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The username used to establish jumpbox VMs."
+ }
+ },
+ "administratorLoginPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Required. The password given to the admin user."
+ }
+ },
+ "subnetId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "GP_Gen5",
+ "metadata": {
+ "description": "Optional. The name of the SKU, typically, a letter + Number code, e.g. P3."
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "defaultValue": "GeneralPurpose",
+ "metadata": {
+ "description": "Optional. The tier or edition of the particular SKU, e.g. Basic, Premium."
+ }
+ },
+ "storageSizeInGB": {
+ "type": "int",
+ "defaultValue": "32",
+ "metadata": {
+ "description": "Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only."
+ }
+ },
+ "vCores": {
+ "type": "int",
+ "defaultValue": "4",
+ "metadata": {
+ "description": "Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80."
+ }
+ },
+ "licenseType": {
+ "type": "string",
+ "defaultValue": "LicenseIncluded",
+ "allowedValues": [
+ "LicenseIncluded",
+ "BasePrice"
+ ],
+ "metadata": {
+ "description": "Optional. The license type. 
Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses)."
+ }
+ },
+ "hardwareFamily": {
+ "type": "string",
+ "defaultValue": "Gen5",
+ "metadata": {
+ "description": "Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here."
+ }
+ },
+ "managedInstanceCreateMode": {
+ "type": "string",
+ "defaultValue": "Default",
+ "allowedValues": [
+ "Default",
+ "PointInTimeRestore"
+ ],
+ "metadata": {
+ "description": "Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified."
+ }
+ },
+ "dnsZonePartner": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The resource id of another managed instance whose DNS zone this managed instance will share after creation."
+ }
+ },
+ "collation": {
+ "type": "string",
+ "defaultValue": "SQL_Latin1_General_CP1_CI_AS",
+ "metadata": {
+ "description": "Optional. Collation of the managed instance."
+ }
+ },
+ "proxyOverride": {
+ "type": "string",
+ "defaultValue": "Proxy",
+ "allowedValues": [
+ "Proxy",
+ "Redirect",
+ "Default"
+ ],
+ "metadata": {
+ "description": "Optional. Connection type used for connecting to the instance."
+ }
+ },
+ "publicDataEndpointEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Whether or not the public data endpoint is enabled."
+ }
+ },
+ "timezoneId": {
+ "type": "string",
+ "defaultValue": "UTC",
+ "metadata": {
+ "description": "Optional. Id of the timezone. Allowed values are timezones supported by Windows."
+ }
+ },
+ "instancePoolId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. 
The Id of the instance pool this managed server belongs to."
+ }
+ },
+ "restorePointInTime": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database."
+ }
+ },
+ "sourceManagedInstanceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The resource identifier of the source managed instance associated with create operation of this instance."
+ }
+ },
+ "customerManagedEnryptionKeyUri": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The URI of the key (in Azure Key Vault) for transparent data encryption. The key vault must have SoftDelete enabled and must reside in the same region as the SQL MI. The managed identity of the SQL managed instance needs to have the following key permissions in the key vault: Get, Unwrap Key, Wrap Key. If blank, service managed key will be used."
+ }
+ },
+ "enableAdvancedDataSecurity": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided."
+ }
+ },
+ "vulnerabilityAssessmentsStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. A blob storage to hold the scan results."
+ }
+ },
+ "enableRecuringVulnerabilityAssessmentsScans": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Recurring scans state."
+ }
+ },
+ "sendScanReportEmailsToSubscriptionAdmins": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators."
+ }
+ },
+ "sendScanReportToEmailAddresses": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. Specifies an array of e-mail addresses to which the scan notification is sent."
+ }
+ },
+ "azureAdAdmin": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. An Azure Active Directory administrator account."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Key Vault from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "splittedKeyUri": "[split(parameters('customerManagedEnryptionKeyUri'), '/')]",
+ "serverKeyName": "[if(empty(parameters('customerManagedEnryptionKeyUri')), 'ServiceManaged', concat(split(variables('splittedKeyUri')[2], '.')[0], '_', variables('splittedKeyUri')[4], '_', variables('splittedKeyUri')[5]))]",
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "ResourceUsageStats",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "SQLSecurityAuditEvents",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ 
"ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed 
Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2020-08-01-preview", + "name": "[parameters('managedInstanceName')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]" + }, + "tags": "[parameters('tags')]", + "properties": { + "managedInstanceCreateMode": "[parameters('managedInstanceCreateMode')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "subnetId": "[parameters('subnetId')]", + "licenseType": "[parameters('licenseType')]", + "hardwareFamily": "[parameters('hardwareFamily')]", + "vCores": "[parameters('vCores')]", + "storageSizeInGB": "[parameters('storageSizeInGB')]", + "collation": "[parameters('collation')]", + "dnsZonePartner": "[parameters('dnsZonePartner')]", + "publicDataEndpointEnabled": "[parameters('publicDataEndpointEnabled')]", + "sourceManagedInstanceId": 
"[parameters('sourceManagedInstanceId')]", + "restorePointInTime": "[parameters('restorePointInTime')]", + "proxyOverride": "[parameters('proxyOverride')]", + "timezoneId": "[parameters('timezoneId')]", + "instancePoolId": "[parameters('instancePoolId')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/managedInstancesDoNotDelete", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]" + ], + "comments": "Resource lock on Azure SQL managed instance", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Sql/managedInstances/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": 
"[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "type": "Microsoft.Sql/managedInstances/keys", + "apiVersion": "2017-10-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/', variables('serverKeyName'))]", + "condition": "[not(empty(parameters('customerManagedEnryptionKeyUri')))]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]" + ], + "properties": { + "serverKeyType": "AzureKeyVault", + "uri": "[parameters('customerManagedEnryptionKeyUri')]" + } + }, + { + "type": "Microsoft.Sql/managedInstances/encryptionProtector", + "apiVersion": "2017-10-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/current')]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]", + "[resourceId('Microsoft.Sql/managedInstances/keys/', parameters('managedInstanceName'), variables('serverKeyName'))]" + ], + "properties": { + "serverKeyName": "[variables('serverKeyName')]", + "serverKeyType": "[if(empty(parameters('customerManagedEnryptionKeyUri')), 'ServiceManaged', 'AzureKeyVault')]", + "uri": "[parameters('customerManagedEnryptionKeyUri')]" + } + }, + { + "name": "[concat(parameters('managedInstanceName'), '/Default')]", + "type": "Microsoft.Sql/managedInstances/securityAlertPolicies", + "apiVersion": "2017-03-01-preview", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]" + ], + "properties": { + "state": "[if(parameters('enableAdvancedDataSecurity'), 'Enabled', 'Disabled')]", + "emailAccountAdmins": "[parameters('sendScanReportEmailsToSubscriptionAdmins')]" + } + }, + { + "name": "[concat(parameters('managedInstanceName'), '/Default')]", + "type": 
"Microsoft.Sql/managedInstances/vulnerabilityAssessments", + "apiVersion": "2018-06-01-preview", + "condition": "[parameters('enableAdvancedDataSecurity')]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]", + "[resourceId('Microsoft.Sql/managedInstances/securityAlertPolicies/', parameters('managedInstanceName'), 'Default')]" + ], + "properties": { + "storageContainerPath": "[if(parameters('enableAdvancedDataSecurity'), concat('https://', split(parameters('vulnerabilityAssessmentsStorageAccountId'), '/')[8],'.blob.core.windows.net/vulnerability-assessment/'), '')]", + //"storageContainerSasKey": "string", + "storageAccountAccessKey": "[if(parameters('enableAdvancedDataSecurity'), listKeys(parameters('vulnerabilityAssessmentsStorageAccountId'), '2019-06-01').keys[0].value, '')]", + "recurringScans": { + "isEnabled": "[parameters('enableRecuringVulnerabilityAssessmentsScans')]", + "emailSubscriptionAdmins": "[parameters('sendScanReportEmailsToSubscriptionAdmins')]", + "emails": "[parameters('sendScanReportToEmailAddresses')]" + } + } + }, + { + "type": "Microsoft.Sql/managedInstances/administrators", + "apiVersion": "2017-03-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/ActiveDirectory')]", + "condition": "[not(empty(parameters('azureAdAdmin')))]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]" + ], + "properties": { + "administratorType": "ActiveDirectory", + "login": "[parameters('azureAdAdmin').login]", + "sid": "[parameters('azureAdAdmin').sid]", + "tenantId": "[parameters('azureAdAdmin').tenantId]" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('managedInstanceName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": 
"[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "managedInstanceName": { + "value": "[parameters('managedInstanceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "managedInstanceName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('managedInstanceName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('managedInstanceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "managedInstanceName": { + "type": "string", + "value": "[parameters('managedInstanceName')]", + "metadata": { + "description": "The name of the SQL managed instance." 
+ } + }, + "managedInstanceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]", + "metadata": { + "description": "The Resource ID of the Managed instance." + } + }, + "managedInstanceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource grpup in which this resource has been created." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Sql/managedInstances/parameters/parameters.json b/arm/Microsoft.Sql/managedInstances/parameters/parameters.json new file mode 100644 index 0000000000..272f664054 --- /dev/null +++ b/arm/Microsoft.Sql/managedInstances/parameters/parameters.json 
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedInstanceName": {
+ "value": "sxx-az-sqlmi-weu-x-001"
+ },
+ "administratorLogin": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "administratorLogin"
+ }
+ },
+ "administratorLoginPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "administratorLoginPassword"
+ }
+ },
+ "subnetId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-sqlmi-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-005/subnets/sxx-az-subnet-weu-x-003"
+ },
+ "skuName": {
+ "value": "GP_Gen5"
+ },
+ "skuTier": {
+ "value": "GeneralPurpose"
+ },
+ "storageSizeInGB": {
+ "value": 32
+ },
+ "vCores": {
+ "value": 4
+ },
+ "licenseType": {
+ "value": "LicenseIncluded"
+ },
+ "hardwareFamily": {
+ "value": "Gen5"
+ },
+ "dnsZonePartner": {
+ "value": ""
+ },
+ "timezoneId": {
+ "value": "UTC"
+ },
+ "collation": {
+ "value": "SQL_Latin1_General_CP1_CI_AS"
+ },
+ "proxyOverride": {
+ "value": "Proxy"
+ },
+ "publicDataEndpointEnabled": {
+ "value": false
+ },
+ "enableAdvancedDataSecurity": {
+ "value": false
+ },
+ "enableRecuringVulnerabilityAssessmentsScans": {
+ "value": false
+ },
+ "sendScanReportEmailsToSubscriptionAdmins": {
+ "value": true
+ },
+ "sendScanReportToEmailAddresses": {
+ "value": ["test1@contoso.com", "test2@contoso.com"]
+ },
+ "lockForDeletion": {
+ "value": false
+ }
+ }
+}
diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md
new file mode 100644
index 0000000000..bdc968f0bc
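Review bot: The reference parameters set `enableAdvancedDataSecurity` and `enableRecuringVulnerabilityAssessmentsScans` to `false`, so the instance this file deploys gets its `securityAlertPolicies` state set to `'Disabled'` by the template, and the `vulnerabilityAssessments` resource (including its `listKeys` lookup) is skipped by its condition and never validated. The two e-mail settings below them only feed that disabled alert policy and the skipped vulnerability assessment. I would ship the sample with the feature on and a storage account supplied, i.e. `"enableAdvancedDataSecurity": { "value": true }` plus `"vulnerabilityAssessmentsStorageAccountId": { "value": "<storage-account-resource-id>" }`. Separately, the two `keyVault.id` values and `subnetId` embed a concrete subscription GUID and vault name; a labelled placeholder such as `/subscriptions/<subscription-id>/...` keeps environment identifiers out of the repository and stops a copied file from pointing at a vault the deployer does not own.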
--- /dev/null
+++ b/arm/Microsoft.Sql/managedInstances/readme.md
@@ -0,0 +1,139 @@ +# SQL Managed Instances + +This template deploys an SQL Managed Instance, with resource lock. + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Sql/managedInstances`|2018-06-01-preview| +|`Microsoft.Sql/managedInstances/keys`|2017-10-01-preview| +|`Microsoft.Sql/managedInstances/encryptionProtector`|2017-10-01-preview| +|`Microsoft.Sql/managedInstances/securityAlertPolicies`|2017-03-01-preview| +|`Microsoft.Sql/managedInstances/vulnerabilityAssessments`|2018-06-01-preview| +|`Microsoft.Sql/managedInstances/administrators`|2017-03-01-preview| +|`Microsoft.Sql/managedInstances/providers/diagnosticsettings`|2017-05-01-preview| +|`providers/locks`|1900-01-00| +|`Microsoft.Sql/managedInstances/providers/roleAssignments`|2018-09-01-preview| +|`Microsoft.Resources/deployments`|2019-10-01| + +### Deployment prerequisites +SQL Managed Instance is deployed on a virtual network. This network is required to satisfy the requirements explained [here](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-connectivity-architecture#network-requirements). In the module is a second ARM template UpdateSubnet.deploy.json, which configures a subnet to be ready for the SQL managed instance. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `administratorLogin` | string | Required. The username used to establish jumpbox VMs. | | | +| `administratorLoginPassword` | securestring | Required. The password given to the admin user. | | | +| `azureAdAdmin` | object | Optional. An Azure Active Directory administrator account. | | | +| `collation` | string | Optional. Collation of the managed instance. | SQL_Latin1_General_CP1_CI_AS | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `customerManagedEnryptionKeyUri` | string | Optional. 
The URI of the key (in Azure Key Vault) for transparent data encryption. The key vault must have SoftDelete enabled and must reside in the same region as the SQL MI. The managed identity of the SQL managed instance needs to have the following key permissions in the key vault: Get, Unwrap Key, Wrap Key. If blank, service managed key will be used. | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `dnsZonePartner` | string | Optional. The resource id of another managed instance whose DNS zone this managed instance will share after creation. | | | +| `enableAdvancedDataSecurity` | bool | Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. | False | | +| `enableRecuringVulnerabilityAssessmentsScans` | bool | Optional. Recurring scans state. | False | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `hardwareFamily` | string | Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here. | Gen5 | | +| `instancePoolId` | string | Optional. The Id of the instance pool this managed server belongs to. | | | +| `licenseType` | string | Optional. The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | LicenseIncluded | | +| `location` | string | Optional. 
Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | | +| `managedInstanceCreateMode` | string | Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | Default | | +| `managedInstanceName` | string | Required. The name of the SQL managed instance. | | | +| `proxyOverride` | string | Optional. Connection type used for connecting to the instance. | Proxy | +| `publicDataEndpointEnabled` | bool | Optional. Whether or not the public data endpoint is enabled. | False | | +| `restorePointInTime` | string | Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `sendScanReportEmailsToSubscriptionAdmins` | bool | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. | False | | +| `sendScanReportToEmailAddresses` | array | Optional. Specifies an array of e-mail addresses to which the scan notification is sent. | System.Object[] | | +| `skuName` | string | Optional. The name of the SKU, typically, a letter + Number code, e.g. P3. | GP_Gen5 | | +| `skuTier` | string | Optional. The tier or edition of the particular SKU, e.g. Basic, Premium. | GeneralPurpose | | +| `sourceManagedInstanceId` | string | Optional. 
The resource identifier of the source managed instance associated with create operation of this instance. | | | +| `storageSizeInGB` | int | Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | 32 | | +| `subnetId` | string | Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `timezoneId` | string | Optional. Id of the timezone. Allowed values are timezones supported by Windows. | UTC | | +| `vCores` | int | Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | 4 | | +| `vulnerabilityAssessmentsStorageAccountId` | string | Optional. A blob storage to hold the scan results. | | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | + +### Parameter Usage: `azureAdAdmin` + +```json +"azureAdAdmin": { + "value": { + "login": "username@contoso.com", + "sid": "111111-222222-33333-4444-5555555", + "tenantId": "a8f2ac6f-681f-4361-b51f-c85d86014a17" + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `managedInstanceName` | string | The name of the SQL managed instance. | +| `managedInstanceResourceGroup` | string | The Resource grpup in which this resource has been created. | +| `managedInstanceResourceId` | string | The Resource ID of the Managed instance. | + +## Considerations + +*N/A* + +## Additional resources + +- [Introduction to Azure SQL Managed Instance](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-index) +- [ARM Template schema for SQL Managed Instance](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/managedinstances) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Sql/serverDatabases/deploy.json b/arm/Microsoft.Sql/serverDatabases/deploy.json new file mode 100644 index 0000000000..85e85c0ece --- /dev/null +++ b/arm/Microsoft.Sql/serverDatabases/deploy.json 
@@ -0,0 +1,294 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "collation": { + "type": "string", + "metadata": { + "description": "Optional. The collation of the database." + } + }, + "databaseName": { + "type": "string", + "metadata": { + "description": "Required. The name of the database." + } + }, + "tier": { + "type": "string", + "metadata": { + "description": "Optional. The tier or edition of the particular SKU." + } + }, + "skuName": { + "type": "string", + "metadata": { + "description": "Required. The name of the SKU." + } + }, + "maxSizeBytes": { + "type": "int", + "metadata": { + "description": "Optional. The max size of the database expressed in bytes." + } + }, + "serverName": { + "type": "string", + "metadata": { + "description": "Required. The Name of SQL Server" + } + }, + "sampleName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the sample schema to apply when creating this database." + } + }, + "zoneRedundant": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether or not this database is zone redundant." + } + }, + "licenseType": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The license type to apply for this database." + } + }, + "readScaleOut": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Optional. The state of read-only routing." + } + }, + "numberOfReplicas": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. The number of readonly secondary replicas associated with the database." + } + }, + "minCapacity": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Minimal capacity that database will always have allocated." 
+ } + }, + "autoPauseDelay": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Time in minutes after which database is automatically paused." + } + }, + "enableADS": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether or not ADS is enabled." + } + }, + "enableVA": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether or not VA is enabled." + } + }, + "enablePrivateEndpoint": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether or not private Endpoint is enabled" + } + }, + "privateEndpointNestedTemplateId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Nested template ID." + } + }, + "privateEndpointSubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This is not requried anymore." + } + }, + "privateEndpointResourceGroup": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. private Endpoint Resource Group." + } + }, + "privateEndpointName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Private Endpoint Name." + } + }, + "privateEndpointLocation": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This is not required anymore." + } + }, + "privateEndpointSubnetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Subnet of Private endpoint." + } + }, + "privateLinkServiceName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. privatelink service name." + } + }, + "privateLinkServiceServiceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. For setting service connection." 
+ } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2019-06-01-preview", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "name": "[concat(parameters('serverName'), '/', parameters('databaseName'))]", + "properties": { + "collation": "[parameters('collation')]", + "maxSizeBytes": "[parameters('maxSizeBytes')]", + "sampleName": "[parameters('sampleName')]", + "zoneRedundant": "[parameters('zoneRedundant')]", + "licenseType": "[parameters('licenseType')]", + "readScale": "[parameters('readScaleOut')]", + "readReplicaCount": "[parameters('numberOfReplicas')]", + "minCapacity": "[parameters('minCapacity')]", + "autoPauseDelay": "[parameters('autoPauseDelay')]" + }, + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('tier')]" + } + }, + { + "condition": "[parameters('enablePrivateEndpoint')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[parameters('privateEndpointNestedTemplateId')]", + "properties": { + "mode": "Incremental", + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "name": "[parameters('privateEndpointName')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[parameters('privateLinkServiceName')]", + "properties": { + "privateLinkServiceId": "[parameters('privateLinkServiceServiceId')]", + "groupIds": [ + "SqlServer" + ], + "requestMessage": "AutoApproved" + } + } + ], + "subnet": { + "id": "[parameters('privateEndpointSubnetId')]" + } + }, + "type": "Microsoft.Network/privateEndpoints" + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "databaseName": { + "type": "string", + "value": "[parameters('databaseName')]", + "metadata": { + "description": "The name of the created database." + } + }, + "databaseResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Databse ResourceGroup." + } + }, + "serverName": { + "type": "string", + "value": "[parameters('serverName')]", + "metadata": { + "description": "The name of the target SQL Server instance." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Sql/serverDatabases/parameters/parameters.json b/arm/Microsoft.Sql/serverDatabases/parameters/parameters.json new file mode 100644 index 0000000000..03764225b1 --- /dev/null +++ b/arm/Microsoft.Sql/serverDatabases/parameters/parameters.json 
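Review bot: `enableADS` and `enableVA` are declared under `parameters`, but no entry in `resources` reads them, so setting them to `true` (as the accompanying `serverDatabases/parameters/parameters.json` does) deploys the database with neither control configured. A security switch that silently does nothing is misleading, because anyone reading the parameters file will assume the protection is on. Either drop both parameters from the template, the parameters file and the readme, or wire each to a conditional child resource. A minimal resource for `enableADS` (presumably Advanced Data Security) is sketched below. `enableVA` (presumably vulnerability assessment) would also need a storage target, which this template does not currently accept as a parameter.

```json
{
  "condition": "[parameters('enableADS')]",
  "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
  "apiVersion": "2018-06-01-preview",
  "name": "[concat(parameters('serverName'), '/', parameters('databaseName'), '/Default')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]"
  ],
  "properties": {
    "state": "Enabled"
  }
}
```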
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "collation": {
+ "value": "SQL_Latin1_General_CP1_CI_AS"
+ },
+ "databaseName": {
+ "value": "sxx-az-sqldb-weu-x-001"
+ },
+ "tier": {
+ "value": "GeneralPurpose"
+ },
+ "skuName": {
+ "value": "GP_Gen5_2"
+ },
+ "maxSizeBytes": {
+ "value": 34359738368
+ },
+ "sampleName": {
+ "value": ""
+ },
+ "serverName": {
+ "value": "sxx-az-sqlsrv-weu-x-001"
+ },
+ "zoneRedundant": {
+ "value": false
+ },
+ "licenseType": {
+ "value": "LicenseIncluded"
+ },
+ "readScaleOut": {
+ "value": "Disabled"
+ },
+ "numberOfReplicas": {
+ "value": 0
+ },
+ "enableADS": {
+ "value": true
+ },
+ "enableVA": {
+ "value": true
+ },
+ "enablePrivateEndpoint": {
+ "value": false
+ },
+ "privateEndpointNestedTemplateId": {
+ "value": "Nested-2019-9-25_11-55-27"
+ },
+ "privateEndpointSubscriptionId": {
+ "value": ""
+ },
+ "privateEndpointResourceGroup": {
+ "value": ""
+ },
+ "privateEndpointName": {
+ "value": ""
+ },
+ "privateEndpointLocation": {
+ "value": ""
+ },
+ "privateEndpointSubnetId": {
+ "value": ""
+ },
+ "privateLinkServiceName": {
+ "value": ""
+ },
+ "privateLinkServiceServiceId": {
+ "value": ""
+ },
+ "location":{
+ "value": "westeurope"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Sql/serverDatabases/readme.md b/arm/Microsoft.Sql/serverDatabases/readme.md
new file mode 100644
index 0000000000..b3bef37591
--- /dev/null
+++ b/arm/Microsoft.Sql/serverDatabases/readme.md
@@ -0,0 +1,79 @@ +# AzureSQLDatabase + +This module deploys an Azure SQL Server. + +## Resource types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Sql/servers/databases`|2017-10-01-preview| +|`Microsoft.Network/privateEndpoints`|2019-02-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `autoPauseDelay` | string | Optional. Time in minutes after which database is automatically paused. | | | +| `collation` | string | Optional. The collation of the database. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `databaseName` | string | Required. The name of the database. | | | +| `enableADS` | bool | Optional. Whether or not ADS is enabled. | False | | +| `enablePrivateEndpoint` | bool | Optional. Whether or not private Endpoint is enabled | False | | +| `enableVA` | bool | Optional. Whether or not VA is enabled. | False | | +| `licenseType` | string | Optional. The license type to apply for this database. | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `maxSizeBytes` | int | Optional. The max size of the database expressed in bytes. | | | +| `minCapacity` | string | Optional. Minimal capacity that database will always have allocated. | | | +| `numberOfReplicas` | int | Optional. The number of readonly secondary replicas associated with the database. | 0 | | +| `privateEndpointLocation` | string | Optional. This is not required anymore. | | | +| `privateEndpointName` | string | Optional. Private Endpoint Name. | | | +| `privateEndpointNestedTemplateId` | string | Optional. Nested template ID. | | | +| `privateEndpointResourceGroup` | string | Optional. private Endpoint Resource Group. | | | +| `privateEndpointSubnetId` | string | Optional. Subnet of Private endpoint. 
| | | +| `privateEndpointSubscriptionId` | string | Optional. This is not requried anymore. | | | +| `privateLinkServiceName` | string | Optional. privatelink service name. | | | +| `privateLinkServiceServiceId` | string | Optional. For setting service connection. | | | +| `readScaleOut` | string | Optional. The state of read-only routing. | Disabled | | +| `sampleName` | string | Optional. The name of the sample schema to apply when creating this database. | | | +| `serverName` | string | Required. The Name of SQL Server | | | +| `skuName` | string | Required. The name of the SKU. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `tier` | string | Optional. The tier or edition of the particular SKU. | | | +| `zoneRedundant` | bool | Optional. Whether or not this database is zone redundant. | False | | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `databaseName` | string | The name of the created database. | +| `databaseResourceGroup` | string | Name of the Databse ResourceGroup. | +| `serverName` | string | The name of the target SQL Server instance. 
| + +## Considerations + +*N/A* + +## Additional resources + +- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/bastionhosts) +- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) +- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) diff --git a/arm/Microsoft.Sql/servers/deploy.json b/arm/Microsoft.Sql/servers/deploy.json new file mode 100644 index 0000000000..300ecbcae2 --- /dev/null +++ b/arm/Microsoft.Sql/servers/deploy.json 
@@ -0,0 +1,397 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "administratorLogin": { + "type": "string", + "metadata": { + "description": "Required. Administrator username for the server." + } + }, + "administratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "Required. The administrator login password." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "serverName": { + "type": "string", + "metadata": { + "description": "Required. The name of the server." + } + }, + "enableADS": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether or not ADS should be enabled." + } + }, + "allowAzureIps": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Required. Whether or not Azure IP's are allowed." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "subscriptionId": "[subscription().subscriptionId]", + "resourceGroupName": "[resourceGroup().name]", + "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('resourceGroupName'), parameters('location'))]", + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data 
Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "apiVersion": "2020-02-02-preview", + "location": "[parameters('location')]", + "name": "[parameters('serverName')]", + "tags": "[parameters('tags')]", + 
"properties": { + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "version": "12.0" + }, + "resources": [ + { + "condition": "[parameters('allowAzureIps')]", + "apiVersion": "2014-04-01-preview", + "dependsOn": [ + "[concat('Microsoft.Sql/servers/', parameters('serverName'))]" + ], + "location": "[parameters('location')]", + "name": "AllowAllWindowsAzureIps", + "properties": { + "endIpAddress": "0.0.0.0", + "startIpAddress": "0.0.0.0" + }, + "type": "firewallrules" + }, + { + "condition": "[parameters('enableADS')]", + "apiVersion": "2017-03-01-preview", + "type": "securityAlertPolicies", + "name": "Default", + "dependsOn": [ + "[concat('Microsoft.Sql/servers/', parameters('serverName'))]" + ], + "properties": { + "state": "Enabled", + "disabledAlerts": [ + ], + "emailAddresses": [ + ], + "emailAccountAdmins": true + } + } + ], + "type": "Microsoft.Sql/servers" + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('serverName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "serverName": { + "value": "[parameters('serverName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "serverName": { + "type": "string" + } + }, + "resources": [ + { + 
"type": "Microsoft.Sql/servers/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('serverName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('serverName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "serverName": { + "type": "string", + "value": "[parameters('serverName')]", + "metadata": { + "description": "The name of the target SQL Server instance." + } + }, + "serverResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]", + "metadata": { + "description": "The resource ID of the server." + } + }, + "serverResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group in which the server is created." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Sql/servers/parameters/parameters.json b/arm/Microsoft.Sql/servers/parameters/parameters.json new file mode 100644 index 0000000000..ae0f052f12 --- /dev/null +++ b/arm/Microsoft.Sql/servers/parameters/parameters.json 
@@ -0,0 +1,42 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "allowAzureIps": {
+ "value": false
+ },
+ "administratorLogin": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "administratorLogin"
+ }
+ },
+ "administratorLoginPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.KeyVault/vaults/sxx-az-kv-weu-x-004"
+ },
+ "secretName": "administratorLoginPassword"
+ }
+ },
+ "location": {
+ "value": "westeurope"
+ },
+ "serverName": {
+ "value": "sxx-az-sqlsrv-weu-x-001"
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // },
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
new file mode 100644
index 0000000000..ab99f6efa1
--- /dev/null
+++ b/arm/Microsoft.Sql/servers/readme.md
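Review bot: The commented-out `roleAssignments` block after the `serverName` entry puts `//` comments into a file named `parameters.json`, so any step that reads it with a strict JSON parser will reject it; whether the deployment tooling used here tolerates comments is not visible from the patch. The block also cannot simply be uncommented: there is no comma after the `serverName` entry, and its own closing `// },` would become a trailing comma before the final `}`. The readme added in the same commit already carries this example, so I would delete the eleven `//` lines and leave `"serverName": { "value": "sxx-az-sqlsrv-weu-x-001" }` as the last parameter. Separately, both Key Vault `reference` entries hard-code one subscription GUID and vault name in `id`, which ties the file to a single environment; if it is meant as a reusable sample, a placeholder such as `/subscriptions/<subscriptionId>/...` would be clearer.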
@@ -0,0 +1,93 @@
+# AzureSQLServer
+
+This module deploys an Azure SQL Server.
+
+
+## Resource types
+
+|Resource Type|Api Version|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Sql/servers`|2015-05-01-preview|
+|`firewallrules`|2014-04-01-preview|
+|`securityAlertPolicies`|2017-03-01-preview|
+|`Microsoft.Sql/servers/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `administratorLogin` | string | Required. Administrator username for the server. | | |
+| `administratorLoginPassword` | securestring | Required. The administrator login password. | | |
+| `allowAzureIps` | bool | Required. Whether or not Azure IP's are allowed. | False | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `enableADS` | bool | Optional. Whether or not ADS should be enabled. | False | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `serverName` | string | Required. The name of the server. | | |
+| `tags` | object | Optional. Tags of the resource. | | |
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `serverName` | string | The name of the target SQL Server instance. |
+| `serverResourceGroup` | string | The Resource Group in which the server is created. |
+| `serverResourceId` | string | The resource ID of the server. |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/bastionhosts)
+- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview)
+- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.json b/arm/Microsoft.Storage/storageAccounts/deploy.json
new file mode 100644
index 0000000000..41fbb35376
--- /dev/null
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.json
@@ -0,0 +1,1287 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 24,
+ "metadata": {
+ "description": "Optional. Name of the Storage Account. If no name is provided, then unique name will be created."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "managedServiceIdentity": {
+ "type": "string",
+ "defaultValue": "None",
+ "allowedValues": [
+ "None",
+ "SystemAssigned",
+ "UserAssigned",
+ "SystemAssigned, UserAssigned",
+ "UserAssigned, SystemAssigned"
+ ],
+ "metadata": {
+ "description": "Optional. Type of managed service identity."
+ }
+ },
+ "userAssignedIdentities": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource."
+ }
+ },
+ "storageAccountKind": {
+ "type": "string",
+ "defaultValue": "StorageV2",
+ "allowedValues": [
+ "Storage",
+ "StorageV2",
+ "BlobStorage",
+ "FileStorage",
+ "BlockBlobStorage"
+ ],
+ "metadata": {
+ "description": "Optional. Type of Storage Account to create."
+ }
+ },
+ "storageAccountSku": {
+ "type": "string",
+ "defaultValue": "Standard_GRS",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS",
+ "Standard_RAGRS",
+ "Standard_ZRS",
+ "Premium_LRS",
+ "Premium_ZRS",
+ "Standard_GZRS",
+ "Standard_RAGZRS"
+ ],
+ "metadata": {
+ "description": "Optional. Storage Account Sku Name."
+ }
+ },
+ "storageAccountAccessTier": {
+ "type": "string",
+ "defaultValue": "Hot",
+ "allowedValues": [
+ "Hot",
+ "Cool"
+ ],
+ "metadata": {
+ "description": "Optional. Storage Account Access Tier."
+ }
+ },
+ "azureFilesIdentityBasedAuthentication": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Provides the identity based authentication settings for Azure Files."
+ }
+ },
+ "vNetId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Virtual Network Identifier used to create a service endpoint."
+ }
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ }
+ },
+ "networkAcls": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information."
+ }
+ },
+ "blobContainers": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. Blob containers to create."
+ }
+ },
+ "deleteRetentionPolicy": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether DeleteRetentionPolicy is enabled for the Blob service."
+ }
+ },
+ "deleteRetentionPolicyDays": {
+ "type": "int",
+ "defaultValue": 7,
+ "metadata": {
+ "description": "Optional. Indicates the number of days that the deleted blob should be retained. The minimum specified value can be 1 and the maximum value can be 365."
+ }
+ },
+ "automaticSnapshotPolicyEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Automatic Snapshot is enabled if set to true."
+ }
+ },
+ "allowBlobPublicAccess": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether public access is enabled for all blobs or containers in the storage account."
+ }
+ },
+ "fileShares": {
+ "type": "array",
+ "defaultValue": [
+ ],
+ "metadata": {
+ "description": "Optional. File shares to create."
+ }
+ },
+ "queues": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Queues to create."
+ }
+ },
+ "tables": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Tables to create."
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "string",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_0",
+ "TLS1_1",
+ "TLS1_2"
+ ],
+ "metadata": {
+ "description": "Optional. Set the minimum TLS version on request to storage."
+ }
+ },
+ "enableArchiveAndDelete": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. If true, enables move to archive tier and auto-delete"
+ }
+ },
+ "enableHierarchicalNamespace": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. If true, enables Hierarchical Namespace for the storage account"
+ }
+ },
+ "moveToArchiveAfter": {
+ "type": "int",
+ "defaultValue": 30,
+ "metadata": {
+ "description": "Optional. Set up the amount of days after which the blobs will be moved to archive tier"
+ }
+ },
+ "deleteBlobsAfter": {
+ "type": "int",
+ "defaultValue": 1096,
+ "metadata": {
+ "description": "Optional. Set up the amount of days after which the blobs will be deleted"
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock storage from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ },
+ "sasTokenValidityLength": {
+ "defaultValue": "PT8H",
+ "type": "string",
+ "metadata": {
+ "description": "Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours."
+ }
+ },
+ "baseTime": {
+ "type": "string",
+ "defaultValue": "[utcNow('u')]",
+ "metadata": {
+ "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules."
+ }
+ }
+ },
+ "variables": {
+ // SAS token validity calculation - DO NOT CHANGE THESE VALUES !
+
+ "moduleName": "Storage Account",
+ "maxNameLength": 24,
+ "uniqueStoragenameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]",
+ "uniqueStoragename": "[if(greater(length(variables('uniqueStoragenameUntrim')),variables('maxNameLength')),substring(variables('uniqueStoragenameUntrim'),0,variables('maxNameLength')),variables('uniqueStoragenameUntrim'))]",
+ "storageAccountName": "[if(empty(parameters('storageAccountName')),variables('uniqueStoragename'),parameters('storageAccountName'))]",
+
+ "accountSasProperties": {
+ "signedServices": "bt", //Blob (b), Queue (q), Table (t), File (f).
+ "signedPermission": "racuw", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p)
+ "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z
+ "signedResourceTypes": "co", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files.
+ "signedProtocol": "https"
+ },
+ "virtualNetworkRules": {
+ "copy": [
+ {
+ "name": "virtualNetworkRules",
+ "count": "[if(empty(parameters('networkAcls')), 0, length(parameters('networkAcls').virtualNetworkRules))]",
+ "input": {
+ "id": "[concat(parameters('vNetId'), '/subnets/', parameters('networkAcls').virtualNetworkRules[copyIndex('virtualNetworkRules')].subnet)]"
+ }
+ }
+ ]
+ },
+ "networkAcls": {
+ "bypass": "[if(empty(parameters('networkAcls')), json('null'), parameters('networkAcls').bypass)]",
+ "defaultAction": "[if(empty(parameters('networkAcls')), json('null'), parameters('networkAcls').defaultAction)]",
+ "virtualNetworkRules": "[if(empty(parameters('networkAcls')), json('null'), variables('virtualNetworkRules').virtualNetworkRules)]",
+ "ipRules": "[if(empty(parameters('networkAcls')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), json('null'), parameters('networkAcls').ipRules))]"
+ },
+ "azureFilesIdentityBasedAuthentication": "[parameters('azureFilesIdentityBasedAuthentication')]",
+ // It was needed to decouple the Stroage Account Parameters to a variable, as this was the only option to keep not let the azureFilesIdentityBasedAuthentication
+ // configuration changed back to null, when not providing a corresponding input parameter. With other word, using the json('null') expression in the body
+ // of the Storage Account's properties block did not achieve the desired results.
+ "saBaseProperties": {
+ "encryption": {
+ "keySource": "Microsoft.Storage",
+ "services": {
+ "blob": "[if(or(equals(parameters('storageAccountKind'), 'BlockBlobStorage'), equals(parameters('storageAccountKind'), 'BlobStorage'), equals(parameters('storageAccountKind'), 'StorageV2'), equals(parameters('storageAccountKind'), 'Storage')), json('{\"enabled\": true}'), json('null'))]",
+ "file": "[if(or(equals(parameters('storageAccountKind'), 'FileStorage'), equals(parameters('storageAccountKind'), 'StorageV2'), equals(parameters('storageAccountKind'), 'Storage')), json('{\"enabled\": true}'), json('null'))]"
+ }
+ },
+ "accessTier": "[parameters('storageAccountAccessTier')]",
+ "supportsHttpsTrafficOnly": true,
+ "isHnsEnabled": "[if(not(parameters('enableHierarchicalNamespace')), json('null'), parameters('enableHierarchicalNamespace'))]",
+ "minimumTlsVersion": "[parameters('minimumTlsVersion')]",
+ "networkAcls": "[if(empty(parameters('networkAcls')), json('null'), variables('networkAcls'))]",
+ "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]"
+ },
+ "saOptIdBasedAuthProperties": {
+ "azureFilesIdentityBasedAuthentication": "[variables('azureFilesIdentityBasedAuthentication')]"
+ },
+ "saProperties": "[if(empty(parameters('azureFilesIdentityBasedAuthentication')), variables('saBaseProperties'), union(variables('saBaseProperties'), variables('saOptIdBasedAuthProperties') ))]",
+ "builtInRoleNames": {
+ "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
+ "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
+ "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
+ "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
+ "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
+ "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
+ "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
+ "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
+ "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
+ "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
+ "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
+ "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
+ "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
+ "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
+ "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
+ "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
+ "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
+ "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
+ "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
+ "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
+ "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
+ "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",
+ "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",
+ "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
+ "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
+ "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
+ "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
+ "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
+ "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
+ "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
+ "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
+ "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
+ "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
+ "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
+ "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
+ "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+ "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
+ "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
+ "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
+ "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
+ "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
+ "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
+ "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24",
+ "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
+ "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
+ "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
+ "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
+ "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
+ "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
+ "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
+ "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
+ "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
+ "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
+ "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe",
+ "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
+ "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
+ "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
+ "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
+ "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
+ "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
+ "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
+ "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
+ "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
+ "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
+ "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
+ "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
+ "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
+ "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
+ "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
+ "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
+ "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
+ "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
+ "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
+ "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
+ "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
+ "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
+ "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
+ "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
+ "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
+ "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
+ "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c",
+ "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c",
+ "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1",
+ "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
+ "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
+ "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
+ "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
+ "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9",
+ "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
+ "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
+ "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
+ "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb",
+ "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624",
+ "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
+ "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
+ "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
+ "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
+ "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c",
+ "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
+ "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
+ "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
+ "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
+ "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
+ "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
+ "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
+ "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
+ "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
+ "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
+ "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
+ "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
+ "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
+ "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f",
+ "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
+ "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
+ "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
+ "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
+ "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745",
+ "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
+ "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
+ "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+ "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
+ "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
+ "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
+ "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
+ "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
+ "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
+ "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
+ "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
+ "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
+ "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
+ "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
+ "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
+ "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
+ "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
+ "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
+ "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
+ "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
+ "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
+ "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
+ "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
+ "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
+ "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
+ "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
+ "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
+ "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
+ "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
+ "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
+ "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
+ "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
+ "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
+ "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
+ "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
+ "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
+ "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
+ "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
+ "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
+ "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
+ "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
+ "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
+ "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
+ "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
+ "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+ "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
+ "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
+ "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
+ "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
+ "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d"
+ }
+ },
+ "resources": [
+ // cuaId
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ // storage account
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "kind": "[parameters('storageAccountKind')]",
+ "sku": {
+ "name": "[parameters('storageAccountSku')]"
+ },
+ "identity": {
+ "type": "[parameters('managedServiceIdentity')]",
+ "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')),json('null'),parameters('userAssignedIdentities') )]"
+ },
+ "tags": "[parameters('tags')]",
+ // It was needed to decouple the Storage Account Parameters to a variable, as this was the only option to keep not let the azureFilesIdentityBasedAuthentication
+ // configuration changed back to null, when not providing a corresponding input parameter. With other word, using the json('null') expression in the body
+ // of the Storage Account's properties block did not achieve the desired results.
+ "properties": "[variables('saProperties')]",
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/storageDoNotDelete",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ ],
+ "comments": "Resource lock on the Storage Account",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ]
+ },
+ // private endpoints
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Storage-PrivateEndpoints','-',copyIndex())]",
+ "condition": "[not(empty(parameters('privateEndpoints')))]",
+ "dependsOn": [
+ "[variables('storageAccountName')]"
+ ],
+ "copy": {
+ "name": "privateEndpointsCopy",
+ "count": "[length(parameters('privateEndpoints'))]",
+ "mode": "Serial"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "privateEndpointResourceId": {
+ "value": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ },
+ "privateEndpointVnetLocation": {
+ "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]"
+ },
+ "privateEndpoint": {
+ "value": "[parameters('privateEndpoints')[copyIndex()]]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateEndpointResourceId": {
+ "type": "string"
+ },
+ "privateEndpointVnetLocation": {
+ "type": "string"
+ },
+ "privateEndpoint": {
+ "type": "object"
+ },
+ "tags": {
+ "type": "object"
+ }
+ },
+ "variables": {
+ "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]",
+ "privateEndpoint": {
+ "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]",
+ "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]",
+ "service": [
+ "[parameters('privateEndpoint').service]"
+ ],
+ "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]",
+ "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/privateEndpoints",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('privateEndpoint').name]",
+ "location": "[parameters('privateEndpointVnetLocation')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "privateLinkServiceConnections": [
+ {
+ "name": "[variables('privateEndpoint').name]",
+ "properties": {
+ "privateLinkServiceId": "[parameters('privateEndpointResourceId')]",
+ "groupIds": "[variables('privateEndpoint').service]"
+ }
+ }
+ ],
+ "manualPrivateLinkServiceConnections": [],
+ "subnet": {
+ "id": "[variables('privateEndpoint').subnetResourceId]"
+ },
+ "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "apiVersion": "2020-05-01",
+ "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]",
+ "name": "[concat(variables('privateEndpoint').name, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]"
+ ],
+ "properties": {
+ "copy": [
+ {
+ "name": "privateDnsZoneConfigs",
+ "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]",
+ "input": {
+ "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]",
+ "properties": {
+ "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ // storage account RBAC
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Storage-Rbac-', copyIndex())]",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "dependsOn": [
+ "[variables('storageAccountName')]"
+ ],
+ "copy": {
+ "name": "storageRbacDeplCopy",
+ "count": "[length(parameters('roleAssignments'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleAssignment": {
+ "value": "[parameters('roleAssignments')[copyIndex()]]"
+ },
+ "builtInRoleNames": {
+ "value": "[variables('builtInRoleNames')]"
+ },
+ "storageAccountName": {
+ "value": "[variables('storageAccountName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignment": {
+ "type": "object"
+ },
+ "builtInRoleNames": {
+ "type": "object"
+ },
+ "storageAccountName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(parameters('storageAccountName'), array(parameters('roleAssignment').principalIds)[copyIndex('storageInnerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]",
+ "dependsOn": [
+ ],
+ "copy": {
+ "name": "storageInnerRbacCopy",
+ "count": "[length(parameters('roleAssignment').principalIds)]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
+ }
+ }
+ ]
+ }
+ }
+ },
+ // blob services
+ {
+
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('storageAccountName'), '/default')]",
+ "condition": "[not(empty(parameters('blobContainers')))]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "deleteRetentionPolicy": {
+ "enabled": "[parameters('deleteRetentionPolicy')]",
+ "days": "[parameters('deleteRetentionPolicyDays')]"
+ },
+ "automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]"
+ }
+ },
+ // storage container
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[if(empty(parameters('blobContainers')), concat(variables('storageAccountName'), '/', 'default/dummy'), concat(variables('storageAccountName'), '/default/', parameters('blobContainers')[copyIndex()].name))]",
+ "condition": "[not(empty(parameters('blobContainers')))]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ ],
+ "copy": {
+ "name": "containerLoop",
+ "count": "[length(parameters('blobContainers'))]"
+ },
+ "properties": {
+ "publicAccess": "[parameters('blobContainers')[copyIndex()].publicAccess]"
+ },
+ "resources": [
+ {
+ "type": "immutabilityPolicies",
+ "apiVersion": "2019-06-01",
+ "name": "default",
+ "condition": "[and(not(empty(parameters('blobContainers'))),contains(parameters('blobContainers')[copyIndex('containerLoop')],'enableWORM'),parameters('blobContainers')[copyIndex('containerLoop')].enableWORM)]",
+ "dependsOn": [
+ "[concat(resourceId('Microsoft.Storage/storageAccounts/',variables('storageAccountName')),'/blobServices/default/containers/',if(empty(parameters('blobContainers')),'dummy',parameters('blobContainers')[copyIndex('containerLoop')].name))]"
+ ],
+ "properties": {
+ "immutabilityPeriodSinceCreationInDays": "[if(contains(parameters('blobContainers')[copyIndex('containerLoop')],'WORMRetention'),parameters('blobContainers')[copyIndex('containerLoop')].WORMRetention,365)]",
+ "allowProtectedAppendWrites": "[if(contains(parameters('blobContainers')[copyIndex('containerLoop')],'allowProtectedAppendWrites'),parameters('blobContainers')[copyIndex('containerLoop')].allowProtectedAppendWrites,true())]"
+ }
+ }
+ ]
+ },
+ // lifecycle policy
+ {
+ "type": "Microsoft.Storage/storageAccounts/managementPolicies",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('storageAccountName'), '/default')]",
+ "condition": "[parameters('enableArchiveAndDelete')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/',variables('storageAccountName'))]" + ], + "properties": { + "policy": { + "rules": [ + { + "enabled": true, + "name": "retention-policy", + "type": "Lifecycle", + "definition": { + "actions": { + "baseBlob": { + "tierToArchive": { + "daysAfterModificationGreaterThan": "[parameters('moveToArchiveAfter')]" + }, + "delete": { + "daysAfterModificationGreaterThan": "[parameters('deleteBlobsAfter')]" + } + }, + "snapshot": { + "delete": { + "daysAfterCreationGreaterThan": "[parameters('deleteBlobsAfter')]" + } + } + }, + "filters": { + "blobTypes": [ + "blockBlob" + ] + } + } + } + ] + } + } + }, + // storage container RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Storage-Container-', if(empty(parameters('blobContainers')), 'dummy', copyIndex()) )]", + "condition": "[not(empty(parameters('blobContainers')))]", + "dependsOn": [ + "containerLoop" + ], + "copy": { + "name": "containerDeplLoop", + "count": "[length(parameters('blobContainers'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "blobContainer": { + "value": "[parameters('blobContainers')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "storageAccountName": { + "value": "[variables('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "blobContainer": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Rbac-', if(empty(parameters('blobContainer').roleAssignments),'dummy', 
copyIndex()) )]", + "condition": "[not(empty(array(parameters('blobContainer').roleAssignments)))]", + "dependsOn": [ + ], + "copy": { + "name": "containerRbacDeplLoop", + "count": "[length(array(parameters('blobContainer').roleAssignments))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "blobContainerName": { + "value": "[parameters('blobContainer').name]" + }, + "roleAssignment": { + "value": "[array(parameters('blobContainer').roleAssignments)[copyIndex('containerRbacDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "blobContainerName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('storageAccountName'), '/default/', parameters('blobContainerName') ,'/Microsoft.Authorization/', if(empty(parameters('roleAssignment')), guid(parameters('storageAccountName')), guid(parameters('storageAccountName'), parameters('blobContainerName'), array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')], parameters('roleAssignment').roleDefinitionIdOrName )))]", + "condition": "[not(empty(parameters('roleAssignment')))]", + "copy": { + "name": "containerRbacLoop", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), 
parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')]]" + } + } + ] + } + } + } + ] + } + } + }, + // file share + { + "type": "Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[if(empty(parameters('fileShares')), concat(variables('storageAccountName'), '/', 'default/dummy'), concat(variables('storageAccountName'), '/default/', parameters('fileShares')[copyIndex()].name))]", + "condition": "[not(empty(parameters('fileShares')))]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" + ], + "copy": { + "name": "fileShareLoop", + "count": "[length(parameters('fileShares'))]" + }, + "properties": { + "shareQuota": "[parameters('fileShares')[copyIndex()].shareQuota]" + } + }, + // file share RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Storage-FileShare-', if(empty(parameters('fileShares')), 'dummy', copyIndex()) )]", + "condition": "[not(empty(parameters('fileShares')))]", + "dependsOn": [ + "fileShareLoop" + ], + "copy": { + "name": "fileShareDeplLoop", + "count": "[length(parameters('fileShares'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "fileShare": { + "value": "[parameters('fileShares')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "storageAccountName": { + "value": "[variables('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "fileShare": { + "type": "object" + }, + "builtInRoleNames": { + 
"type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Rbac-', if(empty(parameters('fileShare').roleAssignments),'dummy', copyIndex()) )]", + "condition": "[not(empty(array(parameters('fileShare').roleAssignments)))]", + "dependsOn": [ + ], + "copy": { + "name": "fileShareRbacDeplLoop", + "count": "[length(array(parameters('fileShare').roleAssignments))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "fileShareName": { + "value": "[parameters('fileShare').name]" + }, + "roleAssignment": { + "value": "[array(parameters('fileShare').roleAssignments)[copyIndex('fileShareRbacDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "fileShareName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/fileServices/fileshares/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('storageAccountName'), '/default/', parameters('fileShareName') ,'/Microsoft.Authorization/', if(empty(parameters('roleAssignment')), guid(parameters('storageAccountName')), guid(parameters('storageAccountName'), parameters('fileShareName'), array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')], parameters('roleAssignment').roleDefinitionIdOrName )))]", + "condition": "[not(empty(parameters('roleAssignment')))]", + "copy": { + "name": 
"containerRbacLoop", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')]]" + } + } + ] + } + } + } + ] + } + } + }, + // queue + { + "type": "Microsoft.Storage/storageAccounts/queueServices/queues", + "apiVersion": "2019-06-01", + "name": "[if(empty(parameters('queues')), concat(variables('storageAccountName'), '/', 'default/dummy'), concat(variables('storageAccountName'), '/default/', parameters('queues')[copyIndex()].name))]", + "condition": "[not(empty(parameters('queues')))]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" + ], + "copy": { + "name": "queueLoop", + "count": "[length(parameters('queues'))]" + }, + "properties": { + "metadata": "[if(contains(parameters('queues')[copyIndex()], 'metadata'), parameters('queues')[copyIndex()].metadata, json('null'))]" + } + }, + // queue RBAC + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-Storage-Queue-', if(empty(parameters('queues')), 'dummy', copyIndex()) )]", + "condition": "[not(empty(parameters('queues')))]", + "dependsOn": [ + "queueLoop" + ], + "copy": { + "name": "queueDeplLoop", + "count": "[length(parameters('queues'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "queue": { + "value": "[parameters('queues')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "storageAccountName": { + "value": 
"[variables('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "queue": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(deployment().name, '-Rbac-', if(empty(parameters('queue').roleAssignments),'dummy', copyIndex()) )]", + "condition": "[not(empty(array(parameters('queue').roleAssignments)))]", + "dependsOn": [ + ], + "copy": { + "name": "queueRbacDeplLoop", + "count": "[length(array(parameters('queue').roleAssignments))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "queueName": { + "value": "[parameters('queue').name]" + }, + "roleAssignment": { + "value": "[array(parameters('queue').roleAssignments)[copyIndex('queueRbacDeplLoop')]]" + }, + "builtInRoleNames": { + "value": "[parameters('builtInRoleNames')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "queueName": { + "type": "string" + }, + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "storageAccountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('storageAccountName'), '/default/', parameters('queueName') ,'/Microsoft.Authorization/', if(empty(parameters('roleAssignment')), guid(parameters('storageAccountName')), guid(parameters('storageAccountName'), parameters('queueName'), 
array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')], parameters('roleAssignment').roleDefinitionIdOrName )))]", + "condition": "[not(empty(parameters('roleAssignment')))]", + "copy": { + "name": "containerRbacLoop", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('containerRbacLoop')]]" + } + } + ] + } + } + } + ] + } + } + }, + // table + { + "type": "Microsoft.Storage/storageAccounts/tableServices/tables", + "apiVersion": "2019-06-01", + "name": "[if(empty(parameters('tables')), concat(variables('storageAccountName'), '/default/dummy'), concat(variables('storageAccountName'), '/default/', parameters('tables')[copyIndex()]))]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" + ], + "copy": { + "name": "tablesLoop", + "count": "[length(parameters('tables'))]" + } + } + ], + "functions": [ + ], + "outputs": { + "storageAccountsResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "metadata": { + "description": "The Resource Id of the Storage Account." + } + }, + "storageAccountsRegion": { + "type": "string", + "value": "[parameters('location')]", + "metadata": { + "description": "The Region of the Storage Account." + } + }, + "storageAccountsName": { + "type": "string", + "value": "[variables('storageAccountName')]", + "metadata": { + "description": "The Name of the Storage Account." 
+ } + }, + "storageAccountsResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the Storage Account was created in." + } + }, + "storageAccountsSasToken": { + "type": "securestring", + "value": "[listAccountSas(variables('storageAccountName'), '2019-04-01', variables('accountSasProperties')).accountSasToken]", + "metadata": { + "description": "The SAS Token for the Storage Account." + } + }, + "storageAccountsAccessKey": { + "type": "securestring", + "value": "[listKeys(variables('storageAccountName'), '2016-12-01').keys[0].value]", + "metadata": { + "description": "The Access Key for the Storage Account." + } + }, + "storageAccountsPrimaryBlobEndpoint": { + "type": "string", + "value": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2019-04-01').primaryEndpoints.blob]", + "metadata": { + "description": "The public endpoint of the Storage Account." + } + }, + "blobContainers": { + "type": "array", + "value": "[parameters('blobContainers')]", + "metadata": { + "description": "The array of the blob containers created." + } + }, + "fileShares": { + "type": "array", + "value": "[parameters('fileShares')]", + "metadata": { + "description": "The array of the file shares created." + } + }, + "queues": { + "type": "array", + "value": "[parameters('queues')]", + "metadata": { + "description": "The array of the queues created." + } + }, + "tables": { + "type": "array", + "value": "[parameters('tables')]", + "metadata": { + "description": "The array of the tables created." 
+ }
+ },
+ "assignedIdentityID": {
+ "type": "string",
+ "value":"[if(contains(parameters('managedServiceIdentity'),'SystemAssigned'),reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'full').identity.principalId,'')]",
+ "metadata": {
+ "description": "User id of the created system assigned identity"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Storage/storageAccounts/parameters/noname.parameters.json b/arm/Microsoft.Storage/storageAccounts/parameters/noname.parameters.json
new file mode 100644
index 0000000000..87393f018a
--- /dev/null
+++ b/arm/Microsoft.Storage/storageAccounts/parameters/noname.parameters.json
@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountKind": {
+ "value": "StorageV2"
+ },
+ "storageAccountSku": {
+ "value": "Standard_LRS"
+ },
+ "storageAccountAccessTier": {
+ "value": "Hot"
+ },
+ "deleteRetentionPolicy": {
+ "value": true
+ },
+ "deleteRetentionPolicyDays": {
+ "value": 7
+ },
+ "automaticSnapshotPolicyEnabled": {
+ "value": false
+ },
+ "minimumTlsVersion": {
+ "value": "TLS1_2"
+ },
+ "blobContainers": {
+ "value": [
+ {
+ "name": "wvdscripts",
+ "publicAccess": "Container",
+ "roleAssignments": []
+ },
+ {
+ "name": "wvdsoftware",
+ "publicAccess": "Container",
+ "roleAssignments": []
+ },
+ {
+ "name": "archivecontainer",
+ "publicAccess": "Container",
+ "enableWORM": true,
+ "WORMRetention": 666,
+ "allowProtectedAppendWrites": false,
+ "roleAssignments": []
+ }
+ ]
+ },
+ "enableArchiveAndDelete": {
+ "value": true
+ },
+ "fileShares": {
+ "value": [
+ {
+ "name": "wvdprofiles",
+ "shareQuota": "5120",
+ "roleAssignments": []
+ },
+ {
+ "name": "wvdprofiles2",
+ "shareQuota": "5120",
+ "roleAssignments": []
+ }
+ ]
+ },
+ "tables": {
+ "value": [
+ "table1",
+ "table2"
+ ]
+ },
+ "queues": {
+ "value": [
+ {
+ "name": "queue1",
+ "metadata": {},
+ "roleAssignments": []
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Storage/storageAccounts/parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/parameters/parameters.json
new file mode 100644
index 0000000000..815cc81212
--- /dev/null
+++ b/arm/Microsoft.Storage/storageAccounts/parameters/parameters.json
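Review bot: All three `blobContainers` entries in noname.parameters.json set `"publicAccess": "Container"`, which allows anonymous read and list access to every blob in `wvdscripts`, `wvdsoftware` and the WORM-protected `archivecontainer`. A parameter file that is likely to be copied as a starting point should default to `"publicAccess": "None"` and grant access through `roleAssignments` instead. The readme added in this patch lists `allowBlobPublicAccess` with a default of True, so nothing at the account level appears to block the container setting. The same three values appear in `parameters/parameters.json` in the next hunk and should change with these.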
@@ -0,0 +1,149 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "value": "sxxazsacacy1312"
+ },
+ "storageAccountKind": {
+ "value": "StorageV2"
+ },
+ "managedServiceIdentity": {
+ "value": "SystemAssigned"
+ },
+ "storageAccountSku": {
+ "value": "Standard_LRS"
+ },
+ "storageAccountAccessTier": {
+ "value": "Hot"
+ },
+ "deleteRetentionPolicy": {
+ "value": true
+ },
+ "deleteRetentionPolicyDays": {
+ "value": 7
+ },
+ "automaticSnapshotPolicyEnabled": {
+ "value": false
+ },
+ "minimumTlsVersion": {
+ "value": "TLS1_2"
+ },
+ "blobContainers": {
+ "value": [
+ {
+ "name": "wvdscripts",
+ "publicAccess": "Container", //Container, Blob, None
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ },
+ {
+ "name": "wvdsoftware",
+ "publicAccess": "Container", //Container, Blob, None
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ },
+ {
+ "name": "archivecontainer",
+ "publicAccess": "Container",
+ "enableWORM": true,
+ "WORMRetention": 666,
+ "allowProtectedAppendWrites": false,
+ "roleAssignments": []
+ }
+ ]
+ },
+ "enableArchiveAndDelete": {
+ "value": true
+ },
+ "fileShares": {
+ "value": [
+ {
+ "name": "wvdprofiles",
+ "shareQuota": "5120",
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ },
+ {
+ "name": "wvdprofiles2",
+ "shareQuota": "5120",
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ }
+ ]
+ },
+ "tables": {
+ "value": [
+ "table1",
+ "table2"
+ ]
+ },
+ "queues": {
+ "value": [
+ {
+ "name": "queue1",
+ "metadata": {},
+ "roleAssignments": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ ]
+ }
+ ]
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Reader",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012" // object 1
+ // ]
+ // }
+ // ]
+ // }
+ // "privateEndpoints": {
+ // "value": [
+ // { // Example showing all available fields
+ // "name": "sxx-az-sa-cac-y-123-pe",
+ // "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-005",
+ // "service": "blob",
+ // "privateDnsZoneResourceIds": [
+ // "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/privateDnsZones/test.local"
+ // ],
+ // "customDnsConfigs": [] // Optional
+ // },
+ // { // Example showing only mandatory fields
+ // "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-005",
+ // "service": "file"
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
new file mode 100644
index 0000000000..5118d10a29
--- /dev/null
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
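Review bot: The commented-out `privateEndpoints` example at the end of parameters.json embeds what looks like a real subscription GUID in its `subnetResourceId` and `privateDnsZoneResourceIds` paths. Committed examples should use a labelled placeholder instead, e.g. `"/subscriptions/<subscription-id>/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"`, so the repository does not publish environment identifiers. The file also relies on `//` comments, which a strict JSON parser rejects, so it is worth confirming that every tool consuming this file tolerates them. The commented `roleAssignments` and `privateEndpoints` blocks have no comma after the preceding `queues` block, so uncommenting them as written would produce invalid JSON.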
@@ -0,0 +1,294 @@ +# StorageAccounts + +This module is used to deploy an Azure Storage Account, with resource lock and the ability to deploy 1 or more Blob Containers and 1 or more File Shares. Optional ACLs can be configured on the Storage Account and optional RBAC can be assigned on the Storage Account and on each Blob Container and File Share. + +The default parameter values are based on the needs of deploying a diagnostic storage account. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `immutabilityPolicies` | 2019-06-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Storage/storageAccounts/blobServices/containers` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/blobServices` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/fileServices/shares` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/managementPolicies` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Storage/storageAccounts/queueServices/queues` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/tableServices/tables` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts` | 2019-06-01 | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `allowBlobPublicAccess` | bool | True | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. | +| `automaticSnapshotPolicyEnabled` | bool | False | | Optional. Automatic Snapshot is enabled if set to true. | +| `azureFilesIdentityBasedAuthentication` | object | | | Optional. Provides the identity based authentication settings for Azure Files. | +| `baseTime` | string | [utcNow('u')] | | Generated. Do not provide a value! 
This date value is used to generate a SAS token to access the modules. | +| `blobContainers` | array | System.Object[] | | Optional. Blob containers to create. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `deleteBlobsAfter` | int | 1096 | | Optional. Set up the amount of days after which the blobs will be deleted | +| `deleteRetentionPolicy` | bool | True | | Optional. Indicates whether DeleteRetentionPolicy is enabled for the Blob service. | +| `deleteRetentionPolicyDays` | int | 7 | | Optional. Indicates the number of days that the deleted blob should be retained. The minimum specified value can be 1 and the maximum value can be 365. | +| `enableArchiveAndDelete` | bool | False | | Optional. If true, enables move to archive tier and auto-delete | +| `enableHierarchicalNamespace` | bool | False | | Optional. If true, enables Hierarchical Namespace for the storage account | +| `fileShares` | array | System.Object[] | | Optional. File shares to create. | +| `location` | string | [resourceGroup().location] | | Optional. Location for all resources. | +| `lockForDeletion` | bool | False | | Optional. Switch to lock storage from deletion. | +| `minimumTlsVersion` | string | TLS1_2 | System.Object[] | Optional. Set the minimum TLS version on request to storage. | +| `moveToArchiveAfter` | int | 30 | | Optional. Set up the amount of days after which the blobs will be moved to archive tier | +| `networkAcls` | object | | | Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. | +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `queues` | array | System.Object[] | | Optional. Queues to create. | +| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `managedServiceIdentity` | string | None | System.Object[] | Optional. Type of managed service identity. | +| `userAssignedIdentities` | object | | System.Object[] | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | +| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| `storageAccountAccessTier` | string | Hot | System.Object[] | Optional. Storage Account Access Tier. | +| `storageAccountKind` | string | StorageV2 | System.Object[] | Optional. Type of Storage Account to create. | +| `storageAccountName` | string | | | Optional. Name of the Storage Account. If no name is provided, then unique name will be created.| +| `storageAccountSku` | string | Standard_GRS | System.Object[] | Optional. Storage Account Sku Name. | +| `tables` | array | System.Object[] | | Optional. Tables to create. | +| `tags` | object | | | Optional. Tags of the resource. | +| `vNetId` | string | | | Optional. Virtual Network Identifier used to create a service endpoint. 
| + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Storage File Data SMB Share Contributor", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `networkAcls` + +```json +"networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [ + { + "subnet": "sharedsvcs" + } + ], + "ipRules": [] + } +} +``` + +### Parameter Usage: `blobContainers` + +The `blobContainer` parameter accepts a JSON Array of object with "name" and "publicAccess" properties in each to specify the name of the Blob Containers to create and level of public access (container level, blob level or none). Also RBAC can be assigned at Blob Container level + +Here's an example of specifying two Blob Containes. The first named "one" with public access set at container level and RBAC Reader role assigned to two principal Ids. The second named "two" with no public access level and no RBAC role assigned. 
+ +```json +"blobContainers": { + "value": [ + { + "name": "one", + "publicAccess": "Container", //Container, Blob, None + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "name": "two", + "publicAccess": "None", //Container, Blob, None + "roleAssignments": [], + "enableWORM": true, + "WORMRetention": 200, + "allowProtectedAppendWrites": false + } + ] +``` + +### Parameter Usage: `fileShares` + +The `fileShares` parameter accepts a JSON Array of object with "name" and "shareQuota" properties in each to specify the name of the File Shares to create and the maximum size of the shares, in gigabytes. Also RBAC can be assigned at File Share level. + +Here's an example of specifying a single File Share named "wvdprofiles" with 5TB (5120GB) of shareQuota and Reader role assigned to two principal Ids. + +```json +"fileShares": { + "value": [ + { + "name": "wvdprofiles", + "shareQuota": "5120", + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `queues` + +The `queues` parameter accepts a JSON Array of object with "name" and "metadata" properties in each to specify the name of the queue to create and its metadata, as a name-value pair. Also RBAC can be assigned at queue level. + +Here's an example of specifying a single qeue named "queue1" with no metadata and Reader role assigned to two principal Ids. 
+ +```json +"queues": { + "value": [ + { + "name": "queue1", + "metadata": {}, + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tables` + +The tables to be created in the storage account + +```json +"tables": { + "value": [ + "table1", + "table2" + ] +}, +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "blob", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "file" + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `blobContainers` | array | The array of the blob containers created. | +| `fileShares` | array | The array of the file shares created. | +| `queues` | array | The array of the queues created. | +| `storageAccountsAccessKey` | securestring | The Access Key for the Storage Account. | +| `storageAccountsName` | string | The Name of the Storage Account. | +| `storageAccountsPrimaryBlobEndpoint` | string | The public endpoint of the Storage Account. | +| `storageAccountsRegion` | string | The Region of the Storage Account. | +| `storageAccountsResourceGroup` | string | The name of the Resource Group the Storage Account was created in. | +| `storageAccountsResourceId` | string | The Resource Id of the Storage Account. 
| +| `storageAccountsSasToken` | securestring | The SAS Token for the Storage Account. | +| `tables` | array | The array of the tables created. | +| `assignedIdentityID` | string | User id of the created system assigned identity. | + +## Considerations + +This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. +The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. + +## Additional resources + +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [StorageAccountS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [StorageAccountS/blobServiceS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices) +- [StorageAccountS/blobServiceS/containerS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) +- [StorageAccountS/managementPolicieS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/managementPolicies) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- 
[StorageAccountS/fileServiceS/ShareS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/fileServices/shares) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [StorageAccountS/queueServiceS/queueS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/queueServices/queues) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [StorageAccountS/tableServiceS/tableS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/tableServices/tables) diff --git a/arm/Microsoft.Subscription/aliases/deploy.json b/arm/Microsoft.Subscription/aliases/deploy.json new file mode 100644 index 0000000000..0c250601db --- /dev/null +++ b/arm/Microsoft.Subscription/aliases/deploy.json 
@@ -0,0 +1,549 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionAliasName": { + "type": "string", + "metadata": { + "description": "Required. Unique alias name. Unique and linking ID" + } + }, + "displayName": { + "type": "string", + "metadata": { + "description": "Required. Subscription display name." + } + }, + "targetManagementGroupId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Target management group where the subscription will be created." + } + }, + "billingScope": { + "type": "string", + "metadata": { + "description": "Required. The account to be invoiced for the subscription. e.g. '/providers/Microsoft.Billing/billingAccounts/12345678/enrollmentAccounts/123456" + } + }, + "workload": { + "type": "string", + "allowedValues": [ + "Production", + "DevTest" + ], + "defaultValue": "Production", + "metadata": { + "description": "Optional. Subscription workload." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the subscription." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionAliasName'))]", + "subDeploymentName": "[concat('Deploy-Sub', variables('unique'))]", + "tagDeploymentName": "[concat('Deploy-Tag', variables('unique'))]", + "rbacDeploymentName": "[concat('Deploy-RBAC', variables('unique'))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('subDeploymentName')]", + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "subscriptionAliasName": { + "value": "[parameters('subscriptionAliasName')]" + }, + "displayName": { + "value": "[parameters('displayName')]" + }, + "targetManagementGroupId": { + "value": "[parameters('targetManagementGroupId')]" + }, + "billingScope": { + "value": "[parameters('billingScope')]" + }, + "workload": { + "value": "[parameters('workload')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionAliasName": { + "type": "string" + }, + "displayName": { + "type": "string" + }, + "targetManagementGroupId": { + "type": "string" + }, + "billingScope": { + "type": "string" + }, + "workload": { + "type": "string" + } + }, + "resources": [ + { + "name": "[parameters('subscriptionAliasName')]", + "type": "Microsoft.Subscription/aliases", + "apiVersion": "2020-09-01", + "properties": { + "workload": "[parameters('workload')]", + "displayName": "[parameters('displayName')]", + "billingScope": "[parameters('billingScope')]", + "managementGroupId": 
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]" + } + } + ], + "outputs": { + "subscriptionId": { + "type": "string", + "value": "[reference(parameters('subscriptionAliasName')).subscriptionId]" + } + } + } + } + }, + { + "name": "[variables('tagDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[deployment().location]", + "condition": "[not(empty(parameters('tags')))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "subscriptionId": { + "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionId'))]", + "tagDeploymentName": "[concat('nestedTagDeploy-', variables('unique'))]" + }, + "resources": [ + { + "name": "[variables('tagDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "tags": { + "type": "object" + } + }, + "resources": [ + { + "name": "default", + "type": "Microsoft.Resources/tags", + 
"apiVersion": "2020-10-01", + "properties": { + "tags": "[parameters('tags')]" + } + } + ] + } + } + } + ] + } + } + }, + { + "name": "[variables('rbacDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[deployment().location]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('subDeploymentName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "subscriptionId": { + "value": "[reference(variables('subDeploymentName')).outputs.subscriptionId.value]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string" + }, + "roleAssignments": { + "type": "array" + } + }, + "variables": { + "unique": "[uniqueString(parameters('subscriptionId'))]", + "rbacDeploymentName": "[concat('nestedRBACDeploy-', variables('unique'))]" + }, + "resources": [ + { + "name": "[variables('rbacDeploymentName')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignments": { + "type": "array" + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + 
"AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": 
"/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + 
"DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service 
Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services 
Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + 
"Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "name": "[concat('RbacDeplCopy-',uniqueString(subscription().subscriptionId),'-', copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "location": "[deployment().location]", + "dependsOn": [ + ], + "copy": { + "name": "subscriptionRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + 
"expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "subscriptionId": { + "value": "[subscription().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "subscriptionId": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + } + ] + } + } + } + ] + } + } + } + ], + "functions": [], + "outputs": { + "subscriptionId": { + "type": "string", + "value": 
"[reference(variables('subDeploymentName')).outputs.subscriptionId.value]", + "metadata": { + "description": "The subscription Id of the created subscription." + } + }, + "tags": { + "type": "object", + "value": "[parameters('tags')]", + "metadata": { + "description": "The tags applied to the subscription." + } + }, + "roleAssignments": { + "type": "array", + "value": "[parameters('roleAssignments')]", + "metadata": { + "description": "Array of role assignment objects." + } + } + } +} diff --git a/arm/Microsoft.Subscription/aliases/parameters/parameters.json b/arm/Microsoft.Subscription/aliases/parameters/parameters.json new file mode 100644 index 0000000000..c35b881481 --- /dev/null +++ b/arm/Microsoft.Subscription/aliases/parameters/parameters.json @@ -0,0 +1,39 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionAliasName": { + "value": "Sample-Subscription-01" + }, + "displayName": { + "value": "Sample-Subscription-01" + }, + "targetManagementGroupId": { + "value": "d2bdaa69-7c9c-467d-87b8-aba30eb8987a" + }, + "billingScope": { + "value": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx" + }, //, + // "billingScope": { + // "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX" + // } + // "roleAssignments": { + // "value": [ + // { + // "roleDefinitionIdOrName": "Desktop Virtualization User", + // "principalIds": [ + // "12345678-1234-1234-1234-123456789012", // object 1 + // "78945612-1234-1234-1234-123456789012" // object 2 + // ] + // } + // ] + // }, + "tags": { + "value": { + "costCenter": "1234", + "environment": "prod", + "contactinfo": "someone@company.com" + } + } + } +} 
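Review bot: The sample value for `targetManagementGroupId` in arm/Microsoft.Subscription/aliases/parameters/parameters.json reads like a real management-group GUID, and `billingScope` keeps the leading `5e98e158` segment of a billing account plus the `AW4F-`/`SH3V-` prefixes, so tenant-specific identifiers may be getting committed with the example. If they are real, replace them with obvious placeholders, e.g. `"value": "<managementGroupId>"`. The same applies to the subscription GUID inside `sigImageDefinitionId` in arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json. Separately, the stray `}, //,` after `billingScope` and the commented-out blocks make this file JSON-with-comments, which any strict JSON parser in a validation step will reject.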
diff --git a/arm/Microsoft.Subscription/aliases/readme.md b/arm/Microsoft.Subscription/aliases/readme.md
new file mode 100644
index 0000000000..b17198bd91
--- /dev/null
+++ b/arm/Microsoft.Subscription/aliases/readme.md
@@ -0,0 +1,164 @@ +# Subscription + +This template will create a subscription based on the provided parameter. + +## Resource types + +| Resource Type | Api Version | +| :---------------------------------------- | :----------------- | +| `Microsoft.Resources/deployments` | 2019-10-01 | +| `Microsoft.Subscription/aliases` | 2020-09-01 | +| `Microsoft.Resources/tags` | 2020-10-01 | +| `Microsoft.Authorization/roleAssignments` | 2018-09-01-preview | + +### Resource dependency + +The following resources are required to be able to deploy this resource: + +- *None* + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------------ | :----- | :------------ | :------------------ | :------------------------------------------------------------------------ | +| `subscriptionAliasName` | string | | | Required. Unique alias name. | +| `displayName` | string | | | Required. Subscription display name. | +| `targetManagementGroupId` | string | "" | | Optional. Target management group where the subscription will be created. | +| `billingScope` | string | | | Required. The account to be invoiced for the subscription. | +| `workload` | string | Production | Production, DevTest | Optional. Subscription workload. | +| `tags` | object | [] | | Optional. Tags of the storage account resource. | +| `roleAssignments` | array | [] | | Optional. Array of role assignment objects. | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + // Built-in Role Definition, referenced by Name + { + "roleDefinitionIdOrName": "Owner", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Built-in Role Definition, referenced by ID + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Custom Role Definition on Subscription scope + { + "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + }, + // Custom Role Definition on Resource Group scope + { + "roleDefinitionIdOrName": "/subscriptions/bbfef42b-7d75-4e17-9f39-bd431e69189f/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929", + "principalIds": [ + "12345678-1234-1234-1234-123456780123" + "abcd5678-1234-1234-1234-123456780123" + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :---------------- | :----- | :----------------------------------------------- | +| `subscriptionId` | string | The subscription Id of the created subscription. | +| `tags` | object | The tags applied to the subscription. | +| `roleAssignments` | array | Array of role assignment objects. 
| + +## Prerequisites + +In order to create a subscription via code, the following pre-requisites are necessary: + +- the used enrollment account in the billing scope is active and created at least one subscription manually +- A single SPN used for the template deployment with permissions to both: + - the billing scope of the EA enrollment account. + - deployments on the tenant scope and management group where the subscription will be provisioned. + +### Permissions to create subscriptions + +Refer to the [Enterprise-Scale - Enabling subscription creation](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md) guide on how to setup permissions. If this does not align with your scenario, please refer to the [official documentation on creating subscriptions using the API](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview). +If you cannot find the billingID or enrollmentID using the mentioned guides, find them using the Azure portal under the 'Cost + Billing' blade. Expected format is 5-10 digits for each of the values. + +### Permissions to deploy Azure Resource in tenant + +The subscription module is deployed on the **Tenant scope**. Providing the [required permissions](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) is not supported in the portal. +To run the commands listed here you need `User Access Administrator` or `Owner` on the tenant scope (also refered to root or '/') . Follow the [official documentation for how to elevate your permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin) to this level. + +#### Quick setup + +Using a quick setup we assign `Owner` on the root, allowing for all other activities within the Azure tenant. 
Quick setup is not recommended in production, as it breaks with principle of least privilege and would potentially scope permissions wider than applicable for your scenario. +Use quick setup for 'Minimal Viable Product' (MVP) configurations, PoC setups or test environments. + +To assign `Owner` role on root to the SPN, execute the following commands: + +```powershell +$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" +New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Owner" +``` + +> Note! +> +> Remember to [remove your elevated access](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#remove-elevated-access) after assigning the permissions on the entity that requires the permissions on root. + +#### Least-privilege approach + +If `Owner` permission is too excessive, provide least privilege permissions to the entity used for deploying subscriptions. +As [custom roles are not supported on the root level](https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-limits), a built-in role is required. +The build-in role with the least privilege to perform the `Microsoft.Resources/deployments/*` actions is `Automation Job Operator`. + +To assign `Automation Job Operator` role on root to the SPN, execute the following commands: + +```powershell +$SPNObjectID = Get-AzADServicePrincipal -DisplayName "[SPNName]" +New-AzRoleAssignment -ObjectID $SPNObjectID -Scope "/" -RoleDefinitionName "Automation Job Operator" +``` + +A custom role can be created for with following permissions on a management group when using the template by providing the `targetManagementGroup` parameter. Using this parameter will move the subscription to them management group. 
+ +- `Microsoft.Management/managementGroups/read` +- `Microsoft.Management/managementGroups/write` +- `Microsoft.Management/managementGroups/subscriptions/delete` +- `Microsoft.Management/managementGroups/subscriptions/write` + +Scope: `/providers/Microsoft.Management/managementGroups/` + +Consider adding more of the [`Microsoft.Management`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmanagement) and [`Microsoft.Subscription`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsubscription) operations to the custom role as needed. + +## Additional resources + +- [Use tags to organize your Azure resources | Microsoft Docs](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Azure Resource Manager template reference | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/) +- [Deployments | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Aliases | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Subscription/2020-09-01/aliases) +- [Programmatically create Azure subscriptions with preview APIs | Microsoft Docs](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview) +- [Enable subscription creation to a service principal | GitHub](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md) diff --git a/arm/Microsoft.Subscription/aliases/rg-deploy.json b/arm/Microsoft.Subscription/aliases/rg-deploy.json new file mode 100644 index 0000000000..b5a60c59f2 --- /dev/null +++ b/arm/Microsoft.Subscription/aliases/rg-deploy.json 
@@ -0,0 +1,90 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionAliasName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Unique alias name."
+ }
+ },
+ "displayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Subscription display name."
+ }
+ },
+ "targetManagementGroupId": {
+ "type": "string",
+ "metadata": {
+ "details": "Optional. Target management group where the subscription will be created."
+ }
+ },
+ "billingScope": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The account to be invoiced for the subscription."
+ }
+ },
+ "workLoad": {
+ "type": "string",
+ "defaultValue": "Production",
+ "metadata": {
+ "description": "Optional. Subscription workload."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Location is required for DeploymentTemplate."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat('subscription-',deployment().name)]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "outer" // default
+ },
+ "mode": "Incremental", // default
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "variables": {},
+ "resources": [
+ {
+ "name": "[parameters('subscriptionAliasName')]",
+ "type": "Microsoft.Subscription/aliases",
+ "apiVersion": "2020-09-01",
+ "properties": {
+ "workLoad": "[parameters('workLoad')]",
+ "displayName": "[parameters('displayName')]",
+ "billingScope": "[parameters('billingScope')]",
+ "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroupId'))]"
+ },
+ "dependsOn": [],
+ "tags": {}
+ }
+ ],
+ "outputs": {
+ "subscriptionId": {
+ "type": "string",
+ "value": "[replace(reference(parameters('subscriptionAliasName')).subscriptionId, 'invalidrandom/', '')]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "messageFromLinkedTemplate": {
+ "type": "string",
+ "value": "[reference('subscription-',deployment().name).outputs.subscriptionId.value]"
+ }
+ }
+}
diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.json b/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.json
new file mode 100644
index 0000000000..d900b0bec7
--- /dev/null
+++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.json
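Review bot: In arm/Microsoft.Subscription/aliases/rg-deploy.json the top-level output `messageFromLinkedTemplate` calls `reference('subscription-',deployment().name)`, which passes the deployment name in the second (API version) position instead of building the resource name. To match the nested deployment's `name` it should read `"value": "[reference(concat('subscription-', deployment().name)).outputs.subscriptionId.value]"`. The nested template also calls `reference()` in its own `outputs` while `expressionEvaluationOptions.scope` is `outer`; as far as I know ARM documents that as unsupported for a resource deployed in the same nested template, so the alias output probably needs `inner` scope with the parameters passed in explicitly. In the parameter block, `targetManagementGroupId` uses a `details` metadata key where every other parameter uses `description`.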
@@ -0,0 +1,284 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "imageTemplateName": { + "type": "string", + "metadata": { + "description": "Required. Name of the Image Template to be built by the Azure Image Builder service." + } + }, + "userMsiName": { + "type": "string", + "metadata": { + "description": "Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder." + } + }, + "userMsiResourceGroup": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Resource group of the user assigned identity." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "buildTimeoutInMinutes": { + "type": "int", + "defaultValue": 0, + "minValue": 0, + "maxValue": 960, + "metadata": { + "description": "Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "Optional. Specifies the size for the VM." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 128, + "metadata": { + "description": "Optional. Specifies the size of OS disk." + } + }, + "subnetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource Id of an already existing subnet, e.g. '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'. If no value is provided, a new VNET will be created in the target Resource Group." + } + }, + "imageSource": { + "type": "object", + "metadata": { + "description": "Required. Image source definition in object format." + } + }, + "customizationSteps": { + "type": "array", + "metadata": { + "description": "Required. 
Customization steps to be run when building the VM image." + } + }, + "managedImageName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the managed image that will be created in the AIB resourcegroup." + } + }, + "unManagedImageName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the unmanaged image that will be created in the AIB resourcegroup." + } + }, + "sigImageDefinitionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource Id of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" + } + }, + "imageReplicationRegions": { + "type": "array", + "defaultValue": [ + ], + "metadata": { + "description": "Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Resource from deletion." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('yyyy-MM-dd-HH-mm-ss')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a unique image template name." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "imageTemplateName": "[concat(parameters('imageTemplateName'), '-', parameters('baseTime'))]", + "managedImageName": "[concat(parameters('managedImageName'), '-', parameters('baseTime'))]", + "managedImageId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Compute/images/', variables('ManagedImageName'))]", + "imageReplicationRegions": "[if(empty(parameters('imageReplicationRegions')), array(parameters('location')), parameters('imageReplicationRegions'))]", + "emptyArray": [ + ], + "managedImage": { + "type": "ManagedImage", + "imageId": "[variables('managedImageId')]", + "location": "[parameters('location')]", + "runOutputName": "[concat(variables('managedImageName'),'-ManagedImage')]", + "artifactTags": { + "sourceType": "[parameters('imageSource').type]", + "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'),parameters('imageSource').publisher, json('null'))]", + "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'),parameters('imageSource').offer, json('null'))]", + "sourceSku": "[if(contains(parameters('imageSource'), 'sku'),parameters('imageSource').sku, json('null'))]", + "sourceVersion": "[if(contains(parameters('imageSource'), 'version'),parameters('imageSource').version, json('null'))]", + "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'),parameters('imageSource').imageId, json('null'))]", + "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'),parameters('imageSource').imageVersionID, json('null'))]", + "creationTime": "[parameters('baseTime')]" + } + }, + "conditionalManagedImage": "[if(empty(parameters('managedImageName')), variables('emptyArray'), array(variables('managedImage')))]", + "sharedImage": { + "type": "SharedImage", + "galleryImageId": "[parameters('sigImageDefinitionId')]", + "runOutputName": 
"[if(not(empty(parameters('sigImageDefinitionId'))), concat(split(parameters('sigImageDefinitionId'), '/')[10], '-SharedImage'), 'SharedImage')]", + "artifactTags": { + "sourceType": "[parameters('imageSource').type]", + "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'),parameters('imageSource').publisher, json('null'))]", + "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'),parameters('imageSource').offer, json('null'))]", + "sourceSku": "[if(contains(parameters('imageSource'), 'sku'),parameters('imageSource').sku, json('null'))]", + "sourceVersion": "[if(contains(parameters('imageSource'), 'version'),parameters('imageSource').version, json('null'))]", + "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'),parameters('imageSource').imageId, json('null'))]", + "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'),parameters('imageSource').imageVersionID, json('null'))]", + "creationTime": "[parameters('baseTime')]" + }, + "replicationRegions": "[variables('imageReplicationRegions')]" + }, + "conditionalSharedImage": "[if(empty(parameters('sigImageDefinitionId')), variables('emptyArray'), array(variables('sharedImage')))]", + "unManagedImage": { + "type": "VHD", + "runOutputName": "[concat(parameters('unManagedImageName'),'-VHD')]", + "artifactTags": { + "sourceType": "[parameters('imageSource').type]", + "sourcePublisher": "[if(contains(parameters('imageSource'), 'publisher'),parameters('imageSource').publisher, json('null'))]", + "sourceOffer": "[if(contains(parameters('imageSource'), 'offer'),parameters('imageSource').offer, json('null'))]", + "sourceSku": "[if(contains(parameters('imageSource'), 'sku'),parameters('imageSource').sku, json('null'))]", + "sourceVersion": "[if(contains(parameters('imageSource'), 'version'),parameters('imageSource').version, json('null'))]", + "sourceImageId": "[if(contains(parameters('imageSource'), 'imageId'),parameters('imageSource').imageId, 
json('null'))]", + "sourceImageVersionID": "[if(contains(parameters('imageSource'), 'imageVersionID'),parameters('imageSource').imageVersionID, json('null'))]", + "creationTime": "[parameters('baseTime')]" + } + }, + "conditionalUnManagedImage": "[if(empty(parameters('unManagedImageName')), variables('emptyArray'), array(variables('unManagedImage')))]", + "distribute": "[concat(variables('conditionalManagedImage'), variables('conditionalSharedImage'), variables('conditionalUnManagedImage'))]", + "vnetConfig": { + "subnetId": "[parameters('subnetId')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.VirtualMachineImages/imageTemplates", + "apiVersion": "2020-02-14", + "name": "[variables('imageTemplateName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "dependsOn": [ + ], + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId(parameters('userMsiResourceGroup'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))]": { + } + } + }, + "properties": { + "buildTimeoutInMinutes": "[parameters('buildTimeoutInMinutes')]", //0-960, 0 means the default 240 minutes + "vmProfile": { + "vmSize": "[parameters('vmSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "vnetConfig": "[if(empty(parameters('subnetId')), json('null'), variables('vnetConfig'))]" + }, + "source": "[parameters('imageSource')]", + "customize": "[parameters('customizationSteps')]", + "distribute": "[variables('distribute')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + 
"condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/imageTemplateDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.VirtualMachineImages/imageTemplates/', variables('imageTemplateName'))]" + ], + "comments": "Resource lock on the Image Template", + "properties": { + "level": "CannotDelete" + } + } + ] + } + ], + "functions": [ + ], + "outputs": { + "imageTemplateResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.VirtualMachineImages/imageTemplates', variables('imageTemplateName'))]", + "metadata": { + "description": "The Resource Id of the Image Template." + } + }, + "imageTemplateResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the Image Template was deployed to." + } + }, + "imageTemplateName": { + "type": "string", + "value": "[variables('imageTemplateName')]", + "metadata": { + "description": "The Name of the Image Template." + } + }, + "runThisCommand": { + "type": "string", + "value": "[concat('Invoke-AzResourceAction -ResourceName ', variables('imageTemplateName'), ' -ResourceGroupName ', resourceGroup().name, ' -ResourceType Microsoft.VirtualMachineImages/imageTemplates -Action Run -Force')]", + "metadata": { + "description": "Cmdlet to invoke an action on specified Azure resource" + } + } + } +} diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json b/arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json new file mode 100644 index 0000000000..4a488c58b3 --- /dev/null +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json 
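Review bot: In arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.json, `customizationSteps` is an untyped array handed straight to `customize`, and its description says nothing about integrity pinning, so any script or file a caller lists is presumably fetched and run inside the build VM with no integrity check. The template cannot enforce this itself, so I would extend the description: `"description": "Required. Customization steps to be run when building the VM image. For Shell, PowerShell and File steps that reference a remote URI, set sha256Checksum so the build fails if the content changes."`. Also, `lockForDeletion` defaults to `false` and `osDiskSizeGB` to 128 here, while the module readme added in this patch lists `true` and 127; one side should be corrected so operators do not assume a delete lock that is not applied.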
@@ -0,0 +1,62 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "imageTemplateName": {
+ "value": "sxx-az-imgt-weu-x-001"
+ },
+ "location": {
+ "value": "eastus"
+ },
+ "userMsiName": {
+ "value": "sxx-az-msi-weu-x-002"
+ },
+ "userMsiResourceGroup": {
+ "value": "dependencies-rg"
+ },
+ "buildTimeoutInMinutes": {
+ "value": 0
+ },
+ "vmSize": {
+ "value": "Standard_D2s_v3"
+ },
+ "osDiskSizeGB": {
+ "value": 127
+ },
+ "subnetId": {
+ "value": ""
+ },
+ "imageSource": {
+ "value": {
+ "type": "PlatformImage",
+ "publisher": "MicrosoftWindowsDesktop",
+ "offer": "Windows-10",
+ "sku": "19h2-evd",
+ "version": "latest"
+ }
+ },
+ "customizationSteps": {
+ "value": [
+ {
+ "type": "WindowsRestart",
+ "restartTimeout": "30m"
+ }
+ ]
+ },
+ "managedImageName": {
+ "value": "sxx-az-mi-weu-x-001"
+ },
+ "unManagedImageName": {
+ "value": "sxx-az-umi-weu-x-001"
+ },
+ "sigImageDefinitionId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Compute/galleries/sxxazsigweux001/images/sxx-az-imgd-weu-x-002"
+ },
+ "imageReplicationRegions": {
+ "value": []
+ },
+ "lockForDeletion": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md
new file mode 100644
index 0000000000..5941a3fef0
--- /dev/null
+++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md
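Review bot: `"version": "latest"` under `imageSource` in arm/Microsoft.VirtualMachineImages/imageTemplates/parameters/parameters.json leaves the base image unpinned, so two runs of the same template can build from different marketplace images. The `sourceVersion` artifact tag that deploy.json copies from this parameter would then record the literal `latest` rather than the version actually used, which loses provenance for the resulting image. For a reproducible, traceable build I would pin an explicit version in the sample, e.g. `"version": "<image version>"`, or state in the readme that `latest` is a deliberate choice to pick up patches. Also, `location` is `eastus` while every resource name carries `weu`, which looks unintended.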
@@ -0,0 +1,104 @@ + +# Image Templates + +This module deploys an Image Template (for Azure Image Builder service) that can be consumed by the Azure Image Builder service + +## Resource types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.VirtualMachineImages/imageTemplates`|2020-02-14| +|`providers/locks`|2016-09-01| +|`Microsoft.Resources/deployments`|2018-02-01| + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `imageTemplateName` | string | | | Required. Name of the Image Template to be built by the Azure Image Builder service. +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `userMsiName` | string | | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. +| `userMsiResourceGroup` | string | Optional. ResourceGroup of the MSI. By default the same of the current deployment +| `buildTimeoutInMinutes` | int | 0 | 0-960 | Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes +| `vmSize` | string | "Standard_D2s_v3" | | Optional. Specifies the size for the VM. +| `osDiskSizeGB` | int | 127 | | Optional. Specifies the size of OS disk. +| `subnetId` | string | "" | | Optional. Resource Id of an already existing subnet, e.g. `/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/`. If no value is provided, a new VNET will be created in the target Resource Group. +| `imageSource` | object | | Complex structure, see below. | Required. Image source definition in object format. +| `customizationSteps` | array | | | Required. Customization steps to be run when building the VM image. +| `unManagedImageName` | string | "" | | Optional. Name of the unmanaged image that will be created in the AIB resourcegroup. +| `sigImageDefinitionId` | string | "" | | Optional. 
Resource Id of Shared Image Gallery to distribute image to, e.g.: `/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/` +| `imageReplicationRegions` | string | "" | | Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. +| `managedImageName` | string | "" | | Optional. Name of the managed image that will be created in the AIB resourcegroup. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock the resource from deletion. +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the resource. +| `baseTime` | string | `utcNow('yyyy-MM-dd-HH-mm-ss')` | | Generated. Do not provide a value! This date value is used to generate a unique image template name. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered + +### Parameter Usage: `imageSource` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +#### Platform Image + +```json +"source": { + "type": "PlatformImage", + "publisher": "MicrosoftWindowsDesktop", + "offer": "Windows-10", + "sku": "19h2-evd", + "version": "latest" +} +``` + +#### Managed Image + +```json +"source": { + "type": "ManagedImage", + "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" +} +``` + +#### Shared Image + +```json +"source": { + "type": "SharedImageVersion", + "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `imageTemplateName` | string | The Name of the Image Template. | +| `imageTemplateResourceGroup` | string | The Resource Group the Image Template was deployed to. | +| `imageTemplateResourceId` | string | The Resource Id of the Image Template. | +| `runThisCommand` | string | Cmdlet to invoke an action on specified Azure resource | + +## Considerations + +az network vnet subnet update --name aib --resource-group WVDCustomerEnvironment --vnet-name wvd-vnet --disable-private-link-service-network-policies true + +## Additional resources + +- [Preview: Create an Azure Image Builder template](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-json) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Web/appService/deploy.json b/arm/Microsoft.Web/appService/deploy.json new file mode 100644 index 0000000000..6544e81db8 --- /dev/null +++ b/arm/Microsoft.Web/appService/deploy.json 
@@ -0,0 +1,389 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppPortalName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Web Application Portal Name"
+ }
+ },
+ "hostingPlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Application Service Plan"
+ }
+ },
+ "sku": {
+ "type": "string",
+ "allowedValues": [
+ "F1",
+ "D1",
+ "B1",
+ "B2",
+ "B3",
+ "S1",
+ "S2",
+ "S3",
+ "P1",
+ "P2",
+ "P3",
+ "P4"
+ ],
+ "defaultValue": "F1",
+ "metadata": {
+ "description": "Optional. The pricing tier for the hosting plan."
+ }
+ },
+ "workerSize": {
+ "type": "int",
+ "defaultValue": 2,
+ "metadata": {
+ "description": "Optional. Defines the number of workers from the worker pool that will be used by the app service plan"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all Resources."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ } + }, + "eventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Key Vault from deletion." + } + }, + "privateEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Configuration Details for private endpoints." + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "diagnosticsMetrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('diagnosticLogsRetentionInDays')]", + "enabled": true + } + } + ], + "diagnosticsLogs": [ + { + "category": "AppServiceHTTPLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AppServiceConsoleLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AppServiceAppLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + }, + { + "category": "AppServiceAuditLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + ] + }, + 
"resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2019-08-01", + "name": "[parameters('hostingPlanName')]", + "kind": "app", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('workerSize')]" + }, + "properties": { + "name": "[parameters('hostingPlanName')]" + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "name": "[parameters('webAppPortalName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms',parameters('hostingPlanName'))]" + ], + "kind": "app", + "tags": "[parameters('tags')]", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms',parameters('hostingPlanName'))]", + "httpsOnly": true + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/webAppDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', parameters('webAppPortalName'))]" + ], + "comments": "Resource lock", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Web/sites/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('webAppPortalName'), '/Microsoft.Insights/service')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + 
"dependsOn": [ + "[concat('Microsoft.Web/sites/', parameters('webAppPortalName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + // Private Endpoints + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-AppService-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[parameters('webAppPortalName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.Web/sites/', parameters('webAppPortalName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 
'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + 
"privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "appServiceName": { + "type": "string", + "value": "[parameters('hostingPlanName')]", + "metadata": { + "description": "The Name of the Application Web Services" + } + }, + "appServiceResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/serverfarms',parameters('hostingPlanName'))]", + "metadata": { + "description": "The Resource Id of the Application Web Services" + } + }, + "appServiceResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group with the Application Web Services" + } + } + } +} diff --git a/arm/Microsoft.Web/appService/parameters/parameters.json b/arm/Microsoft.Web/appService/parameters/parameters.json new file mode 100644 index 0000000000..a99c90462d 
--- /dev/null
+++ b/arm/Microsoft.Web/appService/parameters/parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hostingPlanName": {
+ "value": "sxx-az-app-weu-x-hp-001"
+ },
+ "webAppPortalName": {
+ "value": "sxxazappweux001"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Web/appService/readme.md b/arm/Microsoft.Web/appService/readme.md
new file mode 100644
index 0000000000..ed067d1c48
--- /dev/null
+++ b/arm/Microsoft.Web/appService/readme.md
@@ -0,0 +1,111 @@ +# App Services + + +## Resource types + +|Resource Type| Api Version| +|:--|:--| +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +|`Microsoft.Network/privateEndpoints` | 2020-05-01 | +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Web/serverfarms`|2018-02-01| +|`Microsoft.Web/sites` |2018-02-01| +|`providers/locks` |2016-09-01| +|`Microsoft.Web/sites/providers/diagnosticsettings`|2017-05-01-preview| + + +### Resource dependency + +The following resources are required to be able to deploy this resource. + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | +| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | +| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | +| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `hostingPlanName` | string | Required. Name of the Application Service Plan | | | +| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False | | +| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | +| `sku` | string | Optional. The pricing tier for the hosting plan. | F1 | | +| `tags` | object | Optional. Tags of the resource. 
| | | +| `webAppPortalName` | string | Required. Name of the Web Application Portal Name | | | +| `workerSize` | int | Optional. Defines the number of workers from the worker pool that will be used by the app service plan | 2 | | +| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `appServiceName` | string | The Name of the Application Web Services | +| `appServiceResourceGroup` | string | The name of the Resource Group with the Application Web Services | +| `appServiceResourceId` | string | The Resource Id of the Application Web Services | + +### References + +### Template references + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [ServerfarmS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2018-02-01/serverfarms) +- [SiteS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2018-02-01/sites) + +## Considerations + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [ServerfarmS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2018-02-01/serverfarms) +- [SiteS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2018-02-01/sites) diff --git a/arm/Microsoft.Web/appServicePlan/deploy.json b/arm/Microsoft.Web/appServicePlan/deploy.json new file mode 100644 index 0000000000..e1e76bb17e --- /dev/null +++ b/arm/Microsoft.Web/appServicePlan/deploy.json 
@@ -0,0 +1,432 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "appServicePlanName": { + "type": "string", + "minLength": 1, + "maxLength": 40, + "metadata": { + "description": "Required. The Name of the App Service Plan to deploy." + } + }, + "sku": { + "type": "object", + "metadata": { + "description": "Required. Defines the name, tier, size, family and capacity of the App Service Plan." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "serverOS": { + "type": "string", + "defaultValue": "Windows", + "allowedValues": [ + "Windows", + "Linux" + ], + "metadata": { + "description": "Optional. Kind of server OS." + } + }, + "appServiceEnvironmentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the App Service Environment to use for the App Service Plan." + } + }, + "workerTierName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Target worker tier assigned to the App Service plan." + } + }, + "perSiteScaling": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan." + } + }, + "maximumElasticWorkerCount": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan." + } + }, + "targetWorkerCount": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. Scaling worker count." 
+ } + }, + "targetWorkerSize": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2 + ], + "defaultValue": 0, + "metadata": { + "description": "Optional. The instance size of the hosting plan (small, medium, or large)." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock App Service Plan from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" + } + } + }, + "variables": { + "hostingEnvironmentProfile": { + "id": "[parameters('appServiceEnvironmentId')]" + }, + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy 
Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + 
"Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('appServicePlanName')]", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2019-08-01", + "kind": "[if(equals(parameters('serverOS'), 'Windows'),'','linux')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": 
"[parameters('sku')]", + "properties": { + "workerTierName": "[parameters('workerTierName')]", + "hostingEnvironmentProfile": "[if(empty(parameters('appServiceEnvironmentId')), json('null'), variables('hostingEnvironmentProfile'))]", + "perSiteScaling": "[parameters('perSiteScaling')]", + "maximumElasticWorkerCount": "[parameters('maximumElasticWorkerCount')]", + "reserved": "[equals(parameters('serverOS'), 'Linux')]", + "targetWorkerCount": "[parameters('targetWorkerCount')]", + "targetWorkerSizeId": "[parameters('targetWorkerSize')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/appServicePlanDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]" + ], + "comments": "Resource lock on App Service Plan", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('appServicePlanName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "appServicePlanName": { + "value": "[parameters('appServicePlanName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "appServicePlanName": { + "type": "string" + } + }, + "resources": [ 
+ { + "type": "Microsoft.Web/serverfarms/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('appServicePlanName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('appServicePlanName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "appServicePlanResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource Group the App Service Plan was deployed to." + } + }, + "appServicePlanName": { + "type": "string", + "value": "[parameters('appServicePlanName')]", + "metadata": { + "description": "The Name of the App Service Plan that was deployed." + } + }, + "appServicePlanResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", + "metadata": { + "description": "The Resource Id of the App Service Plan that was deployed." + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Web/appServicePlan/parameters/parameters.json b/arm/Microsoft.Web/appServicePlan/parameters/parameters.json new file mode 100644 index 0000000000..5d0672a8d3 --- /dev/null +++ b/arm/Microsoft.Web/appServicePlan/parameters/parameters.json 
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appServicePlanName": {
+ "value": "sxx-az-asp-weu-x-001"
+ },
+ "sku": {
+ "value": {
+ "name": "S1",
+ "tier": "Standard",
+ "size": "S1",
+ "family": "S",
+ "capacity": "1"
+ }
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Web/appServicePlan/readme.md b/arm/Microsoft.Web/appServicePlan/readme.md
new file mode 100644
index 0000000000..d3f04bef16
--- /dev/null
+++ b/arm/Microsoft.Web/appServicePlan/readme.md
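Review bot: `"capacity": "1"` in the `sku` value is a string, while the readme added in this same commit documents the field as a number (`"capacity": 1`). The template passes `sku` through as an untyped object (`"sku": "[parameters('sku')]"`), so nothing at template level is likely to catch the mismatch; I would write `"capacity": 1` here. The commented-out `roleAssignments` sample also turns this file into JSON-with-comments, which a strict JSON parser in a lint or validation step would reject, so either confirm the deployment tooling accepts comments or keep the sample only in the readme, which already carries it. If the sample stays, a short comment such as `// placeholder object IDs - replace before enabling; grants the named role on this App Service Plan` would make clear to whoever uncomments it that the block creates a real RBAC grant.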
@@ -0,0 +1,111 @@ +# AppServicePlan + +This module deploys an App Service Plan. + + +## Resource Types + +|Resource Type|Api Version| +|:--|:--| +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Web/serverfarms`|2019-08-01| +|`providers/locks`|2016-09-01|  +|`Microsoft.Web/serverfarms/providers/roleAssignments`|2018-09-01-preview| + + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appServiceEnvironmentId` | string | Optional. The Resource Id of the App Service Environment to use for the App Service Plan. | | | +| `appServicePlanName` | string | Required. The Name of the App Service Plan to deploy. | | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock App Service Plan from deletion. | False | | +| `maximumElasticWorkerCount` | int | Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | 1 | | +| `perSiteScaling` | bool | Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | False | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `serverOS` | string | Optional. Kind of server OS. | Windows | System.Object[] | +| `sku` | object | Required. 
Defines the name, tier, size, family and capacity of the App Service Plan. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `targetWorkerCount` | int | Optional. Scaling worker count. | 0 | | +| `targetWorkerSize` | int | Optional. The instance size of the hosting plan (small, medium, or large). | 0 | System.Object[] | +| `workerTierName` | string | Optional. Target worker tier assigned to the App Service plan. | | | + +### Parameter Usage: `sku` + +```json +"sku": { + "value": { + "name": "P1v2", + "tier": "PremiumV2", + "size": "P1v2", + "family": "Pv2", + "capacity": 1 + } +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `appServicePlanName` | string | The Name of the App Service Plan that was deployed. | +| `appServicePlanResourceGroup` | string | The Resource Group the App Service Plan was deployed to. 
| +| `appServicePlanResourceId` | string | The Resource Id of the App Service Plan that was deployed. | + +## Considerations + +*N/A* + +## Additional resources + +- [Azure App Service plan overview](https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans) +- [Microsoft.Web serverfarms template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/serverfarms) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/Microsoft.Web/connections/deploy.json b/arm/Microsoft.Web/connections/deploy.json new file mode 100644 index 0000000000..16071ad5ca --- /dev/null +++ b/arm/Microsoft.Web/connections/deploy.json 
@@ -0,0 +1,408 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "alternativeParameterValues": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Alternative parameter values." + } + }, + "connectionApi": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specific values for some API connections." + } + }, + "connectionKind": { + "type": "string", + "metadata": { + "description": "Required. Connection Kind. Example: 'V1' when using blobs. It can change depending on the resource." + } + }, + "connectionName": { + "type": "string", + "metadata": { + "description": "Required. Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource." + } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered." + } + }, + "customParameterValues": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Customized parameter values for specific connections." + } + }, + "displayName": { + "type": "string", + "metadata": { + "description": "Required. Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location of the deployment." + } + }, + "nonSecretParameterValues": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Dictionary of nonsecret parameter values." + } + }, + "parameterValues": { + "type": "secureobject", + "defaultValue": {}, + "metadata": { + "description": "Optional. Connection strings or access keys for connection. 
Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource." + } + }, + "parameterValueType": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Value Type of parameter, in case alternativeParameterValues is used." + } + }, + "roleAssignments": { + "defaultValue": [], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "statuses": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Status of the connection." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "testLinks": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Links to test the API connection." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation 
Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": 
"/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": 
"/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": 
"/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": 
"/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage 
Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": 
"[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + // API CONNECTION DEPLOYMENT + { + "name": "[parameters('connectionName')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "location": "[parameters('location')]", + "kind": "[parameters('connectionKind')]", + "tags": "[parameters('tags')]", + "properties": { + "displayName": "[parameters('displayName')]", + "customParameterValues": "[parameters('customParameterValues')]", + "parameterValueType": "[if(not(empty(parameters('parameterValueType'))),parameters('parameterValueType'),json('null'))]", + "alternativeParameterValues": "[if(not(empty(parameters('alternativeParameterValues'))),parameters('alternativeParameterValues'),json('null'))]", + "api": "[parameters('connectionApi')]", + "parameterValues": "[if(empty(parameters('alternativeParameterValues')), parameters('parameterValues'),json('null'))]", + "nonSecretParameterValues": "[if(not(empty(parameters('nonSecretParameterValues'))), parameters('nonSecretParameterValues'),json('null'))]", + "testLinks": "[if(not(empty(parameters('testLinks'))), parameters('testLinks'),json('null'))]", + "statuses": "[if(not(empty(parameters('statuses'))), parameters('statuses'),json('null'))]" + } + }, + // RBAC + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('connectionName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": 
"[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "connectionName": { + "value": "[parameters('connectionName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "connectionName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Web/connection/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('connectionName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('connectionName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [], + "outputs": { + "connectionResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/connections',parameters('connectionName'))]", + "metadata": { + "description": "The Resource Id of the API Connection." + } + }, + "connectionResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the API Connection was created in." 
+ }
+ },
+ "connectionName": {
+ "type": "string",
+ "value": "[parameters('connectionName')]",
+ "metadata": {
+ "description": "The Name of the API Connection."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Web/connections/parameters/parameters.json b/arm/Microsoft.Web/connections/parameters/parameters.json
new file mode 100644
index 0000000000..f8bd74cbb3
--- /dev/null
+++ b/arm/Microsoft.Web/connections/parameters/parameters.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "connectionName": {
+ "value": "azuremonitor"
+ },
+ "connectionKind": {
+ "value": "V1"
+ },
+ "displayName": {
+ "value": "azuremonitorlogs"
+ },
+ "connectionApi": {
+ "value": {
+ "id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Web/connections/readme.md b/arm/Microsoft.Web/connections/readme.md
new file mode 100644
index 0000000000..46a24336d6
--- /dev/null
+++ b/arm/Microsoft.Web/connections/readme.md
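Review bot: The nested RBAC resource in `arm/Microsoft.Web/connections/deploy.json` is declared as `"type": "Microsoft.Web/connection/providers/roleAssignments"` (singular `connection`), while the connection itself is deployed as `Microsoft.Web/connections`. The entries in `roleAssignments` will therefore most likely be rejected by Resource Manager rather than applied to the connection. The line should read `"type": "Microsoft.Web/connections/providers/roleAssignments",`. The assignment name is seeded only from the connection name, principal and role through `guid(uniqueString(concat(...)))`, so same-named connections in different resource groups derive the same GUID; adding `resourceGroup().id` to the seed keeps them distinct. The `roleAssignments` description also mentions 'principalId' although the template reads `principalIds`.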
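Review bot: The sample `connectionApi` value in `connections/parameters/parameters.json` hard-codes a concrete subscription GUID in `"id": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/..."`. That ties the parameter file to one environment and publishes an environment identifier in the repository. A labelled placeholder that the pipeline or the user fills in is safer, for example `"id": "/subscriptions/<subscriptionId>/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs"`. The `westeurope` segment is fixed in the same way while the template defaults `location` to the resource group's location, so the two can presumably disagree when the file is reused elsewhere.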
@@ -0,0 +1,116 @@ +# API Connection + +This module deploys an Azure API Connection. + +## Resource types + +| Resource Type | Api Version | +| ---------------------------------------------------- | ------------------ | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Web/connections` | 2016-06-01 | +| `Microsoft.Web/connection/providers/roleAssignments` | 2018-09-01-preview | + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| ---------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | --------------------------------------- | +| `alternativeParameterValues` | object | **Optional**. Alternative parameter values. | System.Object | | +| `connectionApi` | object | **Optional**. Specific values for some API connections. | System.Object | Complex structure, see below. | +| `connectionKind` | string | **Required**. Connection Kind. Example: 'V1' when using blobs. It can change depending on the resource. | | | +| `connectionName` | string | **Required**. Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | | | +| `cuaId` | string | **Optional**. Customer Usage Attribution id (GUID). This GUID must be previously registered. | | | +| `customParameterValues` | object | **Optional**. Customized parameter values for specific connections | System.Object | Complex structure, see below. | +| `displayName` | string | **Required**. Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | | | +| `location` | string | **Optional**. Location of the deployment. 
| resourceGroup().location | | +| `nonSecretParameterValues` | object | **Optional**. Dictionary of nonsecret parameter values. | System.Object | | +| `parameterValues` | secureobject | **Optional**. Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | System.Object | | +| `parameterValueType` | string | **Optional**. Value Type of parameter, in case alternativeParameterValues is used. | | "Alternative" | +| `roleAssignments` | array | **Optional**. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID. | System.Object[] | Array of complex structures, see below. | +| `statuses` | array | **Optional**. Status of the connection. | System.Object[] | Array of complex structures, see below. | +| `tags` | object | **Optional**. Tags of the resource. | System.Object | Complex structure, see below. | +| `testLinks` | array | **Optional**. Links to test the API connection. | System.Object[] | Array of complex structures, see below. | + +### Parameter Usage: `connectionApi` + +```json +"connectionApi": { + "value": { + "id": "string", + "type": "string", + "swagger": {}, + "brandColor": "string", + "description": "string", + "displayName": "string", + "iconUri": "string", + "name": "string" + } +} +``` + +### Parameter Usage: `statuses` + +```json +"statuses": { + "value": [ + { + "status": "string", + "target": "string", + "error": { + "location": "string", + "tags": {}, + "properties": { + "code": "string", + "message": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+### Parameter Usage: `testLinks`
+
+```json
+"testLinks": {
+ "value":[
+ {
+ "requestUri": "string",
+ "method": "string"
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| ------------------------- | ------ | ----------------------------------------------------------------- |
+| `connectionResourceId` | string | The Resource Id of the API Connection. |
+| `connectionResourceGroup` | string | The name of the Resource Group the API Connection was created in. |
+| `connectionName` | string | The Name of the API Connection. |
+
+## Considerations
+
+- _None_
+
+## Additional resources
+
+- [Microsoft.Logic workflows template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/connections?tabs=json)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
diff --git a/arm/Microsoft.Web/hostingEnvironments/deploy.json b/arm/Microsoft.Web/hostingEnvironments/deploy.json
new file mode 100644
index 0000000000..1937679bac
--- /dev/null
+++ b/arm/Microsoft.Web/hostingEnvironments/deploy.json
@@ -0,0 +1,573 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appServiceEnvironmentName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the App Service Environment"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "defaultValue": "ASEV2",
+ "metadata": {
+ "description": "Optional. Kind of resource."
+ }
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. ResourceId for the sub net"
+ }
+ },
+ "internalLoadBalancingMode" : {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "Web",
+ "Publishing"
+ ],
+ "defaultValue": "None",
+ "metadata": {
+ "description": "Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing"
+ }
+ },
+ "multiSize": {
+ "type": "string",
+ "allowedValues": [
+ "Medium",
+ "Large",
+ "ExtraLarge",
+ "Standard_D2",
+ "Standard_D3",
+ "Standard_D4",
+ "Standard_D1_V2",
+ "Standard_D2_V2",
+ "Standard_D3_V2",
+ "Standard_D4_V2"
+ ],
+ "defaultValue": "Standard_D1_V2",
+ "metadata": {
+ "description": "Optional. Front-end VM size, e.g. Medium, Large"
+ }
+ },
+ "multiRoleCount" : {
+ "type": "int",
+ "defaultValue": 2,
+ "metadata": {
+ "description": "Optional. Number of front-end instances."
+ }
+ },
+ "ipsslAddressCount": {
+ "type": "int",
+ "defaultValue": 2,
+ "metadata": {
+ "description": "Optional. Number of IP SSL addresses reserved for the App Service Environment."
+ }
+ },
+ "workerPools": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool.."
+ }
+ },
+
+ "dnsSuffix": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. DNS suffix of the App Service Environment."
+ }
+ },
+ "networkAccessControlList": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Access control list for controlling traffic to the App Service Environment.."
+ }
+ },
+ "frontEndScaleFactor": {
+ "type": "int",
+ "defaultValue": 15,
+ "metadata": {
+ "description": "Optional. Scale factor for front-ends."
+ }
+ },
+ "apiManagementAccountId": {
+ "type": "String",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. API Management Account associated with the App Service Environment."
+ }
+ },
+ "suspended": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic)."
+ }
+ },
+ "dynamicCacheEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic)."
+ }
+ },
+ "userWhitelistedIpRanges": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. User added ip ranges to whitelist on ASE db - string"
+ }
+ },
+ "hasLinuxWorkers": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Flag that displays whether an ASE has linux workers or not"
+ }
+ },
+ "clusterSettings" : {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Custom settings for changing the behavior of the App Service Environment"
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Key Vault from deletion."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Resource tags."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [],
+ "diagnosticsLogs": [
+ {
+ "category": "AppServiceEnvironmentPlatformLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "vnetResourceId": "[split(parameters('SubnetResourceId'),'/')]",
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
+ "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
+ "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
+ "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
+ "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
+ "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
+ "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
+ "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
+ "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
+ "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
+ "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
+ "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
+ "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
+ "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
+ "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
+ "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
+ "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
+ "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
+ "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
+ "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
+ "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
+ "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
+ "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
+ "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+ "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
+ "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+ "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+ "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
+ "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
+ "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
+ "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
+ "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
+ "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
+ "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
+ "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
+ "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
+ "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
+ "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
+ "Traffic Manager Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "name": "[parameters('appServiceEnvironmentName')]", + "type": "Microsoft.Web/hostingEnvironments", + "apiVersion": "2020-06-01", + "kind": "[parameters('kind')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "name": "[parameters('appServiceEnvironmentName')]", + "location": "[parameters('location')]", + "virtualNetwork": { + "id": "[parameters('SubnetResourceId')]", + "subnet": "[last(variables('vnetResourceId'))]" + }, + "internalLoadBalancingMode": "[parameters('internalLoadBalancingMode')]", + "multiSize": "[parameters('multiSize')]", + "multiRoleCount": "[parameters('multiRoleCount')]", + "workerPools": "[parameters('workerPools')]", + "ipsslAddressCount": "[parameters('ipSslAddressCount')]", + "dnsSuffix": "[parameters('dnssuffix')]", + "networkAccessControlList": "[parameters('networkAccessControlList')]", + "frontEndScaleFactor": "[parameters('frontEndScaleFactor')]", + "apiManagementAccountId": "[parameters('apiManagementAccountId')]", + "suspended": "[parameters('suspended')]", + "dynamicCacheEnabled": "[parameters('dynamicCacheEnabled')]", + "clusterSettings": "[parameters('clusterSettings')]", + "userWhitelistedIpRanges": "[parameters('userWhitelistedIpRanges')]", + "hasLinuxWorkers": "[parameters('hasLinuxWorkers')]" + }, + "resources": [ + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/appServiceEnvironmentDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Web/hostingEnvironments/', parameters('appServiceEnvironmentName'))]" + ], + "comments": "Resource lock on App Service Environment", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.Web/hostingEnvironments/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('appServiceEnvironmentName'), 
'/Microsoft.Insights/service')]", + "location": "[parameters('location')]", + "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", + "dependsOn": [ + "[concat('Microsoft.Web/hostingEnvironments/', parameters('appServiceEnvironmentName'))]" + ], + "properties": { + "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", + "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", + "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", + "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", + "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", + "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" + } + } + ] + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('appServiceEnvironmentName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + 
"value": "[variables('builtInRoleNames')]" + }, + "appServiceEnvironmentName": { + "value": "[parameters('appServiceEnvironmentName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "appServiceEnvironmentName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Web/hostingEnvironments/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('appServiceEnvironmentName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('appServiceEnvironmentName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "appServiceEnvironmentResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/hostingEnvironments', parameters('appServiceEnvironmentName'))]", + "metadata": { + "description": "The Resource Id of the AppServiceEnvironment." + } + }, + "appServiceEnvironmentResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The name of the Resource Group the AppServiceEnvironment was created in." 
+ }
+ },
+ "appServiceEnvironmentName": {
+ "type": "string",
+ "value": "[parameters('appServiceEnvironmentName')]",
+ "metadata": {
+ "description": "The Name of the AppServiceEnvironment."
+ }
+ }
+
+ }
+}
diff --git a/arm/Microsoft.Web/hostingEnvironments/parameters/parameters.json b/arm/Microsoft.Web/hostingEnvironments/parameters/parameters.json
new file mode 100644
index 0000000000..09d6feb668
--- /dev/null
+++ b/arm/Microsoft.Web/hostingEnvironments/parameters/parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appServiceEnvironmentName": {
+ "value": "sxx-az-ase-weu-x-001"
+ },
+ "SubnetResourceId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-002/subnets/sxx-az-subnet-weu-x-005"
+ }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Web/hostingEnvironments/readme.md b/arm/Microsoft.Web/hostingEnvironments/readme.md
new file mode 100644
index 0000000000..8de6798d30
--- /dev/null
+++ b/arm/Microsoft.Web/hostingEnvironments/readme.md
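Review bot: The `SubnetResourceId` value in the new parameters/parameters.json embeds a concrete subscription GUID and resource names (`/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/...`), which looks like it was copied from a live environment. A subscription ID is not a credential, but committing it ties the sample to one tenant and publishes environment identifiers that are better kept out of the repository. I would replace it with a labelled placeholder that the pipeline substitutes at deploy time, e.g. `"value": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"`. The same file also ends without a trailing newline.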
@@ -0,0 +1,159 @@ +# App Service Environment + +This module deploys App Service Environment, with resource lock. + +## Resource types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Web/hostingEnvironments` | 2020-06-01 | +| `Microsoft.Web/hostingEnvironments/providers/diagnosticsettings` | 2017-05-01-preview | +| `Microsoft.Web/hostingEnvironments/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Resources/deployments` | 2020-06-01 | +| `providers/locks` | 2016-09-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :- | :- | :- | :- | :- | +| `appServiceEnvironmentName` | string | | | Required. Name of the Azure App Service Environment +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. +| `kind` | string | `ASEV2` | | Optional. Kind of resource. +| `subnetResourceId` | string | | | Required. ResourceId for the sub net. +| `internalLoadBalancingMode` | string | `None` | ` "None", "Web", "Publishing" ` | Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing +| `multiSize` | string | `Standard_D1_V2` | ` "Medium","Large","ExtraLarge","Standard_D2","Standard_D3", "Standard_D4","Standard_D1_V2","Standard_D2_V2", "Standard_D3_V2","Standard_D4_V2"` | Optional: Front-end VM size, e.g. Medium, Large +| `multiRoleCount` | int | `2` | | Optional. Number of front-end instances +| `ipsslAddressCount` | int | `2` | | Optional. Number of IP SSL addresses reserved for the App Service Environment. +| `workerPools` | array | `[]` | Complex structure, see below. | Optional. Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool. +| `dnsSuffix` | string | `""` | | Optional. DNS suffix of the App Service Environment. +| `networkAccessControlList` | array | `[]` | | Optional. 
Access control list for controlling traffic to the App Service Environment. +| `frontEndScaleFactor` | int | `15` | | Optional. Scale factor for front-ends. +| `apiManagementAccountId` | string | `""` | | Optional. API Management Account associated with the App Service Environment. +| `suspended` | bool | `false` | | Optional. true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic). +| `dynamicCacheEnabled` | bool | `false` | | Optional. True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic). +| `userWhitelistedIpRanges` | array | `[]` | | Optional. User added ip ranges to whitelist on ASE db - string. +| `hasLinuxWorkers` | bool | `false` | | Optional. Flag that displays whether an ASE has linux workers or not +| `clusterSettings` | array | `[]` | | Optional. Custom settings for changing the behavior of the App Service Environment. +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. +| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. +| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. +| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +| `lockForDeletion` | bool | `true` | | Optional. Switch to lock Azure Key Vault from deletion. 
+| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `workerPools` + +```json +"workerPools": { + "value": { + "workerPools": [ + { + "workerSizeId": 0, + "workerSize": "Small", + "workerCount": 2 + }, + { + "workerSizeId": 1, + "workerSize": "Small", + "workerCount": 2 + } + ] + } +} +``` + +workerPools can have two properties workerSize and workerCount: + +```json + "workerSize": { + "type": "string", + "allowedValues": [ + "Small", + "Medium", + "Large", + "ExtraLarge" + ], + "defaultValue": "Small", + "metadata": { + "description": "Instance size for worker pool one. Maps to P1,P2,P3,P4." + } + }, + "workerCount": { + "type": "int", + "defaultValue": 2, + "minValue": 2, + "maxValue": 100, + "metadata": { + "description": "Number of instances in worker pool one. Minimum of two." + } + } +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `appServiceEnvironmentName` | string | The Name of the AppServiceEnvironment | +| `appServiceEnvironmentResourceGroup` | string | The name of the Resource Group the AppServiceEnvironment was created in. | +| `appServiceEnvironmentResourceId` | string | The Resource Id of the AppServiceEnvironment. | + +## Considerations + +**N/A* + +## Additional resources + +- [Introduction to App Service Environment?](https://docs.microsoft.com/en-us/azure/app-service/environment/intro) +- [Microsoft.Web hostingEnvironments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2020-06-01/hostingenvironments) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) + 
diff --git a/arm/Microsoft.Web/sitesFunction/deploy.json b/arm/Microsoft.Web/sitesFunction/deploy.json
new file mode 100644
index 0000000000..8a189295d1
--- /dev/null
+++ b/arm/Microsoft.Web/sitesFunction/deploy.json
@@ -0,0 +1,505 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "functionAppName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Function App" + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Required. The name of the storage account to managing triggers and logging function executions." + } + }, + "storageAccountResourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Resource group of the storage account to use. Required if the storage account is in a different resource group than the function app itself." + } + }, + "functionsWorkerRuntime": { + "type": "string", + "allowedValues": [ + "dotnet", + "node", + "python", + "java", + "powershell" + ], + "metadata": { + "description": "Required. Runtime of the function worker." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "httpsOnly": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Configures a web site to accept only https requests. Issues redirect for http requests." + } + }, + "appServicePlanId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the App Service Plan to use for the Function App." + } + }, + "appServiceEnvironmentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the App Service Environment to use for the Function App." 
+ } + }, + "managedServiceIdentity": { + "type": "string", + "defaultValue": "None", + "allowedValues": [ + "None", + "SystemAssigned", + "UserAssigned", + "SystemAssigned, UserAssigned", + "UserAssigned, SystemAssigned" + ], + "metadata": { + "description": "Optional. Type of managed service identity." + } + }, + "clientAffinityEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. If Client Affinity is enabled." + } + }, + "siteConfig": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Required. Configuration of the app." + } + }, + "functionsExtensionVersion": { + "type": "string", + "defaultValue": "~3", + "metadata": { + "description": "Optional. Version if the function extension." + } + }, + "enableMonitoring": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. If true, ApplicationInsights will be configured for the Function App." + } + }, + "userAssignedIdentities": { + "type": "object", + "defaultValue":{}, + "metadata": { + "description": "Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource." + } + }, + "lockForDeletion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to lock Function App from deletion." + } + }, + "roleAssignments": { + "defaultValue": [ + ], + "type": "array", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" + } + }, + "tags": { + "type": "object", + "defaultValue": { + }, + "metadata": { + "description": "Optional. Tags of the resource." 
+ } + }, + "cuaId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" + } + } + }, + "variables": { + "hostingEnvironment": { + "id": "[parameters('appServiceEnvironmentId')]" + }, + "builtInRoleNames": { + "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "App Configuration Data 
Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", + "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", + "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", + "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", + "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", + "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", + "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", + "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", + "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", + "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", + "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", + "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", + "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", + "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", + "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", + "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", + "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f96442b-4075-438f-813d-ad51ab4019af')]", + "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", + "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", + "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", + "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", + "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", + "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", + "Cost Management Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", + "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", + "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", + "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", + "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", + "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", + "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", + "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", + "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", + "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", + "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", + "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", + "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", + "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", + "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", + "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", + "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", + "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", + "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", + "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", + "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", + "Management Group Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", + "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", + "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", + "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", + "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", + "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'66bb4e9e-b016-4a94-8249-4c0511c2be84')]", + "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "apiVersion": "2019-08-01", + "type": "Microsoft.Web/sites", + "name": "[parameters('functionAppName')]", + "location": "[parameters('location')]", + "kind": 
"functionapp", + "tags": "[parameters('tags')]", + "dependsOn": [ + "[concat('microsoft.insights/components/',parameters('functionAppName'))]" + ], + "identity": { + "type": "[parameters('managedServiceIdentity')]", + "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')),json('null'),parameters('userAssignedIdentities') )]" + }, + "properties": { + "name": "[parameters('functionAppName')]", + "httpsOnly": "[parameters('httpsOnly')]", + "serverFarmId": "[parameters('appServicePlanId')]", + "hostingEnvironment": "[if(empty(parameters('appServiceEnvironmentId')), json('null'), variables('hostingEnvironment'))]", + "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", + "siteConfig": "[parameters('siteConfig')]" + }, + "resources": [ + { + "apiVersion": "2016-03-01", + "name": "appsettings", + "type": "config", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]" + ], + "properties": { + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',listkeys(resourceId(subscription().subscriptionId ,parameters('storageAccountResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01').keys[0].value,';')]", + "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',listkeys(resourceId(subscription().subscriptionId ,parameters('storageAccountResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01').keys[0].value,';')]", + "FUNCTIONS_EXTENSION_VERSION": "[parameters('functionsExtensionVersion')]", + "FUNCTIONS_WORKER_RUNTIME": "[parameters('functionsWorkerRuntime')]", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[if(parameters('enableMonitoring'), reference(concat('microsoft.insights/components/',parameters('functionAppName')), '2015-05-01').InstrumentationKey, json('null'))]", + 
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[if(parameters('enableMonitoring'), reference(concat('microsoft.insights/components/',parameters('functionAppName')), '2015-05-01').ConnectionString, json('null'))]" + } + }, + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/functionAppDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', parameters('functionAppName'))]" + ], + "comments": "Resource lock on Function App", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "apiVersion": "2015-05-01", + "name": "[parameters('functionAppName')]", + "type": "microsoft.insights/components", + "location": "[parameters('location')]", + "condition": "[parameters('enableMonitoring')]", + "kind": "web", + "tags": "[parameters('tags')]", + "properties": { + "ApplicationId": "[parameters('functionAppName')]", + "Application_Type": "web", + "Request_Source": "IbizaWebAppExtensionCreate" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('functionAppName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "functionAppName": { + "value": "[parameters('functionAppName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + 
"functionAppName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(parameters('functionAppName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('functionAppName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "functionAppName": { + "type": "string", + "value": "[parameters('functionAppName')]", + "metadata": { + "description": "Name of the Function App." + } + }, + "functionResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]", + "metadata": { + "description": "The Resource ID of the Function App." + } + }, + "functionAppResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The Resource group in which the Resource has been created." + } + }, + "assignedIdentityID": { + "type": "string", + "value":"[if(contains(parameters('managedServiceIdentity'),'SystemAssigned'),reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2019-08-01', 'full').identity.principalId,'')]", + "metadata": { + "description": "User id of the created system assigned identity" + } + } + } +} \ No newline at end of file 
diff --git a/arm/Microsoft.Web/sitesFunction/parameters/parameters.json b/arm/Microsoft.Web/sitesFunction/parameters/parameters.json
new file mode 100644
index 0000000000..7e011193da
--- /dev/null
+++ b/arm/Microsoft.Web/sitesFunction/parameters/parameters.json
@@ -0,0 +1,40 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "functionAppName": {
+ "value": "azfaweux01"
+ },
+ "appServicePlanId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Web/serverFarms/sxx-az-asp-weu-x-003"
+ },
+ "siteConfig": {
+ "value": {
+ "alwaysOn": true
+ }
+ },
+ "storageAccountName": {
+ "value": "sxxazsaweux005"
+ },
+ "storageAccountResourceGroupName": {
+ "value": "validation-rg"
+ },
+ "functionsWorkerRuntime": {
+ "value": "powershell"
+ },
+ "enableMonitoring": {
+ "value": false
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Web/sitesFunction/readme.md b/arm/Microsoft.Web/sitesFunction/readme.md
new file mode 100644
index 0000000000..e86f3ddf84
--- /dev/null
+++ b/arm/Microsoft.Web/sitesFunction/readme.md
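Review bot: The `appServicePlanId` value in this new parameters file hard-codes a concrete subscription GUID and environment-specific resource names, which ties the validation input to one environment and commits tenant identifiers to the repository; a pipeline-substituted placeholder such as `/subscriptions/<subscription-id>/resourceGroups/...` (an illustrative placeholder, not a token syntax taken from this repo) would avoid that. The trailing `roleAssignments` sample is disabled with `//` comments, which strict JSON parsers reject, and the `enableMonitoring` entry above it closes with `}` and no comma, so uncommenting the block as written produces a syntax error. With that block commented out and `enableMonitoring` set to `false`, this file presumably leaves the template's nested RBAC deployment and its Application Insights settings unexercised during validation.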
@@ -0,0 +1,125 @@
+# FunctionApp
+
+This module deploys an Function App.
+
+## Resource types
+
+|ResourceType|ApiVersion|
+|:--|:--|
+|`Microsoft.Resources/deployments`|2018-02-01|
+|`Microsoft.Web/sites`|2019-08-01|
+|`microsoft.insights/components`|2015-05-01|
+|`config`|2016-03-01|
+|`providers/locks`|2016-09-01|
+|`Microsoft.Web/sites/providers/roleAssignments`|2018-09-01-preview|
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `appServiceEnvironmentId` | string | Optional. The Resource Id of the App Service Environment to use for the Function App. | | |
+| `appServicePlanId` | string | Optional. The Resource Id of the App Service Plan to use for the Function App. | | |
+| `clientAffinityEnabled` | bool | Optional. If Client Affinity is enabled. | True | |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `enableMonitoring` | bool | Optional. If true, ApplicationInsights will be configured for the Function App. | True | |
+| `functionAppName` | string | Required. Name of the Function App | | |
+| `functionsExtensionVersion` | string | Optional. Version if the function extension. | ~3 | |
+| `functionsWorkerRuntime` | string | Required. Runtime of the function worker. | | System.Object[] |
+| `httpsOnly` | bool | Optional. Configures a web site to accept only https requests. Issues redirect for http requests. | True | |
+| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | |
+| `lockForDeletion` | bool | Optional. Switch to lock Function App from deletion. | False | |
+| `managedServiceIdentity` | string | Optional. Type of managed service identity. | None | System.Object[] |
+| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | |
+| `siteConfig` | object | Required. Configuration of the app. | | |
+| `storageAccountName` | string | Required. The name of the storage account to managing triggers and logging function executions. | | |
+| `storageAccountResourceGroupName` | string | Optional. Resource group of the storage account to use. Required if the storage account is in a different resource group than the function app itself. |
+| `tags` | object | Optional. Tags of the resource. | | |
+| `userAssignedIdentities` | object | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | | |
+
+### Parameter usage: `userAssignedIdentities`
+
+```json
+"userAssignedIdentities":{
+ "value":
+ {
+ "/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/":{},
+ "/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/":{}
+ }
+}
+```
+Use the managed identity id as key, value must be empty.
+
+### Parameter Usage: `siteConfig`
+
+```json
+"siteConfig": {
+ "value": {
+ "alwaysOn": true
+ }
+}
+```
+
+### Parameter Usage: `roleAssignments`
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Desktop Virtualization User",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ]
+ }
+ ]
+}
+```
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `functionAppName` | string | The Name of the created function. Same as functionAppName parameter |
+| `functionAppResourceGroup` | string | Name of the resource group where the resource was created |
+| `functionResourceId` | string | The full resource ID of the created resource |
+| `assignedIdentityID` | string | The object ID of the identity assigned to the resource.
Blank if system assigned identity was not requested |
+
+## Considerations
+
+*N/A*
+
+## Additional resources
+
+- [An introduction to Azure Functions](https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview)
+- [Microsoft.Web sites template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites)
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
diff --git a/arm/Microsoft.Web/webApp/deploy.json b/arm/Microsoft.Web/webApp/deploy.json
new file mode 100644
index 0000000000..a75e09d301
--- /dev/null
+++ b/arm/Microsoft.Web/webApp/deploy.json
@@ -0,0 +1,586 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "Required. Name of the Web App"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "httpsOnly": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Configures a web site to accept only https requests. Issues redirect for http requests."
+ }
+ },
+ "appServicePlanId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Resource Id of the App Service Plan to use for the Function App."
+ }
+ },
+ "appServiceEnvironmentId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Resource Id of the App Service Environment to use for the Function App."
+ }
+ },
+ "managedServiceIdentity": {
+ "type": "string",
+ "defaultValue": "None",
+ "allowedValues": [
+ "None",
+ "SystemAssigned",
+ "UserAssigned",
+ "SystemAssigned, UserAssigned",
+ "UserAssigned, SystemAssigned"
+ ],
+ "metadata": {
+ "description": "Optional. Type of managed service identity."
+ }
+ },
+ "clientAffinityEnabled": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. If Client Affinity is enabled."
+ }
+ },
+ "siteConfig": {
+ "type": "object",
+ "metadata": {
+ "description": "Required. Configuration of the app."
+ }
+ },
+ "enableMonitoring": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. If true, ApplicationInsights will be configured for the Function App."
+ }
+ },
+ "userAssignedIdentities": {
+ "type": "object",
+ "defaultValue":{},
+ "metadata": {
+ "description": "Optional. Mandatory 'managedServiceIdentity' contains UserAssigned.
The identy to assign to the resource."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Function App from deletion."
+ }
+ },
+ "privateEndpoints": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. Configuration Details for private endpoints."
+ }
+ },
+ "roleAssignments": {
+ "defaultValue": [
+ ],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID).
This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "hostingEnvironment": {
+ "id": "[parameters('appServiceEnvironmentId')]"
+ },
+ "builtInRoleNames": {
+ "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
+ "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
+ "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+ "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
+ "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
+ "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
+ "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
+ "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
+ "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
+ "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
+ "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
+ "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
+ "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
+ "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
+ "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
+ "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
+ "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
+ "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
+ "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
+ "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
+ "Azure Connected Machine Onboarding": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
+ "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
+ "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
+ "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
+ "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
+ "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
+ "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
+ "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
+ "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
+ "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
+ "Azure Maps Data Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
+ "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
+ "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
+ "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
+ "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
+ "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
+ "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
+ "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
+ "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
+ "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
+ "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'00c29273-979b-4161-815c-10b084fb9324')]",
+ "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
+ "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
+ "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
+ "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
+ "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
+ "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
+ "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
+ "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
+ "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
+ "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
+ "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
+ "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
+ "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
+ "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
+ "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
+ "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
+ "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
+ "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
+ "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
+ "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
+ "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
+ "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
+ "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
+ "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
+ "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
+ "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
+ "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
+ "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
+ "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
+ "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'72fafb9e-0641-4937-9268-a91bfd8191a3')]",
+ "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
+ "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
+ "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
+ "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
+ "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
+ "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
+ "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
+ "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
+ "EventGrid EventSubscription Reader": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
+ "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
+ "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
+ "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
+ "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
+ "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
+ "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
+ "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
+ "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
+ "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
+ "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
+ "Hierarchy
Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
+ "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
+ "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
+ "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
+ "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
+ "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
+ "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
+ "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
+ "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
+ "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
+ "Log Analytics Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
+ "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
+ "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
+ "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
+ "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
+ "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
+ "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
+ "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
+ "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
+ "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
+ "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/',
'5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
+ "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
+ "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
+ "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
+ "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
+ "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
+ "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
+ "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
+ "Private DNS Zone Contributor": "[concat('/subscriptions/',
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", + "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", + "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", + "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", + 
"Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", + "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", + "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", + "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", + "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", + "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", + "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", + "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", + "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + ] + } + } + }, + { + "apiVersion": "2019-08-01", + "type": "Microsoft.Web/sites", + "name": "[parameters('webAppName')]", + "location": "[parameters('location')]", + "kind": "app", + "tags": "[parameters('tags')]", + "dependsOn": [ + "[concat('microsoft.insights/components/',parameters('webAppName'))]" 
+ ], + "identity": { + "type": "[parameters('managedServiceIdentity')]", + "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')),json('null'),parameters('userAssignedIdentities') )]" + }, + "properties": { + "name": "[parameters('webAppName')]", + "httpsOnly": "[parameters('httpsOnly')]", + "serverFarmId": "[parameters('appServicePlanId')]", + "hostingEnvironment": "[if(empty(parameters('appServiceEnvironmentId')), json('null'), variables('hostingEnvironment'))]", + "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", + "siteConfig": "[parameters('siteConfig')]" + }, + "resources": [ + { + "apiVersion": "2019-08-01", + "name": "appsettings", + "type": "config", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]" + ], + "properties": { + "APPINSIGHTS_INSTRUMENTATIONKEY": "[if(parameters('enableMonitoring'), reference(concat('microsoft.insights/components/',parameters('webAppName')), '2015-05-01').InstrumentationKey, json('null'))]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[if(parameters('enableMonitoring'), reference(concat('microsoft.insights/components/',parameters('webAppName')), '2015-05-01').ConnectionString, json('null'))]" + } + }, + { + "type": "providers/locks", + "apiVersion": "2016-09-01", + "condition": "[parameters('lockForDeletion')]", + "name": "Microsoft.Authorization/functionAppDoNotDelete", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', parameters('webAppName'))]" + ], + "comments": "Resource lock on Function App", + "properties": { + "level": "CannotDelete" + } + } + ] + }, + { + "apiVersion": "2018-05-01-preview", + "name": "[parameters('webAppName')]", + "type": "microsoft.insights/components", + "location": "[parameters('location')]", + "condition": "[parameters('enableMonitoring')]", + "kind": "web", + "tags": "[parameters('tags')]", + "properties": { + "ApplicationId": "[parameters('webAppName')]", + "Application_Type": "web", + "Request_Source": 
"IbizaWebAppExtensionCreate" + } + }, + { + "name": "[concat('rbac-',deployment().name, copyIndex())]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Resources/deployments", + "condition": "[not(empty(parameters('roleAssignments')))]", + "dependsOn": [ + "[parameters('webAppName')]" + ], + "copy": { + "name": "rbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "webAppName": { + "value": "[parameters('webAppName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "webAppName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[concat(parameters('webAppName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('webAppName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", + "dependsOn": [ + ], + "copy": { + "name": "innerRbacCopy", + "count": "[length(parameters('roleAssignment').principalIds)]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" + } + } + ] + } + } + }, + // Private Endpoints + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(uniqueString(deployment().name, parameters('location')), '-WebApp-PrivateEndpoints','-',copyIndex())]", + "condition": "[not(empty(parameters('privateEndpoints')))]", + "dependsOn": [ + "[parameters('webAppName')]" + ], + "copy": { + "name": "privateEndpointsCopy", + "count": "[length(parameters('privateEndpoints'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "privateEndpointResourceId": { + "value": "[resourceId('Microsoft.Web/sites/', parameters('webAppName'))]" + }, + "privateEndpointVnetLocation": { + "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" + }, + "privateEndpoint": { + "value": "[parameters('privateEndpoints')[copyIndex()]]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateEndpointResourceId": { + "type": "string" + }, + "privateEndpointVnetLocation": { + "type": "string" + }, + "privateEndpoint": { + "type": "object" + }, + "tags": { + "type": "object" + } + }, + "variables": { + "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", + "privateEndpoint": { + "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", + "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", + "service": [ + "[parameters('privateEndpoint').service]" + ], + 
"privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", + "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-05-01", + "name": "[variables('privateEndpoint').name]", + "location": "[parameters('privateEndpointVnetLocation')]", + "tags": "[parameters('tags')]", + "properties": { + "privateLinkServiceConnections": [ + { + "name": "[variables('privateEndpoint').name]", + "properties": { + "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", + "groupIds": "[variables('privateEndpoint').service]" + } + } + ], + "manualPrivateLinkServiceConnections": [], + "subnet": { + "id": "[variables('privateEndpoint').subnetResourceId]" + }, + "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-05-01", + "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", + "name": "[concat(variables('privateEndpoint').name, '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" + ], + "properties": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", + "input": { + "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", + "properties": { + "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" + } + } + 
} + ] + } + } + ] + } + } + } + ], + "functions": [ + ], + "outputs": { + "webAppName": { + "type": "string", + "value": "[parameters('webAppName')]", + "metadata": { + "description": "Name of the Web App." + } + }, + "webAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]", + "metadata": { + "description": "The Resource ID of the WebApp." + } + }, + "webAppResourceGroup": { + "type": "string", + "value": "[resourceGroup().name]", + "metadata": { + "description": "The REsource Group in which the resource is created." + } + }, + "assignedIdentityID": { + "type": "string", + "value":"[if(contains(parameters('managedServiceIdentity'),'SystemAssigned'),reference(resourceId('Microsoft.Web/sites', parameters('webAppName')), '2019-08-01', 'full').identity.principalId,'')]", + "metadata": { + "description": "User id of the created system assigned identity" + } + } + } +} \ No newline at end of file diff --git a/arm/Microsoft.Web/webApp/parameters/parameters.json b/arm/Microsoft.Web/webApp/parameters/parameters.json new file mode 100644 index 0000000000..6b5fd10062 --- /dev/null +++ b/arm/Microsoft.Web/webApp/parameters/parameters.json 
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "value": "sxx-az-wa-weu-x-001"
+ },
+ "appServicePlanId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Web/serverFarms/sxx-az-asp-weu-x-003"
+ },
+ "managedServiceIdentity": {
+ "value": "SystemAssigned"
+ },
+ "siteConfig": {
+ "value": {
+ "metadata": [
+ {
+ "name": "CURRENT_STACK",
+ "value": "dotnetcore"
+ }
+ ],
+ "alwaysOn": true
+ }
+ },
+ "httpsOnly": {
+ "value": true
+ },
+ "enableMonitoring": {
+ "value": true
+ }
+ // "roleAssignments": {
+ // "value": [
+ // {
+ // "roleDefinitionIdOrName": "Desktop Virtualization User",
+ // "principalIds": [
+ // "12345678-1234-1234-1234-123456789012", // object 1
+ // "78945612-1234-1234-1234-123456789012" // object 2
+ // ]
+ // }
+ // ]
+ // }
+ }
+}
diff --git a/arm/Microsoft.Web/webApp/readme.md b/arm/Microsoft.Web/webApp/readme.md
new file mode 100644
index 0000000000..912d3f3f25
--- /dev/null
+++ b/arm/Microsoft.Web/webApp/readme.md
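Review bot: The `appServicePlanId` value in `arm/Microsoft.Web/webApp/parameters/parameters.json` hard-codes what looks like a real subscription GUID and resource-group name, which ties this sample file to one environment and publishes that identifier with the module. A placeholder keeps the example usable without pointing at a live subscription: `"value": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Web/serverFarms/<appServicePlanName>"`. The commented-out `roleAssignments` block at the end of `parameters` also means the file is no longer strict JSON, so any pipeline step that reads it with a strict parser will reject it; moving that example to the readme (where it already appears) avoids this. If the block is ever re-enabled, the sample role `"Desktop Virtualization User"` looks carried over from another module and should be replaced by the narrowest role the principal needs on the site, for example `"Reader"`.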
@@ -0,0 +1,157 @@ +# WebApp + +This module deploys an Web App. + + + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +|`Microsoft.Network/privateEndpoints` | 2020-05-01 | +|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Web/sites`|2019-08-01| +|`microsoft.insights/components`|2015-05-01| +|`config`|2016-03-01| +|`providers/locks`|2016-09-01| +|`Microsoft.Web/sites/providers/roleAssignments`|2018-09-01-preview| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `appServiceEnvironmentId` | string | Optional. The Resource Id of the App Service Environment to use for the Function App. | | | +| `appServicePlanId` | string | Optional. The Resource Id of the App Service Plan to use for the Function App. | | | +| `clientAffinityEnabled` | bool | Optional. If Client Affinity is enabled. | True | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `enableMonitoring` | bool | Optional. If true, ApplicationInsights will be configured for the Function App. | True | | +| `httpsOnly` | bool | Optional. Configures a web site to accept only https requests. Issues redirect for http requests. | True | | +| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | +| `lockForDeletion` | bool | Optional. Switch to lock Function App from deletion. | False | | +| `managedServiceIdentity` | string | Optional. Type of managed service identity. | None | System.Object[] | +| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | | +| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | +| `siteConfig` | object | Required. Configuration of the app. | | | +| `tags` | object | Optional. Tags of the resource. | | | +| `webAppName` | string | Required. Name of the Web App | | | +| `userAssignedIdentities` | object | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | | | + +### Parameter usage: `userAssignedIdentities` + +```json +"userAssignedIdentities":{ + "value": + { + "/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/":{}, + "/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/":{} + } +} +``` +Use the managed identity id as key, value must be empty. + +### Parameter Usage: `siteConfig` + +```json +"siteConfig": { + "value": { + "alwaysOn": true + } +} +``` +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. + +- Although not strictly required, it is highly recommened to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-sa-cac-y-123-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-weu-x-001", + "service": "vault", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `webAppName` | string | Name of the Web App. | +| `webAppResourceGroup` | string | The REsource Group in which the resource is created. | +| `webAppResourceId` | string | The Resource ID of the WebApp. | +| `assignedIdentityID` | string | User id of the created system assigned identity | + +## Considerations + +*N/A* + +## Additional resources + +- [An introduction to Azure Webs](https://docs.microsoft.com/en-us/azure/azure-Webs/Webs-overview) +- [Microsoft.Web sites template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file diff --git a/arm/servers/deploy.json b/arm/servers/deploy.json new file mode 100644 index 0000000000..569cb5632e --- /dev/null +++ b/arm/servers/deploy.json 
@@ -0,0 +1,227 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "analysisServicesName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Azure Analysis Services server to create."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "S0",
+ "metadata": {
+ "description": "Optional. The sku name of the Azure Analysis Services server to create."
+ }
+ },
+ "skuCapacity": {
+ "type": "int",
+ "defaultValue": 1,
+ "metadata": {
+ "description": "Optional. The total number of query replica scale-out instances."
+ }
+ },
+ "firewallSettings": {
+ "type": "object",
+ "defaultValue": {
+ "firewallRules": [
+ {
+ "firewallRuleName": "AllowFromAll",
+ "rangeStart": "0.0.0.0",
+ "rangeEnd": "255.255.255.255"
+ }
+ ],
+ "enablePowerBIService": true
+ },
+ "metadata": {
+ "description": "Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all Resources."
+ }
+ },
+ "diagnosticLogsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
+ }
+ },
+ "diagnosticStorageAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of the Diagnostic Storage Account."
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource identifier of Log Analytics."
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional.
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ }
+ },
+ "lockForDeletion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Switch to lock Key Vault from deletion."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {
+ },
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "diagnosticsMetrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ],
+ "diagnosticsLogs": [
+ {
+ "category": "Engine",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Service",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('diagnosticLogsRetentionInDays')]"
+ }
+ }
+ ]
+ },
+ "resources": [
+ {
+ "condition": "[not(empty(parameters('cuaId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('pid-', parameters('cuaId'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.AnalysisServices/servers",
+ "apiVersion": "2017-08-01",
+ "name": "[parameters('analysisServicesName')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "capacity": "[parameters('skuCapacity')]"
+ },
+ "properties": {
+ "ipV4FirewallSettings": "[parameters('firewallSettings')]"
+ },
+ "resources": [
+ {
+ "type": "providers/locks",
+ "apiVersion": "2016-09-01",
+ "condition": "[parameters('lockForDeletion')]",
+ "name": "Microsoft.Authorization/analysisServicesDoNotDelete",
+ "dependsOn": [
+ "[concat('Microsoft.AnalysisServices/servers/', parameters('analysisServicesName'))]"
+ ],
+ "comments": "Resource lock",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.AnalysisServices/servers/providers/diagnosticsettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('analysisServicesName'), '/Microsoft.Insights/service')]",
+ "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
+ "dependsOn": [
+ "[concat('Microsoft.AnalysisServices/servers/', parameters('analysisServicesName'))]"
+ ],
+ "properties": {
+ "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
+ "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
+ "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]",
+ "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]",
+ "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]",
+ "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')),
empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "functions": [
+ ],
+ "outputs": {
+ "analysisServicesName": {
+ "type": "string",
+ "value": "[parameters('analysisServicesName')]",
+ "metadata": {
+ "description": "The Name of the Analysis Services."
+ }
+ },
+ "analysisServicesResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.AnalysisServices/servers', parameters('analysisServicesName'))]",
+ "metadata": {
+ "description": "The Resource Id of the Analysis Services."
+ }
+ },
+ "analysisServicesResourceGroup": {
+ "type": "string",
+ "value": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the Resource Group with the Analysis Services."
+ }
+ }
+ }
+}
diff --git a/arm/servers/parameters/parameters.json b/arm/servers/parameters/parameters.json
new file mode 100644
index 0000000000..6d5a4754fd
--- /dev/null
+++ b/arm/servers/parameters/parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "analysisServicesName": {
+ "value": "sxxazasweux001"
+ },
+ "skuName": {
+ "value": "D1"
+ }
+ }
+}
\ No newline at end of file
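Review bot: The `firewallSettings` default in `parameters` is a single rule `AllowFromAll` covering `0.0.0.0` to `255.255.255.255`, and it is passed unchanged to `ipV4FirewallSettings`, so any deployment that omits the parameter accepts connections from every IPv4 address. The parameter file added in this patch sets only `analysisServicesName` and `skuName`, so it takes that default. I would remove the `defaultValue` so callers have to state their ranges, or at least replace the description, which says the firewall is disabled when nothing is specified, with something like `"Optional. Inbound firewall rules. The default allows all IPv4 addresses; pass explicit ranges for anything other than validation."`. The `lockForDeletion` description also still refers to Key Vault and should name the Analysis Services server.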
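Review bot: The `$schema` on the second line of `arm/servers/parameters/parameters.json` is the deployment template schema, not the parameters schema, so editors and linters validate this file against the wrong document type and will not catch a misspelled parameter entry. It should read `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",`.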
diff --git a/arm/servers/readme.md b/arm/servers/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..3e0334e20263c8a520efd6f0ba3e28974725df24 GIT binary patch literal 6938 zcmeI1Z*LPv5XSd)rGAG~cmooNNhwgMkeU*pQU8FFl)gYnaT155A-3yth|;Ftg-_b{ z`OSE|cjt3(T4>)?$jers0 z%JgaaWcs<5ShH#G2kBJvm{X)}tsmBAU(C#UH=T8%U5AqYF1^s2k?lN?9v8OHMS75y z^)LTLgNwA2zBiplX`mH@bdbhrWoDN$b<)114rS9oTAk>*ubHLRU!>2{t+blHkn~%6 z=6iLzYrFg=K23BwlI(c7C3%;7Cg1m}?lP3c1H%_RvA$!v?xo|JmUnIa{g0w$NBGQY zu`hhP>9z0z;jy8Obz^((Yov;z+jnQ8-?B;UnO(hfHbE875i{*k<9@}amoVd*KN7Q!ht&jbp$UL&&`x+T*W|4MHT33JH*pt7lMhY_z zwGL^`9ag4#Eo=0JNgrz$GN(vCNa9%f4YclfI@7IwZkly14#%2@zayhAw03qJc|N}o ziaEFZ*SchsLTV%(hUOPCCyyOy?WwdHOG~snHEVq*yh@e_25+Y`usO1?nB32M-{hTZO}2r= zuI7=0?%yNrQ>5$Zsb+7a^>o8zfrm$Iye}lx7JKlOernSC5d;hZLLRT&*aau zwT&6RlV&i&rX(Q)mUV46^t>*Ms40OBo*ipnc4$LoOGxz;*GKZ_k)DXi@M>RrpI8Qi zmV11EBHw4>twNT$Mul+&tPvO-OCs6gd@@R3>Zz+w&VZ16OK)KsUkyrQ%|!b`2(b_A z_zicUYhNGi2iJ&~+v#q)qj`a6j+!|=Qjqj$+0+P}{2?qQGs2T$ zS=OY`{^)}5=V?P`xIPgpISwCBZ7PymMU(~?m5Q*g@F9ymUd}8#_w=1*v}scsF6>H< zd!?$f5O0YO_zG@-onSxSKQ_s|$LfAy~WuH4wHgToD09i1t>QLyH*MQeHBjTC&`nU#>>wIh5`t#;tJA&JEA zz_cNLs|>tvc+T$WIKpF8E$=1vr!m-^AK6`|heCyl09T%9{<8`eFVidIWEdl4K9^o+ znmbBgOVfJ)@KBuqd5Vp*97`0r_ncv(26-$ImvoWy(5J3dS7#n@-_D+Y%Bl4)Eefja z`&4i6;83-jn%&gx)g=}jrzcuF5~opJh^V?f#0K5*d|S4xmW^ePa}W{Y8XW8CTgjvs zpi}go5nIvsL~n_t>aM{uPb|iXr8ewKb-<_Uak>*WgbU6W?gAq6VFoHKwzXA%`a&Wj zIvGxTa0s=T?wFN5olJru@HyUx9sE=q)~sG)MX=u0;wNlyByxRda_7hDRkw7ibxcei~<0*HG^ZXX-p3bYIhl zC}yv^1mc|=5$|4M{D}Q}pPNszJF;X))d)ZK&5EUIlq~5CSft-VI3OYJ=LUv+gL+*H#)DeYJ35lg6|hR&pww}jy$}AUR$b2if%>f8tZQ0#6(8V- zV0ok;Sf-M*-VrcfowKcRxa5uEh^+QIlX Date: Thu, 26 Aug 2021 00:43:58 +0200 Subject: [PATCH 6/7] Small fix --- .../servers/deploy.json | 0 .../servers/parameters/parameters.json | 0 .../servers/readme.md | Bin 3 files changed, 0 insertions(+), 0 deletions(-) rename arm/{ => Microsoft.AnalysisServices}/servers/deploy.json (100%) rename arm/{ => Microsoft.AnalysisServices}/servers/parameters/parameters.json 
(100%) rename arm/{ => Microsoft.AnalysisServices}/servers/readme.md (100%) diff --git a/arm/servers/deploy.json b/arm/Microsoft.AnalysisServices/servers/deploy.json similarity index 100% rename from arm/servers/deploy.json rename to arm/Microsoft.AnalysisServices/servers/deploy.json diff --git a/arm/servers/parameters/parameters.json b/arm/Microsoft.AnalysisServices/servers/parameters/parameters.json similarity index 100% rename from arm/servers/parameters/parameters.json rename to arm/Microsoft.AnalysisServices/servers/parameters/parameters.json diff --git a/arm/servers/readme.md b/arm/Microsoft.AnalysisServices/servers/readme.md similarity index 100% rename from arm/servers/readme.md rename to arm/Microsoft.AnalysisServices/servers/readme.md From 2d624de682b7bf23343dad01f52fb9fe8935f8b8 Mon Sep 17 00:00:00 2001 From: IaCS solution Date: Thu, 26 Aug 2021 00:45:27 +0200 Subject: [PATCH 7/7] Small fix --- .../workspaces/{workspaces => }/deploy.json | 0 .../workspaces/{workspaces => }/parameters/parameters.json | 0 .../workspaces/{workspaces => }/readme.md | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename arm/Microsoft.MachineLearningServices/workspaces/{workspaces => }/deploy.json (100%) rename arm/Microsoft.MachineLearningServices/workspaces/{workspaces => }/parameters/parameters.json (100%) rename arm/Microsoft.MachineLearningServices/workspaces/{workspaces => }/readme.md (100%) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json b/arm/Microsoft.MachineLearningServices/workspaces/deploy.json similarity index 100% rename from arm/Microsoft.MachineLearningServices/workspaces/workspaces/deploy.json rename to arm/Microsoft.MachineLearningServices/workspaces/deploy.json 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/parameters/parameters.json similarity index 100% rename from arm/Microsoft.MachineLearningServices/workspaces/workspaces/parameters/parameters.json rename to arm/Microsoft.MachineLearningServices/workspaces/parameters/parameters.json diff --git a/arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md similarity index 100% rename from arm/Microsoft.MachineLearningServices/workspaces/workspaces/readme.md rename to arm/Microsoft.MachineLearningServices/workspaces/readme.md