From 0f0edd1a12a696efe58bf1291a4949d7036963fa Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 15 Jun 2022 16:02:10 +0200
Subject: [PATCH 1/3] Align backupVaults to new telemetry and lock strategy
---
 .../backupVaults/.parameters/parameters.json | 3 +++
 arm/Microsoft.DataProtection/backupVaults/deploy.bicep | 10 +++++-----
 arm/Microsoft.DataProtection/backupVaults/readme.md | 6 +++++-
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json b/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
index fa4274854d..bad76a8a40 100644
--- a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
+++ b/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
@@ -5,6 +5,9 @@
 "name": {
 "value": "<>-az-bv-x-001"
 },
+ "lock": {
+ "value": "CanNotDelete"
+ },
 "backupPolicies": {
 "value": [
 {
diff --git a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
index 91e85dfd0b..87b35f8395 100644
--- a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
+++ b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
@@ -11,12 +11,12 @@ param location string = resourceGroup().location
 param roleAssignments array = []
 
 @allowed([
+ ''
 'CanNotDelete'
- 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = 'NotSpecified'
+param lock string = ''
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
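Review bot: The `lock` parameter's `@description` is not updated for the new contract: `''` is now the first allowed value and the default, but nothing says that an empty string means "deploy no lock", and the generated readme in this same commit renders the allowed list as `[, CanNotDelete, ReadOnly]`, which a reader cannot interpret without that sentence. Suggest `@description('Optional. Specify the type of lock. Leave empty to deploy no lock.')` so the sentinel is documented at the parameter rather than only implied by the deployment condition further down the file. This hunk only covers the parameter declaration; the lock resource that consumes it sits outside the hunk.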
@@ -52,7 +52,7 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
-var enableChildTelemetry = false
+var enableReferencedModulesTelemetry = false
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -87,14 +87,14 @@ module backupVault_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPo
 backupVaultName: backupVault.name
 name: backupPolicy.name
 properties: backupPolicy.properties
- enableDefaultTelemetry: enableChildTelemetry
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
 
 resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock != 'NotSpecified') {
 name: '${backupVault.name}-${lock}-lock'
 properties: {
- level: lock
+ level: any(lock)
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: backupVault
diff --git a/arm/Microsoft.DataProtection/backupVaults/readme.md b/arm/Microsoft.DataProtection/backupVaults/readme.md
index cbde48bd06..196f983a7d 100644
--- a/arm/Microsoft.DataProtection/backupVaults/readme.md
+++ b/arm/Microsoft.DataProtection/backupVaults/readme.md
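Review bot: The `backupVault_lock` deployment condition is left as `if (lock != 'NotSpecified')` although this commit removes `'NotSpecified'` from the parameter's allowed values and makes `''` the default, so a caller that omits `lock` now has the condition evaluate true and the template tries to create a `Microsoft.Authorization/locks` resource named `<vault>--lock` with `level: any('')`, which is not a valid lock level and will presumably fail the deployment. The condition should change to `if (!empty(lock))` in the same commit as the default change; patch 3/3 of this series makes exactly that edit, so squashing it here would avoid a non-deployable intermediate commit. Switching `level: lock` to `level: any(lock)` only silences the compile-time enum check and is acceptable solely because `@allowed` still constrains the parameter — a one-line comment stating that dependency would help the next reader. The `module backupVault_backupPolicies` block whose `params` appear at the top of this hunk starts outside it.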
@@ -32,7 +32,7 @@ This module deploys DataProtection BackupVaults.
 | `dataStoreType` | string | `'SnapshotStore'` | `[ArchiveStore, SnapshotStore, VaultStore]` | The datastore type to use. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the Recovery Service Vault resource. |
@@ -382,6 +382,9 @@ module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = {
 "name": {
 "value": "<>-az-bv-x-001"
 },
+ "lock": {
+ "value": "CanNotDelete"
+ },
 "backupPolicies": {
 "value": [
 {
@@ -462,6 +465,7 @@ module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-backupVaults'
 params: {
 name: '<>-az-bv-x-001'
+ lock: 'CanNotDelete'
 backupPolicies: [
 {
 name: 'DefaultPolicy'
From 96a3d08c84043606e0665494b49b7dc3fb1992bd Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 15 Jun 2022 16:08:26 +0200
Subject: [PATCH 2/3] Api lock update
---
 arm/Microsoft.DataProtection/backupVaults/deploy.bicep | 2 +-
 arm/Microsoft.DataProtection/backupVaults/readme.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
index 87b35f8395..408721650f 100644
--- a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
+++ b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
@@ -91,7 +91,7 @@ module backupVault_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPo
 }
 }]
 
-resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock != 'NotSpecified') {
+resource backupVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${backupVault.name}-${lock}-lock'
 properties: {
 level: any(lock)
diff --git a/arm/Microsoft.DataProtection/backupVaults/readme.md b/arm/Microsoft.DataProtection/backupVaults/readme.md
index 196f983a7d..b83dc6ea84 100644
--- a/arm/Microsoft.DataProtection/backupVaults/readme.md
+++ b/arm/Microsoft.DataProtection/backupVaults/readme.md
@@ -13,7 +13,7 @@ This module deploys DataProtection BackupVaults.
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
+| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.DataProtection/backupVaults` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults) |
 | `Microsoft.DataProtection/backupVaults/backupPolicies` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults/backupPolicies) |
From bd0bc7735eb8da5ab2c2fd214cf6d2adb9fa6754 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 15 Jun 2022 16:21:18 +0200
Subject: [PATCH 3/3] lock condition
---
 arm/Microsoft.DataProtection/backupVaults/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
index 408721650f..7018414b15 100644
--- a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
+++ b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
@@ -91,7 +91,7 @@ module backupVault_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPo
 }
 }]
 
-resource backupVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+resource backupVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
 name: '${backupVault.name}-${lock}-lock'
 properties: {
 level: any(lock)
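Review bot: The corrected condition `if (!empty(lock))` is right but leaves the pairing with `level: any(lock)` unexplained, and nothing in the file records that `''` is the "no lock" sentinel rather than a value that ever reaches the resource. Suggest a comment directly above the `resource backupVault_lock` line: `// '' means "no lock": it is in the parameter's @allowed set but is not a valid lock level, so the !empty() guard keeps it out of the resource and any() is only needed to bypass the compile-time enum check.` It would also be worth confirming in this commit that the referenced `backupPolicies/deploy.bicep` module, if it deploys a lock of its own, received the same condition change, since a sibling still comparing against `'NotSpecified'` would silently attempt an invalid lock at the new empty default. The `module backupVault_backupPolicies` block closed at the top of this hunk starts outside it.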