From e4234211a312cf00c3091c26987c613096ff2c82 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 10 Jun 2022 14:35:33 +0200 Subject: [PATCH 01/30] Added first draft for CMK + minor fixes --- .../ms.containerinstance.containergroups.yml | 1 + .../.parameters/encr.parameters.json | 32 ++++++++ .../containerGroups/deploy.bicep | 35 ++++++++- .../containerGroups/readme.md | 76 +++++++++++++++++++ 4 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json diff --git a/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml b/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml index ec49b3c6ce..63dc7cc62b 100644 --- a/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml +++ b/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml @@ -45,6 +45,7 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: + - path: $(modulePath)/.parameters/encr.parameters.json - path: $(modulePath)/.parameters/parameters.json - stage: Publishing diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json new file mode 100644 index 0000000000..cf1fe4cd26 --- /dev/null +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json 
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-acg-ecnr-001" + }, + "containerName": { + "value": "<>-az-aci-x-001" + }, + "image": { + "value": "mcr.microsoft.com/azuredocs/aci-helloworld" + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + // "cMKUserAssignedIdentityResourceId": { + // "value": "/subscriptions//resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + // }, + "cMKKeyVersion": { + "value": "590ebf5bfd9948698e5286ab924249a0" + } + } +} diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 6ba3d5db01..147a70e7c7 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -10,8 +10,8 @@ param image string @description('Optional. Port to open on the container and the public IP address.') param ports array = [ { - name: 'Tcp' - value: '443' + protocol: 'Tcp' + port: '443' } ] 
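Review bot: The `name` value `<>-az-acg-ecnr-001` spells its suffix `ecnr`, while the parameter file and the pipeline entry that references it are named `encr`; the readme examples generated from this file (the JSON and Bicep blocks further down in this patch) inherit the spelling. Unless `ecnr` is intentional, `<>-az-acg-encr-001` keeps the deployed resource name searchable against the file that deploys it.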
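Review bot: `port: '443'` in the renamed default keeps the port as a string while switching the keys to the `protocol`/`port` shape the container port object expects; `port` is an integer in the ContainerInstance schema, and the test file later in this series passes `"port": 80` unquoted, so the default should be `port: 443`. Because `ports` is declared as a plain `array`, nothing validates the element shape at compile time; a short description on the parameter naming the expected `{ protocol, port }` objects would help callers avoid the same mismatch.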
@@ -59,6 +59,25 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +@description('Optional. The container group SKU.') +@allowed([ + 'Dedicated' + 'Standard' +]) +param sku string = 'Standard' + +@description('Optional. Enable service encryption.') +param enableEncryption bool = true + +@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +param cMKKeyName string = '' + +@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') +param cMKKeyVersion string = '' + var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -78,12 +97,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } +resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/')) + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' = { name: name location: location identity: identity tags: tags properties: { + sku: sku containers: [ { name: containername 
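Review bot: The description of `cMKKeyVersion` references a parameter `'cMKeyName'` that does not exist; the parameter declared just above is `cMKKeyName`, and the same typo reappears in the `cMKKeyVaultResourceId` description added at the later hunk @@ -69 and survives into @@ -66 in the last deploy.bicep patch. The readme tables are generated from these descriptions, so the wrong name propagates into the `Conditional parameters` table as well. Change both to `Required if \'cMKKeyName\' is not empty.`.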
@@ -101,6 +126,12 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' } } ] + encryptionProperties: enableEncryption && !empty(cMKKeyName) ? { + // Customer-managed key + keyName: cMKKeyName + keyVersion: cMKKeyVersion + vaultBaseUrl: cmkKeyVault.properties.vaultUri + } : null imageRegistryCredentials: imageRegistryCredentials restartPolicy: restartPolicy osType: osType diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md index e224724a17..fb2af7aee8 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md 
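Review bot: `vaultBaseUrl: cmkKeyVault.properties.vaultUri` dereferences a resource the preceding hunk declares as `existing = if (!empty(cMKKeyVaultResourceId))`, while this block is gated on `enableEncryption && !empty(cMKKeyName)` (and on `!empty(cMKKeyName)` alone after the later hunk @@ -126). A caller who sets `cMKKeyName` without `cMKKeyVaultResourceId`, or without `cMKKeyVersion` which the description marks as required, therefore fails inside the deployment with a reference or validation error that names neither input. Do not fall back to platform-managed keys when one of them is missing, since a caller asking for a customer-managed key should not silently get a weaker deployment; instead gate the `existing` lookup on the same predicate as its consumer, `existing = if (!empty(cMKKeyName))`, so a missing vault ID surfaces as the Key Vault lookup error, and mark `cMKKeyVaultResourceId` and `cMKKeyVersion` as `Conditional.` in their descriptions. The `containergroup` resource continues outside this hunk.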
@@ -27,11 +27,19 @@ The top-level resource in Azure Container Instances is the container group. A co | `image` | string | Name of the image. | | `name` | string | Name for the container group. | +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. Required if 'cMKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cpuCores` | int | `2` | | The number of CPU cores to allocate to the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `enableEncryption` | bool | `True` | | Enable service encryption. | | `environmentVariables` | array | `[]` | | Environment variables of the container group. | | `imageRegistryCredentials` | array | `[]` | | The image registry credentials by which the container group is created from. | | `ipAddressType` | string | `'Public'` | | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | 
@@ -41,6 +49,7 @@ The top-level resource in Azure Container Instances is the container group. A co | `osType` | string | `'Linux'` | | The operating system type required by the containers in the container group. - Windows or Linux. | | `ports` | array | `[System.Collections.Hashtable]` | | Port to open on the container and the public IP address. | | `restartPolicy` | string | `'Always'` | | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. | +| `sku` | string | `'Standard'` | `[Dedicated, Standard]` | The container group SKU. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | @@ -176,6 +185,73 @@ userAssignedIdentities: { via JSON Parameter file +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-acg-ecnr-001" + }, + "containerName": { + "value": "<>-az-aci-x-001" + }, + "image": { + "value": "mcr.microsoft.com/azuredocs/aci-helloworld" + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + // "cMKUserAssignedIdentityResourceId": { + // "value": "/subscriptions//resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + // }, + "cMKKeyVersion": { + "value": "590ebf5bfd9948698e5286ab924249a0" + } + } +} + +``` + + + +
+ +via Bicep module + +```bicep +module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-containerGroups' + params: { + name: '<>-az-acg-ecnr-001' + containerName: '<>-az-aci-x-001' + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + } + cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' + cMKKeyName: 'keyEncryptionKey' + cMKKeyVersion: '590ebf5bfd9948698e5286ab924249a0' + } +``` + +
+

+ +

Example 2

+ +
+ +via JSON Parameter file + ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", From 08bace4ad0f6a0c0d2e66a9fe3a24e568a60576a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 21:32:58 +0200 Subject: [PATCH 02/30] Disabled ports for testing --- .../containerGroups/.parameters/encr.parameters.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index cf1fe4cd26..61c39b0830 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -27,6 +27,9 @@ // }, "cMKKeyVersion": { "value": "590ebf5bfd9948698e5286ab924249a0" + }, + "ports": { + "value": [] } } } From 6b0c30b2c5420c1de225169243bde930a3a7ae94 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 21:34:06 +0200 Subject: [PATCH 03/30] Disabled test file & pester --- .../ms.containerinstance.containergroups.yml | 26 +++++++++---------- .../{parameters.json => parameters.dis..json} | 0 2 files changed, 13 insertions(+), 13 deletions(-) rename arm/Microsoft.ContainerInstance/containerGroups/.parameters/{parameters.json => parameters.dis..json} (100%) diff --git a/.github/workflows/ms.containerinstance.containergroups.yml b/.github/workflows/ms.containerinstance.containergroups.yml index b742a184d5..06560dd9db 100644 --- a/.github/workflows/ms.containerinstance.containergroups.yml +++ b/.github/workflows/ms.containerinstance.containergroups.yml 
@@ -64,18 +64,18 @@ jobs: ######################### # Static validation # ######################### - job_module_pester_validation: - runs-on: ubuntu-20.04 - name: 'Static validation' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Run tests' - uses: ./.github/actions/templates/validateModulePester - with: - modulePath: '${{ env.modulePath }}' + # job_module_pester_validation: + # runs-on: ubuntu-20.04 + # name: 'Static validation' + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Run tests' + # uses: ./.github/actions/templates/validateModulePester + # with: + # modulePath: '${{ env.modulePath }}' ############################# # Deployment validation # @@ -85,7 +85,7 @@ jobs: name: 'Deployment validation' needs: - job_initialize_pipeline - - job_module_pester_validation + #- job_module_pester_validation strategy: fail-fast: false matrix: diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.dis..json similarity index 100% rename from arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json rename to arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.dis..json From 7ea48fca252e886f9d34a0f8a5eb968522731069 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 21:42:02 +0200 Subject: [PATCH 04/30] URL & port tests --- .../containerGroups/.parameters/encr.parameters.json | 9 ++++++++- .../containerGroups/deploy.bicep | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index 61c39b0830..1e91332ed5 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json 
+++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -29,7 +29,14 @@ "value": "590ebf5bfd9948698e5286ab924249a0" }, "ports": { - "value": [] + "value": [ + { + "port": 80 + }, + { + "port": 8080 + } + ] } } } diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 147a70e7c7..3658cf533e 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -130,7 +130,7 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' // Customer-managed key keyName: cMKKeyName keyVersion: cMKKeyVersion - vaultBaseUrl: cmkKeyVault.properties.vaultUri + vaultBaseUrl: 'https://adp-carml-az-kv-nopr-002.vault.azure.net' //cmkKeyVault.properties.vaultUri } : null imageRegistryCredentials: imageRegistryCredentials restartPolicy: restartPolicy From b64a63d94a3c64ebbdc9e881100f23bd82ef9eac Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 21:50:44 +0200 Subject: [PATCH 05/30] Undid changes --- .../containerGroups/.parameters/encr.parameters.json | 10 ---------- .../containerGroups/deploy.bicep | 2 +- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index 1e91332ed5..cf1fe4cd26 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -27,16 +27,6 @@ // }, "cMKKeyVersion": { "value": "590ebf5bfd9948698e5286ab924249a0" - }, - "ports": { - "value": [ - { - "port": 80 - }, - { - "port": 8080 - } - ] } } } 
diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 3658cf533e..147a70e7c7 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -130,7 +130,7 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' // Customer-managed key keyName: cMKKeyName keyVersion: cMKKeyVersion - vaultBaseUrl: 'https://adp-carml-az-kv-nopr-002.vault.azure.net' //cmkKeyVault.properties.vaultUri + vaultBaseUrl: cmkKeyVault.properties.vaultUri } : null imageRegistryCredentials: imageRegistryCredentials restartPolicy: restartPolicy From 672185f1cd63539f5264f6bcd86febb92f3e713d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 22:17:43 +0200 Subject: [PATCH 06/30] Updated docs --- .../ms.containerinstance.containergroups.yml | 26 +++++++++---------- .../.parameters/encr.parameters.json | 3 --- .../{parameters.dis..json => parameters.json} | 0 .../containerGroups/deploy.bicep | 2 +- .../containerGroups/readme.md | 5 +--- 5 files changed, 15 insertions(+), 21 deletions(-) rename arm/Microsoft.ContainerInstance/containerGroups/.parameters/{parameters.dis..json => parameters.json} (100%) diff --git a/.github/workflows/ms.containerinstance.containergroups.yml b/.github/workflows/ms.containerinstance.containergroups.yml index 06560dd9db..b742a184d5 100644 --- a/.github/workflows/ms.containerinstance.containergroups.yml +++ b/.github/workflows/ms.containerinstance.containergroups.yml 
@@ -64,18 +64,18 @@ jobs: ######################### # Static validation # ######################### - # job_module_pester_validation: - # runs-on: ubuntu-20.04 - # name: 'Static validation' - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Run tests' - # uses: ./.github/actions/templates/validateModulePester - # with: - # modulePath: '${{ env.modulePath }}' + job_module_pester_validation: + runs-on: ubuntu-20.04 + name: 'Static validation' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Run tests' + uses: ./.github/actions/templates/validateModulePester + with: + modulePath: '${{ env.modulePath }}' ############################# # Deployment validation # @@ -85,7 +85,7 @@ jobs: name: 'Deployment validation' needs: - job_initialize_pipeline - #- job_module_pester_validation + - job_module_pester_validation strategy: fail-fast: false matrix: diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index cf1fe4cd26..867e0eb9ee 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -22,9 +22,6 @@ "cMKKeyName": { "value": "keyEncryptionKey" }, - // "cMKUserAssignedIdentityResourceId": { - // "value": "/subscriptions//resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - // }, "cMKKeyVersion": { "value": "590ebf5bfd9948698e5286ab924249a0" } 
diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.dis..json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json similarity index 100% rename from arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.dis..json rename to arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 147a70e7c7..e1abb978f6 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -66,7 +66,7 @@ param enableDefaultTelemetry bool = true ]) param sku string = 'Standard' -@description('Optional. Enable service encryption.') +@description('Optional. Enable service encryption. Note: This feature requires you to register a service principal for application [Azure Container Instance Service] as described here: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci.') param enableEncryption bool = true @description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md index fb2af7aee8..9e100f614b 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md 
@@ -39,7 +39,7 @@ The top-level resource in Azure Container Instances is the container group. A co | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cpuCores` | int | `2` | | The number of CPU cores to allocate to the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `enableEncryption` | bool | `True` | | Enable service encryption. | +| `enableEncryption` | bool | `True` | | Enable service encryption. Note: This feature requires you to register a service principal for application [Azure Container Instance Service] as described here: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci. | | `environmentVariables` | array | `[]` | | Environment variables of the container group. | | `imageRegistryCredentials` | array | `[]` | | The image registry credentials by which the container group is created from. | | `ipAddressType` | string | `'Public'` | | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | @@ -210,9 +210,6 @@ userAssignedIdentities: { "cMKKeyName": { "value": "keyEncryptionKey" }, - // "cMKUserAssignedIdentityResourceId": { - // "value": "/subscriptions//resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - // }, "cMKKeyVersion": { "value": "590ebf5bfd9948698e5286ab924249a0" } From 7edcef27e64c775fe90cbdcf167f1a7459bc326d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 22:38:54 +0200 Subject: [PATCH 07/30] Updated wiki --- .../.parameters/encr.parameters.json | 2 +- .../containerGroups/deploy.bicep | 2 +- ...Onboard module library and CI environment.md | 17 +++++++++++++---- 3 files changed, 15 insertions(+), 6 deletions(-) 
diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index 867e0eb9ee..1c921a1440 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -23,7 +23,7 @@ "value": "keyEncryptionKey" }, "cMKKeyVersion": { - "value": "590ebf5bfd9948698e5286ab924249a0" + "value": "590ebf5bfd9948698e5286ab924249a0" // ID must be updated for new keys } } } diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index e1abb978f6..6f8eb60a84 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -69,7 +69,7 @@ param sku string = 'Standard' @description('Optional. Enable service encryption. Note: This feature requires you to register a service principal for application [Azure Container Instance Service] as described here: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci.') param enableEncryption bool = true -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') diff --git a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md index 63c1784079..160def31c9 100644 
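Review bot: The trailing `// ID must be updated for new keys` comment sits inside a `.json` parameter file; ARM deployments tolerate comments, but strict JSON parsers (linters, `jq`, editors in JSON rather than JSONC mode) reject the file, so if the repository's tooling validates parameter files as strict JSON the note belongs in the readme or wiki instead. The comment also says `ID`, but the value is a key version, and it does not say when the update is needed; `// version of 'keyEncryptionKey' in the validation vault; update after the key is rotated` states the action.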
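Review bot: The updated description still opens with `Optional.` while stating the value is required whenever the key name is set; the sibling `cMKKeyVersion` uses the `Conditional.` prefix for exactly this case, and the readme generator sorts parameters into the Conditional table by that prefix, so `cMKKeyVaultResourceId` ends up listed under Optional with a "Required if" clause. Change it to `@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')`.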
--- a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md @@ -7,7 +7,8 @@ This requires several steps: 1. [Configure the CI environment](#3-configure-the-ci-environment) 1. [Deploy dependencies](#4-deploy-dependencies) 1. [Update module parameter files](#5-update-module-parameter-files) -1. [(Optional) Convert library to ARM](#6-optional-convert-library-to-arm) +1. [Setup special module requirements](#6-setup-special-module-requirements) +1. [(Optional) Convert library to ARM](#7-optional-convert-library-to-arm) Depending on the DevOps environment you choose (GitHub or Azure DevOps) make sure you also account for the specific requirements outlined below. @@ -218,7 +219,7 @@ To do so, perform the following steps: Enable Actions - + ### 3.2.4 Set R/W Workflow permissions To let the worflow engine publish their results into your repository, you have to enable the read / write access for the github actions. 
@@ -390,10 +391,18 @@ For this reason, make sure to update the references in the following modules onc | `arm\Microsoft.Network\applicationGateways\.parameters\parameters.json` | `sslCertificates.value.properties.keyVaultSecretId` | | | `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `appSettingsKeyValuePairs.value.EASYAUTH_SECRET` | Key Vault secret URI without version | | `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App | -| `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app | +| `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app || +| `arm\Microsoft.ContainerInstance\containerGroups\.parameters\encr.parameters.json` | `cMKKeyVersion` |
-# 6. (Optional) Convert library to ARM +# 6. Setup special module requirements + +Certain module may require you to perform additional actions if you want to use them in your CI environment: + +| Module | Condition | Actions | +| arm\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | + +# 7. (Optional) Convert library to ARM Note that in case you don't want to use Bicep, you always have the option to use the utility `ConvertTo-ARMTemplate` we provide in path `utilities/tools` to convert the repository to an ARM-only repository. Due to the way Bicep works and the CI environment is set up, you should be able to use it with ARM templates in the same way as you would when using Bicep. For further information on how to use the tool, please refer to the tool-specific [documentation](./Interoperability%20-%20Bicep%20to%20ARM%20conversion). From 25ad60c163a8d6ec3112f60d57a38c02d237094f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 22:40:22 +0200 Subject: [PATCH 08/30] Updated wiki --- ... - Scenario 1 Onboard module library and CI environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md index 160def31c9..cf39ecbf5e 100644 --- a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md 
@@ -400,8 +400,8 @@ For this reason, make sure to update the references in the following modules onc Certain module may require you to perform additional actions if you want to use them in your CI environment: -| Module | Condition | Actions | -| arm\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | +| Module | Condition | Actions | Opt-out | +| arm\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | If you don't want to test the encryption properties or lack the capabilities to satisfy the requirements you can simply remove the `encr.parameters.json` parameter file from the module folder. | # 7. (Optional) Convert library to ARM From cc1f7768747c7dfb1aab6e08e1bc9179f51b49e0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 19 Jun 2022 22:41:39 +0200 Subject: [PATCH 09/30] Update to latest --- ...ted - Scenario 1 Onboard module library and CI environment.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md index cf39ecbf5e..942bef489f 100644 --- a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md 
@@ -401,6 +401,7 @@ For this reason, make sure to update the references in the following modules onc Certain module may require you to perform additional actions if you want to use them in your CI environment: | Module | Condition | Actions | Opt-out | +| - | - | - | - | | arm\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | If you don't want to test the encryption properties or lack the capabilities to satisfy the requirements you can simply remove the `encr.parameters.json` parameter file from the module folder. | # 7. (Optional) Convert library to ARM From d6de3df752c0a335b53e54fab45e2f843977711d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 20 Jun 2022 11:03:05 +0200 Subject: [PATCH 10/30] Removed redundant param --- .../containerGroups/deploy.bicep | 7 ++----- arm/Microsoft.ContainerInstance/containerGroups/readme.md | 7 +++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 6f8eb60a84..9f0184e370 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep 
@@ -66,13 +66,10 @@ param enableDefaultTelemetry bool = true ]) param sku string = 'Standard' -@description('Optional. Enable service encryption. Note: This feature requires you to register a service principal for application [Azure Container Instance Service] as described here: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci.') -param enableEncryption bool = true - @description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' -@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +@description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' @description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') @@ -126,7 +123,7 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' } } ] - encryptionProperties: enableEncryption && !empty(cMKKeyName) ? { + encryptionProperties: !empty(cMKKeyName) ? { // Customer-managed key keyName: cMKKeyName keyVersion: cMKKeyVersion diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md index 9e100f614b..1b66586c7e 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md 
@@ -35,11 +35,10 @@ The top-level resource in Azure Container Instances is the container group. A co **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKeyName' is not empty. | | `cpuCores` | int | `2` | | The number of CPU cores to allocate to the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `enableEncryption` | bool | `True` | | Enable service encryption. Note: This feature requires you to register a service principal for application [Azure Container Instance Service] as described here: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci. | | `environmentVariables` | array | `[]` | | Environment variables of the container group. | | `imageRegistryCredentials` | array | `[]` | | The image registry credentials by which the container group is created from. | | `ipAddressType` | string | `'Public'` | | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | @@ -211,7 +210,7 @@ userAssignedIdentities: { "value": "keyEncryptionKey" }, "cMKKeyVersion": { - "value": "590ebf5bfd9948698e5286ab924249a0" + "value": "590ebf5bfd9948698e5286ab924249a0" // ID must be updated for new keys } } } 
From 98cd5d098d0e8e51540d46844877e9e86e50dd80 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:33:08 +0200 Subject: [PATCH 11/30] Minor change in prep --- ...board module library and CI environment.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index 1d5bc686b2..805387033c 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -380,17 +380,17 @@ For this reason, make sure to update the references in the following modules onc | File | Parameter | Notes | | - | - | - | -| `arm\Microsoft.Compute\diskEncryptionSets\.parameters\parameters.json` |`keyUrl.value` | | -| `arm\Microsoft.Compute\virtualMachines\.parameters\linux.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | -| `arm\Microsoft.Compute\virtualMachines\.parameters\windows.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | -| `arm\Microsoft.Compute\virtualMachineScaleSets\.parameters\linux.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | -| `arm\Microsoft.Compute\virtualMachineScaleSets\.parameters\windows.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | -| `arm\Microsoft.Sql\managedInstances\.parameters\parameters.json` | `keys.value.uri` | | -| `arm\Microsoft.Network\applicationGateways\.parameters\parameters.json` | `sslCertificates.value.properties.keyVaultSecretId` | | -| `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `appSettingsKeyValuePairs.value.EASYAUTH_SECRET` | Key Vault secret URI without version | -| `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App | -| `arm\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app || -| `arm\Microsoft.ContainerInstance\containerGroups\.parameters\encr.parameters.json` | `cMKKeyVersion` | +| `modules\Microsoft.Compute\diskEncryptionSets\.parameters\parameters.json` |`keyUrl.value` | | +| `modules\Microsoft.Compute\virtualMachines\.parameters\linux.parameters.json` | 
`extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | +| `modules\Microsoft.Compute\virtualMachines\.parameters\windows.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | +| `modules\Microsoft.Compute\virtualMachineScaleSets\.parameters\linux.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | +| `modules\Microsoft.Compute\virtualMachineScaleSets\.parameters\windows.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | +| `modules\Microsoft.Sql\managedInstances\.parameters\parameters.json` | `keys.value.uri` | | +| `modules\Microsoft.Network\applicationGateways\.parameters\parameters.json` | `sslCertificates.value.properties.keyVaultSecretId` | | +| `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `appSettingsKeyValuePairs.value.EASYAUTH_SECRET` | Key Vault secret URI without version | +| `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App | +| `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app || +| `modules\Microsoft.ContainerInstance\containerGroups\.parameters\encr.parameters.json` | `cMKKeyVersion` | From f7a1a0cdf15a8eb938349a2b0728f3a8a8e990f0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:37:41 +0200 Subject: [PATCH 12/30] Updated versioning --- .../containerGroups/deploy.bicep | 12 ++++++++---- .../containerGroups/readme.md | 10 +++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 9f0184e370..4310ac4605 100644 
--- a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -66,13 +66,13 @@ param enableDefaultTelemetry bool = true ]) param sku string = 'Standard' -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKeyName\' is not empty.') +@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' -@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') +@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') @@ -99,6 +99,11 @@ resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = i scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) } +resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { + name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' = { name: name location: location 
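Review bot: The `cMKKeyVaultResourceId` description is downgraded to plain `Optional.`, yet the new `cMKKeyVaultKey` resource only exists when `!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)`, while `encryptionProperties` (outside this hunk) is gated on `!empty(cMKKeyName)` alone and dereferences `cmkKeyVault` and `cMKKeyVaultKey`; a caller who sets the key name without the vault ID most likely hits a `split('')` index error at template evaluation instead of a clear validation message. Keep the dependency explicit: `@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')`. The two `existing` references also use different API versions (`vaults@2021-06-01-preview` vs `vaults/keys@2021-10-01`); aligning both on the non-preview version avoids a preview dependency for a GA feature. The `cmkKeyVault` declaration starts outside the hunk.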
@@ -124,9 +129,8 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01' } ] encryptionProperties: !empty(cMKKeyName) ? { - // Customer-managed key keyName: cMKKeyName - keyVersion: cMKKeyVersion + keyVersion: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion vaultBaseUrl: cmkKeyVault.properties.vaultUri } : null imageRegistryCredentials: imageRegistryCredentials diff --git a/modules/Microsoft.ContainerInstance/containerGroups/readme.md b/modules/Microsoft.ContainerInstance/containerGroups/readme.md index ff4cbfdef3..169fe44cca 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/modules/Microsoft.ContainerInstance/containerGroups/readme.md 
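Review bot: `keyVersion` is now assigned a full key URL (`${keyUri}/${cMKKeyVersion}` or `keyUriWithVersion`) while `keyName` and `vaultBaseUrl` are passed as separate fields, so the property presumably expects only the version identifier — the old code passed `cMKKeyVersion` bare, and every example in this series uses a bare id such as `590ebf5b…`. Derive the bare version instead: `keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))`. The `containergroup` resource starts and ends outside the hunk.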
@@ -27,16 +27,12 @@ The top-level resource in Azure Container Instances is the container group. A co | `image` | string | Name of the image. | | `name` | string | Name for the container group. | -**Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. Required if 'cMKeyName' is not empty. | - **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKeyName' is not empty. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | `cpuCores` | int | `2` | | The number of CPU cores to allocate to the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `environmentVariables` | array | `[]` | | Environment variables of the container group. | @@ -214,7 +210,6 @@ userAssignedIdentities: { } } } - ``` @@ -237,6 +232,7 @@ module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bic cMKKeyName: 'keyEncryptionKey' cMKKeyVersion: '590ebf5bfd9948698e5286ab924249a0' } +} ``` From b244c172076b011cfea314b94c11d215cf5acaff Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:38:40 +0200 Subject: [PATCH 13/30] Update to latest --- ...ed - Scenario 2 Onboard module library and CI environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index ebb73f2116..2f5ee9dec2 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md @@ -400,7 +400,7 @@ Certain module may require you to perform additional actions if you want to use | Module | Condition | Actions | Opt-out | | - | - | - | - | -| arm\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | If you don't want to test the encryption properties or lack the capabilities to satisfy the requirements you can simply remove the `encr.parameters.json` parameter file from the module folder. | +| modules\Microsoft.ContainerInstance\containerGroups | If you want to test Customer-Managed-Key encryption using the `encr.parameters.json` file. | See [ref](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci) | If you don't want to test the encryption properties or lack the capabilities to satisfy the requirements you can simply remove the `encr.parameters.json` parameter file from the module folder. | # 7. (Optional) Convert library to ARM From cb129b0c4436d6d4d3a3353e90480cdca9a32857 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:38:56 +0200 Subject: [PATCH 14/30] Update to latest --- ...ted - Scenario 2 Onboard module library and CI environment.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index 2f5ee9dec2..ca7761c62b 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md @@ -390,7 +390,6 @@ For this reason, make sure to update the references in the following modules onc | `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `appSettingsKeyValuePairs.value.EASYAUTH_SECRET` | Key Vault secret URI without version | | `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App | | `modules\Microsoft.Web\sites\.parameters\fa.parameters.json` | `authSettingV2Configuration.value.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app | -| `modules\Microsoft.ContainerInstance\containerGroups\.parameters\encr.parameters.json` | `cMKKeyVersion` | From 1b6acc1246d8381b592e17cc5270df86d6d39006 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:42:14 +0200 Subject: [PATCH 15/30] Cleanup --- ...ted - Scenario 2 Onboard module library and CI environment.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index ca7761c62b..57e5b45153 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -380,7 +380,6 @@ For this reason, make sure to update the references in the following modules onc | File | Parameter | Notes | | - | - | - | -| `modules\Microsoft.Compute\diskEncryptionSets\.parameters\parameters.json` |`keyUrl.value` | | | `modules\Microsoft.Compute\virtualMachines\.parameters\linux.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | | `modules\Microsoft.Compute\virtualMachines\.parameters\windows.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | | `modules\Microsoft.Compute\virtualMachineScaleSets\.parameters\linux.parameters.json` | `extensionDiskEncryptionConfig.value.settings.KeyEncryptionKeyURL` | | From 89c478c61325d7fc28bf3395565e40d066a75660 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:45:54 +0200 Subject: [PATCH 16/30] Update to latest --- .../containerGroups/.parameters/encr.parameters.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json index 1c921a1440..a159afd8df 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ b/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json @@ -21,9 +21,6 @@ }, "cMKKeyName": { "value": "keyEncryptionKey" - }, - "cMKKeyVersion": { - "value": "590ebf5bfd9948698e5286ab924249a0" // ID must be updated for new keys } } } From 13e3a384288c14ab8c022078db76dcd569a96615 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 27 Jun 2022 19:48:57 +0200 Subject: [PATCH 17/30] Update to latest --- modules/Microsoft.ContainerInstance/containerGroups/readme.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/Microsoft.ContainerInstance/containerGroups/readme.md b/modules/Microsoft.ContainerInstance/containerGroups/readme.md index 169fe44cca..d7a993fb74 100644 
--- a/modules/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/modules/Microsoft.ContainerInstance/containerGroups/readme.md @@ -204,9 +204,6 @@ userAssignedIdentities: { }, "cMKKeyName": { "value": "keyEncryptionKey" - }, - "cMKKeyVersion": { - "value": "590ebf5bfd9948698e5286ab924249a0" // ID must be updated for new keys } } } @@ -230,7 +227,6 @@ module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bic } cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' cMKKeyName: 'keyEncryptionKey' - cMKKeyVersion: '590ebf5bfd9948698e5286ab924249a0' } } ``` From e10655ee77b92c6d2e678faf8afb2c01c65d6b58 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 2 Dec 2022 21:45:01 +0100 Subject: [PATCH 18/30] Update to latest --- .../.test/encr/dependencies.bicep | 60 +++++++++ .../.test/encr/deploy.test.bicep | 117 ++++++++++++++++++ .../containerGroups/deploy.bicep | 3 +- 3 files changed, 179 insertions(+), 1 deletion(-) create mode 100644 modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep create mode 100644 modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep new file mode 100644 index 0000000000..34e61cedc6 --- /dev/null +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep 
@@ -0,0 +1,60 @@
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Key Vault to create.')
+@minLength(3)
+@maxLength(24)
+param keyVaultName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: true // Required by batch account
+ softDeleteRetentionInDays: 7
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+
+ resource key 'keys@2022-07-01' = {
+ name: 'keyEncryptionKey'
+ properties: {
+ kty: 'RSA'
+ }
+ }
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
+ scope: keyVault::key
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
+ principalType: 'ServicePrincipal'
+ }
+}
+
+@description('The resource ID of the created managed identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The name of the Key Vault Encryption Key.')
+output keyVaultEncryptionKeyName string = keyVault::key.name
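Review bot: `keyPermissions` grants `Key Vault Crypto User` (`12338af0-…`), which allows encrypt/decrypt/sign/verify/wrap/unwrap on the key, whereas a service consuming a customer-managed key only needs get/wrapKey/unwrapKey; the least-privilege built-in role for that is `Key Vault Crypto Service Encryption User`, i.e. `roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User`. The guid seed says `Key-Reader-RoleAssignment` and `enablePurgeProtection` is annotated `// Required by batch account`, both copy-paste leftovers in a container-group test; rename the seed after the role actually granted and reword the comment (e.g. `// Purge protection is required for customer-managed-key usage`, if that is the reason) or drop it. Note also that the grant targets only the user-assigned identity; per the docs linked earlier in this series it is the ACI service principal that unwraps the key, so this grant alone may not be what the encrypted deployment needs — verify before relying on it.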
diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep new file mode 100644 index 0000000000..78d1415326 --- /dev/null +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep 
@@ -0,0 +1,117 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.containerinstance.containergroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cicgecr' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module resourceGroupResources 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + managedIdentityName: 'dep-<>-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-<>-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../deploy.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '<>${serviceShort}001' + lock: 'CanNotDelete' + containers: [ + { + name: '<>-az-aci-x-001' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + 
{ + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: '<>-az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + ipAddressPorts: [ + { + protocol: 'Tcp' + port: 80 + } + { + protocol: 'Tcp' + port: 443 + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${resourceGroupResources.outputs.managedIdentityResourceId}': {} + } + cMKKeyName: resourceGroupResources.outputs.keyVaultEncryptionKeyName + cMKKeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId + } +} diff --git a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep index f7a42cb1c3..7525be614f 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -96,7 +96,8 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-10-01' sku: sku encryptionProperties: !empty(cMKKeyName) ? { keyName: cMKKeyName - keyVersion: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion + // keyVersion: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion + keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/')) vaultBaseUrl: cmkKeyVault.properties.vaultUri } : null containers: containers From bc6535754afbbad29a694f6ebfa80be60593ea6c Mon Sep 17 00:00:00 2001 
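Review bot: The container `ports` entries pass the port as a string (`port: '80'`, `'443'`, `'8080'`) while `ipAddressPorts` passes the same values as integers (`port: 80`); the container-level port property is presumably numeric like the group-level one, so normalize to `port: 80` etc. rather than relying on implicit coercion. The call also sets `systemAssignedIdentity: true` next to a user-assigned identity, and a description removed earlier in this series said CMK cannot be combined with a system-assigned identity — if that restriction was lifted rather than merely deleted from the docs, fine, otherwise one of the two should go.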
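Review bot: The replaced `keyVersion` expression is kept as a commented-out line directly above the new one; delete it rather than leaving dead code in the resource body. Worth documenting as well: whether `cMKKeyVersion` is supplied or resolved from `keyUriWithVersion`, the container group is bound to one fixed key version at deployment time, so a rotation in Key Vault is not picked up until the module is redeployed; the `cMKKeyVersion` description (outside this hunk) currently says only `If not provided, the latest key version is used` and should add `The resolved version is pinned on the resource; redeploy after rotating the key.`. The `containergroup` resource starts and ends outside the hunk.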
From: AlexanderSehr Date: Wed, 21 Dec 2022 15:59:03 +0100 Subject: [PATCH 19/30] cleanup --- .../.parameters/encr.parameters.json | 26 --- .../containerGroups/readme.md | 187 +++++++++++++++++- 2 files changed, 186 insertions(+), 27 deletions(-) delete mode 100644 modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json b/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json deleted file mode 100644 index a159afd8df..0000000000 --- a/modules/Microsoft.ContainerInstance/containerGroups/.parameters/encr.parameters.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-acg-ecnr-001" - }, - "containerName": { - "value": "<>-az-aci-x-001" - }, - "image": { - "value": "mcr.microsoft.com/azuredocs/aci-helloworld" - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, - "cMKKeyName": { - "value": "keyEncryptionKey" - } - } -} diff --git a/modules/Microsoft.ContainerInstance/containerGroups/readme.md b/modules/Microsoft.ContainerInstance/containerGroups/readme.md index 5e016c8481..be6d323a44 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/modules/Microsoft.ContainerInstance/containerGroups/readme.md @@ -359,7 +359,192 @@ module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bic

-

Example 2: Min

+

Example 2: Encr

+ +
+ +via Bicep module + +```bicep +module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-test-cicgecr' + params: { + // Required parameters + containers: [ + { + name: '<>-az-aci-x-001' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: '<>-az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + name: '<>cicgecr001' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + enableDefaultTelemetry: '' + ipAddressPorts: [ + { + port: 80 + protocol: 'Tcp' + } + { + port: 443 + protocol: 'Tcp' + } + ] + lock: 'CanNotDelete' + systemAssignedIdentity: true + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "name": "<>-az-aci-x-001", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "80", + "protocol": "Tcp" + }, + { + "port": "443", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + }, + { + "name": "<>-az-aci-x-002", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "8080", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + } + ] + }, + "name": { + "value": "<>cicgecr001" + }, + // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddressPorts": { + "value": [ + { + "port": 80, + "protocol": "Tcp" + }, + { + "port": 443, + "protocol": "Tcp" + } + ] + }, + "lock": { + "value": "CanNotDelete" + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ +

Example 3: Min

From ff0f10e27edc8e277075781824779d6330648f31 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Wed, 21 Dec 2022 16:47:26 +0100 Subject: [PATCH 20/30] Latest somehow working --- .../.test/encr/dependencies.bicep | 38 +++++++++++++++++-- .../.test/encr/deploy.test.bicep | 2 +- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep index 34e61cedc6..e1997ce40e 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep 
@@ -40,12 +40,44 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } } +// resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { +// name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') +// scope: keyVault::key +// properties: { +// principalId: managedIdentity.properties.principalId +// roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User +// principalType: 'ServicePrincipal' +// } +// } + resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key Vault Crypto User') + scope: keyVault properties: { principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +// resource keyPermissions_2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { +// name: guid('msi-${keyVault::key.id}-${location}-6bb8e274-af5d-4df2-98a3-4fd78b4cafd9-Key-Reader-RoleAssignment') +// scope: keyVault::key +// properties: { +// principalId: '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9' +// roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User +// principalType: 'ServicePrincipal' +// } +// } + +resource keyPermissions_2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + // name: 
guid('msi-${keyVault::key.id}-${location}-6bb8e274-af5d-4df2-98a3-4fd78b4cafd9-Key Vault Crypto User') + name: guid('msi-${keyVault::key.id}-${location}-8b659b68-1eb9-4ea5-ab00-a6a182520436-4fd78b4cafd9-Key Vault Crypto User') + scope: keyVault + properties: { + // principalId: '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9' // AppId + principalId: '8b659b68-1eb9-4ea5-ab00-a6a182520436' // Obj Id + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User principalType: 'ServicePrincipal' } } diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep index 78d1415326..2e27af1bc5 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep @@ -14,7 +14,7 @@ param location string = deployment().location param serviceShort string = 'cicgecr' @description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') +param baseTime string = 'alsehr2112222' // utcNow('u') @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 6ff98719dcd26f3b5cc23e47b03e27f7ac718611 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Wed, 21 Dec 2022 17:35:59 +0100 Subject: [PATCH 21/30] Updated docs --- ...board module library and CI environment.md | 12 ++++-- .../.test/encr/dependencies.bicep | 39 ++----------------- .../.test/encr/deploy.test.bicep | 2 +- 3 files changed, 14 insertions(+), 39 deletions(-) diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index 1d2637456b..0a4c372c09 100644 
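Review bot: `keyPermissions_2` hard-codes the object ID `8b659b68-1eb9-4ea5-ab00-a6a182520436`, which is the service-principal object ID of the `Azure Container Instance Service` application in one specific tenant; such object IDs differ per tenant (only the application ID `6bb8e274-…` is global), so this test can only deploy in the author's tenant. Make it an input instead: `@description('Required. The object ID of the Azure Container Instance Service service principal in this tenant.')`, `param aciServicePrincipalObjectId string`, and `principalId: aciServicePrincipalObjectId`, supplied from `deploy.test.bicep`. Both assignments are now scoped to the whole vault rather than `keyVault::key`; if vault scope was only needed to get past an error, record that in a comment, otherwise key scope is the tighter grant. The two commented-out earlier attempts and the stray `-4fd78b4cafd9` fragment in the guid seed should be removed before merge.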
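Review bot: `baseTime` now defaults to the literal `'alsehr2112222'` instead of `utcNow('u')`, which removes the per-run uniqueness that the comment on `keyVaultName` in the enclosing file asks for; because the vault is purge-protected, the next run collides with the soft-deleted vault of the same name. Revert to `param baseTime string = utcNow('u')` before merge. The rest of the test deployment lies outside the hunk.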
--- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -383,9 +383,15 @@ Finally, the elements described above must further be configured in the followin | File | Parameter | Notes | | - | - | - | -| `modules\Microsoft.Web\sites\.test\common\deploy.bicep` | `appSettingsKeyValuePairs.EASYAUTH_SECRET` | Key Vault secret URI without version (e.g., 'https://Test-KeyVault.vault.azure.net/secrets/aBcDeFghIjK69Ln') | -| `modules\Microsoft.Web\sites\.test\common\deploy.bicep` | `authSettingV2Configuration.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App (e.g., '11111111-1111-1111-1111-11111111111') | -| `modules\Microsoft.Web\sites\.test\common\deploy.bicep` | `authSettingV2Configuration.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app (e.g., 'api://11111111-1111-1111-1111-11111111111') | +| `modules/Microsoft.Web/sites/.test/common/deploy.bicep` | `appSettingsKeyValuePairs.EASYAUTH_SECRET` | Key Vault secret URI without version (e.g., 'https://Test-KeyVault.vault.azure.net/secrets/aBcDeFghIjK69Ln') | +| `modules/Microsoft.Web/sites/.test/common/deploy.bicep` | `authSettingV2Configuration.identityProviders.azureActiveDirectory.registration.clientId` | App ID from the Azure Active Directory App (e.g., '11111111-1111-1111-1111-11111111111') | +| `modules/Microsoft.Web/sites/.test/common/deploy.bicep` | `authSettingV2Configuration.identityProviders.azureActiveDirectory.validation.allowedAudiences` | API endpoint from the Azure Active Directory app (e.g., 'api://11111111-1111-1111-1111-11111111111') | + +### Microsoft.ContainerInstance/containerGroup + +To successfully run the Customer-Managed-Keys encryption test `encr/deploy.test.bicep` of the Container Instance module, you need to register a Service Principal instance of the `Azure Container Instance Service` Azure application in your test Tenant using the command `New-AzADServicePrincipal -ApplicationId '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9'`. 
For further information, please refer to the [offical docs](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci). + +Once the Service Principal was created, please update the `properties/principalId` of the `keyPermissions` deployment in the dependencies file `modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep` with its object ID. You can fetch the object ID using the command `(Get-AzADServicePrincipal -DisplayName 'Azure Container Instance Service').Id`. # 5. (Optional) Convert library to ARM diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep index e1997ce40e..4e6fad3b79 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep 
@@ -40,44 +40,13 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } } -// resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { -// name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') -// scope: keyVault::key -// properties: { -// principalId: managedIdentity.properties.principalId -// roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User -// principalType: 'ServicePrincipal' -// } -// } - +// Ref: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key Vault Crypto User') - scope: keyVault - properties: { - principalId: managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User - principalType: 'ServicePrincipal' - } -} - -// resource keyPermissions_2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { -// name: guid('msi-${keyVault::key.id}-${location}-6bb8e274-af5d-4df2-98a3-4fd78b4cafd9-Key-Reader-RoleAssignment') -// scope: keyVault::key -// properties: { -// principalId: '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9' -// roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User -// principalType: 'ServicePrincipal' -// } -// } - -resource keyPermissions_2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - // name: guid('msi-${keyVault::key.id}-${location}-6bb8e274-af5d-4df2-98a3-4fd78b4cafd9-Key Vault Crypto User') - name: 
guid('msi-${keyVault::key.id}-${location}-8b659b68-1eb9-4ea5-ab00-a6a182520436-4fd78b4cafd9-Key Vault Crypto User') + name: guid('msi-${keyVault::key.id}-${location}-Azure Container Instance Service-Key Vault Crypto User') scope: keyVault properties: { - // principalId: '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9' // AppId - principalId: '8b659b68-1eb9-4ea5-ab00-a6a182520436' // Obj Id - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalId: '8b659b68-1eb9-4ea5-ab00-a6a182520436' // 'Azure Container Instance Service' Service Principal Object Id + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User. Allows Keys: get, list, wrap key, unwrap key principalType: 'ServicePrincipal' } } diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep index 2e27af1bc5..78d1415326 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/deploy.test.bicep @@ -14,7 +14,7 @@ param location string = deployment().location param serviceShort string = 'cicgecr' @description('Generated. Used as a basis for unique resource names.') -param baseTime string = 'alsehr2112222' // utcNow('u') +param baseTime string = utcNow('u') @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 7b18342dc10ce548ff40ca8124812427d2d0951c Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Wed, 21 Dec 2022 17:40:04 +0100 Subject: [PATCH 22/30] Update to latest --- ... - Scenario 2 Onboard module library and CI environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
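Review bot: The `principalId` on the new side of `keyPermissions` is a hard-coded object ID, and a service principal's object ID is specific to the tenant it was registered in, so in any other test tenant the assignment will not match the real 'Azure Container Instance Service' principal (the deployment either fails with a principal-not-found error or, because `principalType` is given, creates an orphaned assignment); the same literal is carried forward in the patch 30/30 hunk of this file, which only changes the comment. Exposing it as a parameter keeps the tenant-specific value out of source and turns the wiki instruction into a parameter value: `@description('Required. Object ID of the "Azure Container Instance Service" service principal in the target tenant.')` / `param aciServicePrincipalObjectId string` at the top of the file (outside this hunk) and `principalId: aciServicePrincipalObjectId` here. The assignment is also scoped to the whole vault (`scope: keyVault`) although the role is only needed to wrap/unwrap the single test key; the commented-out variant that this hunk deletes used `scope: keyVault::key`, which is the narrower choice if ACI accepts a key-scoped assignment — worth confirming rather than defaulting to vault scope. Finally, the `guid(...)` name still says 'Key Vault Crypto User' while the role assigned is Key Vault Crypto Service Encryption User; naming the assignment after the role actually granted avoids a misleading resource name in the portal.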
diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index 0a4c372c09..e6bbcbdbad 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -389,9 +389,9 @@ Finally, the elements described above must further be configured in the followin ### Microsoft.ContainerInstance/containerGroup -To successfully run the Customer-Managed-Keys encryption test `encr/deploy.test.bicep` of the Container Instance module, you need to register a Service Principal instance of the `Azure Container Instance Service` Azure application in your test Tenant using the command `New-AzADServicePrincipal -ApplicationId '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9'`. For further information, please refer to the [offical docs](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci). +To successfully run the Customer-Managed-Keys encryption test `encr/deploy.test.bicep` of the Container Instance module, you need to register a Service Principal instance of the `Azure Container Instance Service` Azure application in your test Tenant using the command `New-AzADServicePrincipal -ApplicationId '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9'`. For further information, please refer to the official[docs](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci). -Once the Service Principal was created, please update the `properties/principalId` of the `keyPermissions` deployment in the dependencies file `modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep` with its object ID. You can fetch the object ID using the command `(Get-AzADServicePrincipal -DisplayName 'Azure Container Instance Service').Id`. +Once the Service Principal is created, please update the `properties/principalId` of the `keyPermissions` deployment in the dependencies file `modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep` with its object ID. You can fetch the object ID using the command `(Get-AzADServicePrincipal -DisplayName 'Azure Container Instance Service').Id`. # 5. 
(Optional) Convert library to ARM From 41fd8aa115eed8e34c6a3f171cc4dda577724dfe Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Fri, 23 Dec 2022 08:05:27 +0000 Subject: [PATCH 23/30] Push updated API Specs file --- utilities/src/apiSpecsList.json | 42 ++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 07e8bc8b14..c8079cddd2 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -3337,7 +3337,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/bandwidthSchedules": [ "2019-03-01", @@ -3352,21 +3353,24 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/diagnosticProactiveLogCollectionSettings": [ "2021-02-01", "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/diagnosticRemoteSupportSettings": [ "2021-02-01", "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/orders": [ "2019-03-01", @@ -3381,7 +3385,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/roles": [ "2019-03-01", @@ -3396,7 +3401,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/roles/addons": [ "2020-09-01", @@ -3407,7 +3413,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/roles/monitoringConfig": [ "2020-09-01", 
@@ -3418,7 +3425,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/shares": [ "2019-03-01", @@ -3433,7 +3441,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/storageAccountCredentials": [ "2019-03-01", @@ -3448,7 +3457,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/storageAccounts": [ "2019-08-01", @@ -3461,7 +3471,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/storageAccounts/containers": [ "2019-08-01", @@ -3474,7 +3485,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/triggers": [ "2019-03-01", @@ -3489,7 +3501,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ], "dataBoxEdgeDevices/users": [ "2019-03-01", @@ -3504,7 +3517,8 @@ "2021-06-01", "2021-06-01-preview", "2022-03-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2022-12-01-preview" ] }, "Microsoft.Databricks": { From ffb7c03ac7fb3e094af2b610da446fb59c6f0672 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 23 Dec 2022 09:22:50 +0100 Subject: [PATCH 24/30] Small fixes --- .../containerGroups/deploy.bicep | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 5b6f3db480..102f82d098 100644 --- a/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/modules/Microsoft.ContainerInstance/containerGroups/deploy.bicep 
@@ -102,17 +102,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var dnsConfig = !empty(dnsNameServers) ? { - nameServers: dnsNameServers - searchDomains: dnsSearchDomains -} : null - -var subnetIds = !empty(subnetId) ? [ - { - id: subnetId - } -] : null - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { @@ -142,7 +131,6 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-10-01' tags: tags properties: union({ containers: containers - dnsConfig: dnsConfig encryptionProperties: !empty(cMKKeyName) ? { keyName: cMKKeyName keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/')) @@ -159,10 +147,17 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-10-01' ports: ipAddressPorts } sku: sku - subnetIds: subnetIds + subnetIds: !empty(subnetId) ? [ + { + id: subnetId + } + ] : null volumes: volumes }, !empty(dnsNameServers) ? { - dnsConfig: dnsConfig + dnsConfig: { + nameServers: dnsNameServers + searchDomains: dnsSearchDomains + } } : {}) } From 7ec486bd3115196ffb2faa3d89db9e19bc9a7cf2 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Fri, 23 Dec 2022 08:31:48 +0000 Subject: [PATCH 25/30] Push updated API Specs file --- utilities/src/apiSpecsList.json | 38 ++++++++++++++++----------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 29b36e43d4..c8079cddd2 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -2046,7 +2046,7 @@ ] }, "Microsoft.Cdn": { - "CdnWebApplicationFirewallPolicies": [ + "cdnWebApplicationFirewallPolicies": [ "2019-06-15", "2019-06-15-preview", "2020-03-31", 
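Review bot: In the third hunk `subnetIds` is inlined as a nullable property of the base object while `dnsConfig` is merged via `union` only when `dnsNameServers` is non-empty; the two optional properties are now handled in two different ways on adjacent lines and nothing explains why, so the next maintainer is likely to "normalise" one to the other. A one-line comment above the `union` would pin the intent: `// dnsConfig is merged conditionally instead of being set to null — presumably the API rejects a null dnsConfig; confirm before changing`. The first hunk's removal of the `dnsConfig`/`subnetIds` variables and the second hunk's removal of the duplicate `dnsConfig` key from the base object are consistent with that, and the resource definition starts outside these hunks.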
@@ -3882,7 +3882,7 @@ "2018-06-01-privatepreview" ] }, - "Microsoft.DBforMySQL": { + "Microsoft.DBForMySql": { "flexibleServers": [ "2020-07-01-preview", "2020-07-01-privatepreview", @@ -3919,7 +3919,7 @@ "2017-12-01-preview", "2018-06-01-privatepreview" ], - "servers/Administrators": [ + "servers/administrators": [ "2017-12-01", "2017-12-01-preview", "2018-06-01-privatepreview" @@ -6040,7 +6040,7 @@ "2016-05-01" ] }, - "microsoft.insights": { + "Microsoft.Insights": { "actionGroups": [ "2017-04-01", "2018-03-01", @@ -7966,7 +7966,7 @@ "2020-04-01-preview", "2022-07-01" ], - "dnszones": [ + "dnsZones": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7974,7 +7974,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/A": [ + "dnsZones/A": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7982,7 +7982,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/AAAA": [ + "dnsZones/AAAA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7996,7 +7996,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/CNAME": [ + "dnsZones/CNAME": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8004,7 +8004,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/MX": [ + "dnsZones/MX": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8012,7 +8012,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/NS": [ + "dnsZones/NS": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8020,7 +8020,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/PTR": [ + "dnsZones/PTR": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8028,7 +8028,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/SOA": [ + "dnsZones/SOA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8036,7 +8036,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/SRV": [ + "dnsZones/SRV": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", 
@@ -8044,7 +8044,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/TXT": [ + "dnsZones/TXT": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -11218,17 +11218,17 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/authorizationRules": [ + "namespaces/AuthorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/hybridConnections": [ + "namespaces/HybridConnections": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/hybridConnections/authorizationRules": [ + "namespaces/HybridConnections/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" @@ -11241,12 +11241,12 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/wcfRelays": [ + "namespaces/WcfRelays": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/wcfRelays/authorizationRules": [ + "namespaces/WcfRelays/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" From ebd770165c0bce58e1d3acc23c0804e816a9baaf Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 23 Dec 2022 09:38:10 +0100 Subject: [PATCH 26/30] Update to latest --- utilities/src/apiSpecsList.json | 40 ++++++++++++++++----------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index c8079cddd2..0f525d6e0f 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -2046,7 +2046,7 @@ ] }, "Microsoft.Cdn": { - "cdnWebApplicationFirewallPolicies": [ + "CdnWebApplicationFirewallPolicies": [ "2019-06-15", "2019-06-15-preview", "2020-03-31", @@ -3882,7 +3882,7 @@ "2018-06-01-privatepreview" ] }, - "Microsoft.DBForMySql": { + "Microsoft.DBforMySQL": { "flexibleServers": [ "2020-07-01-preview", "2020-07-01-privatepreview", @@ -3919,7 +3919,7 @@ "2017-12-01-preview", "2018-06-01-privatepreview" ], - "servers/administrators": [ + "servers/Administrators": [ "2017-12-01", "2017-12-01-preview", "2018-06-01-privatepreview" 
@@ -6040,7 +6040,7 @@ "2016-05-01" ] }, - "Microsoft.Insights": { + "microsoft.insights": { "actionGroups": [ "2017-04-01", "2018-03-01", @@ -7966,7 +7966,7 @@ "2020-04-01-preview", "2022-07-01" ], - "dnsZones": [ + "dnszones": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7974,7 +7974,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/A": [ + "dnszones/A": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7982,7 +7982,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/AAAA": [ + "dnszones/AAAA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7996,7 +7996,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/CNAME": [ + "dnszones/CNAME": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8004,7 +8004,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/MX": [ + "dnszones/MX": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8012,7 +8012,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/NS": [ + "dnszones/NS": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8020,7 +8020,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/PTR": [ + "dnszones/PTR": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8028,7 +8028,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/SOA": [ + "dnszones/SOA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8036,7 +8036,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/SRV": [ + "dnszones/SRV": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8044,7 +8044,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnsZones/TXT": [ + "dnszones/TXT": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", 
@@ -11218,17 +11218,17 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/AuthorizationRules": [ + "namespaces/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/HybridConnections": [ + "namespaces/hybridConnections": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/HybridConnections/authorizationRules": [ + "namespaces/hybridConnections/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" @@ -11241,12 +11241,12 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/WcfRelays": [ + "namespaces/wcfRelays": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/WcfRelays/authorizationRules": [ + "namespaces/wcfRelays/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" @@ -15215,4 +15215,4 @@ "2021-12-01-preview" ] } -} +} \ No newline at end of file From 3b8f916c7975f83d31c9fc006a315eb9070e96af Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 23 Dec 2022 09:39:18 +0100 Subject: [PATCH 27/30] Update to latest --- utilities/src/apiSpecsList.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 0f525d6e0f..29b36e43d4 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -15215,4 +15215,4 @@ "2021-12-01-preview" ] } -} \ No newline at end of file +} From cd104fb1ff2089cdd429d9cafe413b3cf3df6450 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Fri, 23 Dec 2022 08:41:51 +0000 Subject: [PATCH 28/30] Push updated API Specs file --- utilities/src/apiSpecsList.json | 38 ++++++++++++++++----------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 29b36e43d4..c8079cddd2 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json 
@@ -2046,7 +2046,7 @@ ] }, "Microsoft.Cdn": { - "CdnWebApplicationFirewallPolicies": [ + "cdnWebApplicationFirewallPolicies": [ "2019-06-15", "2019-06-15-preview", "2020-03-31", @@ -3882,7 +3882,7 @@ "2018-06-01-privatepreview" ] }, - "Microsoft.DBforMySQL": { + "Microsoft.DBForMySql": { "flexibleServers": [ "2020-07-01-preview", "2020-07-01-privatepreview", @@ -3919,7 +3919,7 @@ "2017-12-01-preview", "2018-06-01-privatepreview" ], - "servers/Administrators": [ + "servers/administrators": [ "2017-12-01", "2017-12-01-preview", "2018-06-01-privatepreview" @@ -6040,7 +6040,7 @@ "2016-05-01" ] }, - "microsoft.insights": { + "Microsoft.Insights": { "actionGroups": [ "2017-04-01", "2018-03-01", @@ -7966,7 +7966,7 @@ "2020-04-01-preview", "2022-07-01" ], - "dnszones": [ + "dnsZones": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7974,7 +7974,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/A": [ + "dnsZones/A": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7982,7 +7982,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/AAAA": [ + "dnsZones/AAAA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -7996,7 +7996,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/CNAME": [ + "dnsZones/CNAME": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8004,7 +8004,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/MX": [ + "dnsZones/MX": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8012,7 +8012,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/NS": [ + "dnsZones/NS": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8020,7 +8020,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/PTR": [ + "dnsZones/PTR": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8028,7 +8028,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/SOA": [ + "dnsZones/SOA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", 
@@ -8036,7 +8036,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/SRV": [ + "dnsZones/SRV": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -8044,7 +8044,7 @@ "2018-03-01-preview", "2018-05-01" ], - "dnszones/TXT": [ + "dnsZones/TXT": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -11218,17 +11218,17 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/authorizationRules": [ + "namespaces/AuthorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/hybridConnections": [ + "namespaces/HybridConnections": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/hybridConnections/authorizationRules": [ + "namespaces/HybridConnections/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" @@ -11241,12 +11241,12 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/wcfRelays": [ + "namespaces/WcfRelays": [ "2016-07-01", "2017-04-01", "2021-11-01" ], - "namespaces/wcfRelays/authorizationRules": [ + "namespaces/WcfRelays/authorizationRules": [ "2016-07-01", "2017-04-01", "2021-11-01" From 583814266b3910aab4e9122a1560ea1dff7f72ff Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Tue, 3 Jan 2023 21:41:40 +0100 Subject: [PATCH 29/30] Update docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- ...ed - Scenario 2 Onboard module library and CI environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index e6bbcbdbad..dd5e40a080 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -389,7 +389,7 @@ Finally, the elements described above must further be configured in the followin ### Microsoft.ContainerInstance/containerGroup -To successfully run the Customer-Managed-Keys encryption test `encr/deploy.test.bicep` of the Container Instance module, you need to register a Service Principal instance of the `Azure Container Instance Service` Azure application in your test Tenant using the command `New-AzADServicePrincipal -ApplicationId '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9'`. For further information, please refer to the official[docs](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci). +To successfully run the Customer-Managed-Keys encryption test `encr/deploy.test.bicep` of the Container Instance module, you first need to register a Service Principal instance of the `Azure Container Instance Service` Azure application in your test Tenant. This can be achieved, for example, by running the command `New-AzADServicePrincipal -ApplicationId '6bb8e274-af5d-4df2-98a3-4fd78b4cafd9'`. For further information, please refer to the official [docs](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-encrypt-data#create-service-principal-for-aci). Once the Service Principal is created, please update the `properties/principalId` of the `keyPermissions` deployment in the dependencies file `modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep` with its object ID. You can fetch the object ID using the command `(Get-AzADServicePrincipal -DisplayName 'Azure Container Instance Service').Id`. From ebbe74928e55024a3974d28b92ab6518346933fc Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Tue, 3 Jan 2023 21:41:48 +0100 Subject: [PATCH 30/30] Update modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 .../containerGroups/.test/encr/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep
index 4e6fad3b79..6556bed151 100644
--- a/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep
+++ b/modules/Microsoft.ContainerInstance/containerGroups/.test/encr/dependencies.bicep
@@ -45,7 +45,7 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 name: guid('msi-${keyVault::key.id}-${location}-Azure Container Instance Service-Key Vault Crypto User')
 scope: keyVault
 properties: {
- principalId: '8b659b68-1eb9-4ea5-ab00-a6a182520436' // 'Azure Container Instance Service' Service Principal Object Id
+ principalId: '8b659b68-1eb9-4ea5-ab00-a6a182520436' // Replace with your tenant 'Azure Container Instance Service' Service Principal Object Id
 roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User. Allows Keys: get, list, wrap key, unwrap key
 principalType: 'ServicePrincipal'
 }