diff --git a/modules/Microsoft.DataFactory/factories/.test/parameters.json b/modules/Microsoft.DataFactory/factories/.test/parameters.json
index f686b88025..e1fa770665 100644
--- a/modules/Microsoft.DataFactory/factories/.test/parameters.json
+++ b/modules/Microsoft.DataFactory/factories/.test/parameters.json
@@ -24,7 +24,7 @@
 }
 },
 "publicNetworkAccess": {
- "value": true
+ "value": "Disabled"
 },
 "gitConfigureLater": {
 "value": true
@@ -61,6 +61,23 @@
 "value": {
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 }
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
+ "service": "dataFactory"
+ }
+ ]
+ },
+ "cMKUserAssignedIdentityResourceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
+ "cMKKeyName": {
+ "value": "keyEncryptionKey"
+ },
+ "cMKKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002"
 }
 }
 }
diff --git a/modules/Microsoft.DataFactory/factories/deploy.bicep b/modules/Microsoft.DataFactory/factories/deploy.bicep
index 3046acdaa9..19383e59fd 100644
--- a/modules/Microsoft.DataFactory/factories/deploy.bicep
+++ b/modules/Microsoft.DataFactory/factories/deploy.bicep
@@ -10,8 +10,12 @@ param integrationRuntime object = {}
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Enable or disable public network access.')
-param publicNetworkAccess bool = true
+@description('Optional. Whether or not public network access is allowed for this resource.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+param publicNetworkAccess string = 'Disabled'
 
 @description('Optional. Boolean to define whether or not to configure git during template deployment.')
 param gitConfigureLater bool = true
@@ -65,6 +69,21 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
 
+@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+param privateEndpoints array = []
+
+@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+param cMKKeyVaultResourceId string = ''
+
+@description('Optional. The name of the customer managed key to use for encryption.')
+param cMKKeyName string = ''
+
+@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
+param cMKKeyVersion string = ''
+
+@description('Optional. User assigned identity to use when fetching the customer managed key.')
+param cMKUserAssignedIdentityResourceId string = ''
+
 @description('Optional. The name of logs that will be streamed.')
 @allowed([
 'ActivityRuns'
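Review bot: The new `@description` on `publicNetworkAccess` does not say that the default is now `'Disabled'`, which silently changes the network posture for callers that previously relied on the `bool = true` default: callers still passing a bool fail at compile time, but callers that omit the parameter now get a factory with no public ingress. Suggest stating this in the decorator: `@description('Optional. Whether or not public network access is allowed for this resource. Defaults to Disabled, in which case the factory is reachable only through private endpoints (see privateEndpoints).')`.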
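Review bot: The descriptions of the `cMK*` parameters do not state that `cMKKeyVaultResourceId` and `cMKUserAssignedIdentityResourceId` are required whenever `cMKKeyName` is set, although the `encryption` block added to the factory resource later in this diff uses both unconditionally once the key name is non-empty. Suggest appending `Required if cMKKeyName is set.` to the vault and identity descriptions, and noting on `cMKUserAssignedIdentityResourceId` that the identity is expected to also appear in `userAssignedIdentities` and to hold key get/wrap/unwrap access on the vault (confirm against the Data Factory CMK requirements). Separately, nothing in the shown hunks consumes `privateEndpoints` beyond the fallback in the factory properties; if the private endpoint deployment lives outside these hunks this is fine, otherwise the parameter is accepted without effect.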
@@ -137,6 +156,11 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split(cMKKeyVaultResourceId, '/'))
+ scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -155,8 +179,24 @@ resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = {
 tags: tags
 identity: identity
 properties: {
- repoConfiguration: bool(gitConfigureLater) ? null : json('{"type": "${gitRepoType}","accountName": "${gitAccountName}","repositoryName": "${gitRepositoryName}",${((gitRepoType == 'FactoryVSTSConfiguration') ? '"projectName": "${gitProjectName}",' : '')}"collaborationBranch": "${gitCollaborationBranch}","rootFolder": "${gitRootFolder}"}')
- publicNetworkAccess: bool(publicNetworkAccess) ? 'Enabled' : 'Disabled'
+ repoConfiguration: bool(gitConfigureLater) ? null : union({
+ type: gitRepoType
+ accountName: gitAccountName
+ repositoryName: gitRepositoryName
+ collaborationBranch: gitCollaborationBranch
+ rootFolder: gitRootFolder
+ }, (gitRepoType == 'FactoryVSTSConfiguration' ? {
+ projectName: gitProjectName
+ } : {}), {})
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
+ encryption: !empty(cMKKeyName) ? {
+ identity: {
+ userAssignedIdentity: cMKUserAssignedIdentityResourceId
+ }
+ keyName: cMKKeyName
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : null
+ vaultBaseUrl: cMKKeyVault.properties.vaultUri
+ } : null
 }
 }
 
diff --git a/modules/Microsoft.DataFactory/factories/readme.md b/modules/Microsoft.DataFactory/factories/readme.md
index be5e3ef51e..16527bdac5 100644
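Review bot: The `existing` reference `cMKKeyVault` is only resolved when `cMKKeyVaultResourceId` is non-empty, while the `encryption` block in the next hunk reads `cMKKeyVault.properties.vaultUri` whenever `cMKKeyName` is non-empty, so a caller who sets the key name but not the vault ID fails at deployment time instead of at validation. Failing is the right outcome for a half-configured CMK (deploying without the requested encryption would be worse), but the coupling should be made explicit, e.g. a comment above the resource: `// Resolved only when a vault ID is given; the encryption block below requires cMKKeyName, cMKKeyVaultResourceId and cMKUserAssignedIdentityResourceId to be set together.` The `split(...)[2]`/`[4]` scope derivation also assumes a full ARM resource ID; a bare vault name or a shorter ID fails on the array index at deploy time, which is worth stating in the parameter description.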
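Review bot: The fallback `(!empty(privateEndpoints) ? 'Disabled' : null)` on the new `publicNetworkAccess` line is unreachable: the parameter is declared `string = 'Disabled'` with `@allowed(['Enabled', 'Disabled'])`, so `empty(publicNetworkAccess)` can never be true and the `any()` cast is not needed either. Either reduce the line to `publicNetworkAccess: publicNetworkAccess`, or add `''` to the allowed values so an explicit empty string defers to the private-endpoint heuristic; as written, a reader may believe the heuristic is active when it is not. The `resource dataFactory` block starts outside the hunk.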
--- a/modules/Microsoft.DataFactory/factories/readme.md +++ b/modules/Microsoft.DataFactory/factories/readme.md @@ -28,6 +28,10 @@ **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[ActivityRuns, PipelineRuns, TriggerRuns, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageEventMessageContext, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, SSISIntegrationRuntimeLogs]` | `[ActivityRuns, PipelineRuns, TriggerRuns, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageEventMessageContext, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, SSISIntegrationRuntimeLogs]` | The name of logs that will be streamed. | 
@@ -48,7 +52,8 @@ | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `managedVirtualNetworkName` | string | `''` | | The name of the Managed Virtual Network. | -| `publicNetworkAccess` | bool | `True` | | Enable or disable public network access. | +| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether or not public network access is allowed for this resource. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -310,7 +315,7 @@ privateEndpoints: [ } }, "publicNetworkAccess": { - "value": true + "value": "Disabled" }, "gitConfigureLater": { "value": true 
@@ -347,6 +352,23 @@ privateEndpoints: [
 "value": {
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 }
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
+ "service": "dataFactory"
+ }
+ ]
+ },
+ "cMKUserAssignedIdentityResourceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
+ "cMKKeyName": {
+ "value": "keyEncryptionKey"
+ },
+ "cMKKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002"
 }
 }
 }
@@ -375,7 +397,7 @@ module factories './Microsoft.DataFactory/factories/deploy.bicep' = {
 }
 }
 }
- publicNetworkAccess: true
+ publicNetworkAccess: 'Disabled'
 gitConfigureLater: true
 roleAssignments: [
 {
@@ -394,6 +416,15 @@ module factories './Microsoft.DataFactory/factories/deploy.bicep' = {
 userAssignedIdentities: {
 '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {}
 }
+ privateEndpoints: [
+ {
+ subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
+ service: 'dataFactory'
+ }
+ ]
+ cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'
+ cMKKeyName: 'keyEncryptionKey'
+ cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002'
 }
 }
 ```