diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json index 33c0288e8c..6ae1a09159 100644 --- a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json +++ b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json @@ -162,6 +162,15 @@ "service": "namespace" } ] + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" } } } diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 3ba4a7b7b0..0c9dba1f67 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -95,6 +95,21 @@ param queues array = [] @description('Optional. The topics to create in the service bus namespace.') param topics array = [] +@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.') +param cMKKeyName string = '' + +@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') +param cMKKeyVersion string = '' + +@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +param cMKUserAssignedIdentityResourceId string = '' + +@description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.') +param requireInfrastructureEncryption bool = true + @description('Optional. The name of logs that will be streamed.') @allowed([ 'OperationalLogs' 
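Review bot: The new parameter descriptions do not state how these inputs depend on each other: `cMKKeyName` is what switches customer-managed-key encryption on, but it only works together with `cMKKeyVaultResourceId` (the vault the key is resolved from), and `cMKUserAssignedIdentityResourceId` presumably also has to be attached to the namespace through the module's identity parameters, which the text does not mention — verify against the rest of the module. The `cMKKeyVersion` wording "If not provided, the latest key version is used" reads as if the namespace follows rotation, whereas the encryption block later in this diff resolves the version once at deployment time and pins it. Suggest `Optional. The version of the customer managed key to reference for encryption. If not provided, the key version current at deployment time is resolved and pinned.` for `cMKKeyVersion`, and appending `Requires cMKKeyVaultResourceId to be set.` to the `cMKKeyName` description.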
@@ -158,6 +173,16 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/')) + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + +resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { + name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = { name: !empty(name) ? name : uniqueServiceBusNamespaceName location: location @@ -168,6 +193,20 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview identity: identity properties: { zoneRedundant: zoneRedundant + encryption: !empty(cMKKeyName) ? { + keySource: 'Microsoft.KeyVault' + keyVaultProperties: [ + { + identity: !empty(cMKUserAssignedIdentityResourceId) ? { + userAssignedIdentity: cMKUserAssignedIdentityResourceId + } : null + keyName: cMKKeyName + keyVaultUri: cMKKeyVault.properties.vaultUri + keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/')) + } + ] + requireInfrastructureEncryption: requireInfrastructureEncryption + } : null } } diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md index c50ac37894..1908f4b255 100644 --- a/modules/Microsoft.ServiceBus/namespaces/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/readme.md 
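Review bot: The `keyVersion` fallback in the `encryption` block pins whatever version `cMKKeyVaultKey.properties.keyUriWithVersion` reports at deployment time, so a later key rotation in the vault is not picked up by the namespace until the module is redeployed; if the Service Bus API treats an omitted `keyVersion` as "use the current version" (verify against the current REST reference before relying on it), `keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : null` would give rotation without a redeploy, and the `cMKKeyVersion` description should say which behaviour applies. Separately, `encryption` is gated on `!empty(cMKKeyName)` alone while the `cMKKeyVault` existing resource it dereferences for `keyVaultUri` is only declared when `cMKKeyVaultResourceId` is non-empty, so a key name supplied without a vault ID fails with an opaque reference error instead of a clear validation message; consider `encryption: (!empty(cMKKeyName) && !empty(cMKKeyVaultResourceId)) ? {`. The `serviceBusNamespace` resource body continues outside the hunk.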
@@ -41,6 +41,10 @@ This module deploys a service bus namespace resource. | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[OperationalLogs]` | `[OperationalLogs]` | The name of logs that will be streamed. | 
@@ -59,6 +63,7 @@ This module deploys a service bus namespace resource. | `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | +| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -534,6 +539,15 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "service": "namespace" } ] + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" } } } 
@@ -670,6 +684,9 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
 service: 'namespace'
 }
 ]
+ cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'
+ cMKKeyName: 'keyEncryptionKey'
+ cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002'
 }
 }
 ```
diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
index 428e0785fe..93db6c2a6e 100644
--- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
@@ -57,6 +57,22 @@ function Invoke-ResourceRemoval {
 Write-Verbose ('Skip resource removal for type [{0}]. Reason: handled by different logic.' -f $type) -Verbose
 break
 }
+ 'Microsoft.ServiceBus/namespaces/ipfilterrules' {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus IP Filter Rules are not a resource that can be removed.' -f $type) -Verbose
+ break
+ }
+ 'Microsoft.ServiceBus/namespaces/virtualnetworkrules' {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus Virtual Network Rules are not a resource that can be removed.' -f $type) -Verbose
+ break
+ }
+ 'Microsoft.ServiceBus/namespaces/AuthorizationRules' {
+ if ((Split-Path $ResourceId '/')[-1] -eq 'RootManageSharedAccessKey') {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: The Service Bus''s default authorization key [RootManageSharedAccessKey] cannot be removed.' -f $type) -Verbose
+ } else {
+ $null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop'
+ }
+ break
+ }
 'Microsoft.Compute/diskEncryptionSets' {
 # Pre-Removal
 # -----------
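Review bot: `Split-Path $ResourceId '/'` in the new `AuthorizationRules` case passes `'/'` as a second positional argument, but `Split-Path` only binds `-Path` positionally, so this looks like it would fail parameter binding at runtime instead of yielding the path segments the `[-1]` index expects — please exercise the branch once, or use `if ($ResourceId.Split('/')[-1] -eq 'RootManageSharedAccessKey') {`, which is what the indexing implies was intended. The comparison itself is sound: `-eq` is case-insensitive in PowerShell, which matches ARM's case-insensitive resource names. `$ResourceId` and `$resourceId` are the same variable here, but one spelling would read more cleanly. The enclosing `switch` and `Invoke-ResourceRemoval` function start before this hunk.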