From 3da4300c181e0ff713c35e3a7ed9b4b2eada7d78 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 13:32:43 +0200 Subject: [PATCH 01/11] Added encryption capabilities --- .../namespaces/.parameters/parameters.json | 9 ++++ .../namespaces/deploy.bicep | 46 +++++++++++++++++++ arm/Microsoft.ServiceBus/namespaces/readme.md | 22 +++++++++ 3 files changed, 77 insertions(+) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 33c0288e8c..6ae1a09159 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -162,6 +162,15 @@ "service": "namespace" } ] + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" } } } diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index d84954cc60..9d91d7622b 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -92,6 +92,24 @@ param queues array = []
 @description('Optional. The topics to create in the service bus namespace.')
 param topics array = []
 
+@description('Optional. Enable service encryption.')
+param enableEncryption bool = true
+
+@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+param cMKKeyVaultResourceId string = ''
+
+@description('Optional. The name of the customer managed key to use for encryption.')
+param cMKKeyName string = ''
+
+@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.')
+param cMKUserAssignedIdentityResourceId string = ''
+
+@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.')
+param cMKKeyVersion string = ''
+
+@description('Optional. Enable Infrastructure Encryption (Double Encryption)')
+param requireInfrastructureEncryption bool = true
+
 @description('Optional. The name of logs that will be streamed.')
 @allowed([
 'OperationalLogs'
@@ -155,6 +173,16 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split(cMKKeyVaultResourceId, '/'))
+ scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+}
+
+resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName) && empty(cMKKeyVersion)) {
+ name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'
+ scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+}
+
 resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
 name: !empty(name) ? name : uniqueServiceBusNamespaceName
 location: location
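Review bot: The `cMKKeyVaultResourceId` description in the first hunk says nothing about what the referenced vault must provide, while the two `existing` resources in the second hunk read `properties.vaultUri` and `properties.keyUriWithVersion` at deployment time. As far as I know that means the principal running the deployment needs read access to the vault and to the key, and the platform only accepts a vault with soft-delete and purge protection enabled for customer-managed keys; without a hint in the parameter docs, a failed deployment is the only feedback a caller gets. I would extend the description to `'Optional. The resource ID of a key vault to reference a customer managed key for encryption from. The key vault must have soft-delete and purge protection enabled, and the deploying principal must be able to read the vault and the key.'` and mirror the sentence in the readme row.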
@@ -165,6 +193,24 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview
 identity: identity
 properties: {
 zoneRedundant: zoneRedundant
+ encryption: enableEncryption && !empty(cMKKeyName) ? {
+ // Customer-managed key
+ keySource: 'Microsoft.KeyVault'
+ keyVaultProperties: [
+ {
+ identity: {
+ userAssignedIdentity: cMKUserAssignedIdentityResourceId
+ }
+ keyName: cMKKeyName
+ keyVaultUri: cMKKeyVault.properties.vaultUri
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
+ }
+ ]
+ requireInfrastructureEncryption: requireInfrastructureEncryption
+ } : enableEncryption ? {
+ // Service-managed key
+ keySource: 'Microsoft.ServiceBus/namespaces'
+ } : null
 }
 }
 
diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md
index e6651b7295..d8fd3ce525 100644
--- a/arm/Microsoft.ServiceBus/namespaces/readme.md
+++ b/arm/Microsoft.ServiceBus/namespaces/readme.md
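Review bot: `keyVersion` is populated on both paths of its ternary — from `cMKKeyVersion`, or from the version resolved out of `cMKKeyVaultKey.properties.keyUriWithVersion` at deployment time — so the namespace is always pinned to one key version and never references the key unversioned. If, as I believe, the service's automatic key rotation relies on an unversioned key reference, this module opts out of it, and a key rotated in Key Vault is not picked up until the module is redeployed. That is worth a comment on the line, e.g. `// Resolves and pins the current key version at deployment time; redeploy after rotating the key.`, and the `cMKKeyVersion` description should say that when no version is given the latest version is resolved and pinned at deployment time. The `serviceBusNamespace` resource starts before this hunk.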
@@ -36,10 +36,18 @@ This module deploys a service bus namespace resource. | :-- | :-- | :-- | :-- | :-- | | `skuName` | string | `'Basic'` | `[Basic, Standard, Premium]` | Name of this SKU. - Basic, Standard, Premium. | +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. Required if 'cMKeyName' is not empty. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[OperationalLogs]` | `[OperationalLogs]` | The name of logs that will be streamed. | 
@@ -50,6 +58,7 @@ This module deploys a service bus namespace resource. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disasterRecoveryConfigs` | _[disasterRecoveryConfigs](disasterRecoveryConfigs/readme.md)_ object | `{object}` | | The disaster recovery configuration. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `enableEncryption` | bool | `True` | | Enable service encryption. | | `ipFilterRules` | _[ipFilterRules](ipFilterRules/readme.md)_ array | `[]` | | IP Filter Rules for the Service Bus namespace. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | @@ -57,6 +66,7 @@ This module deploys a service bus namespace resource. | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | +| `requireInfrastructureEncryption` | bool | `True` | | Enable Infrastructure Encryption (Double Encryption) | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | 
@@ -497,6 +507,15 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "service": "namespace" } ] + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" } } } @@ -634,6 +653,9 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { service: 'namespace' } ] + cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' + cMKKeyName: 'keyEncryptionKey' + cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' } } ``` From dee0884a5d6d26ad1b2dff790d9c0df555ee48e0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 13:59:35 +0200 Subject: [PATCH 02/11] Cleanup --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 13 +++---------- arm/Microsoft.ServiceBus/namespaces/readme.md | 3 +-- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 9d91d7622b..d24d068269 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -92,13 +92,10 @@ param queues array = []
 @description('Optional. The topics to create in the service bus namespace.')
 param topics array = []
 
-@description('Optional. Enable service encryption.')
-param enableEncryption bool = true
-
 @description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
 param cMKKeyVaultResourceId string = ''
 
-@description('Optional. The name of the customer managed key to use for encryption.')
+@description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.')
 param cMKKeyName string = ''
 
 @description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.')
@@ -178,7 +175,7 @@ resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empt
 scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }
 
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName) && empty(cMKKeyVersion)) {
+resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
 name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'
 scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }
@@ -193,8 +190,7 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview
 identity: identity
 properties: {
 zoneRedundant: zoneRedundant
- encryption: enableEncryption && !empty(cMKKeyName) ? {
- // Customer-managed key
+ encryption: !empty(cMKKeyName) ? {
 keySource: 'Microsoft.KeyVault'
 keyVaultProperties: [
 {
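Review bot: The condition on `cMKKeyVaultKey` in the second hunk lost its `empty(cMKKeyVersion)` clause, so the key is now resolved whenever a customer-managed key is configured, even when the caller pins `cMKKeyVersion` and the `keyVersion` ternary never reads `keyUriWithVersion`. That widens what the deploying principal must be able to read and makes the deployment fail on an unresolvable key although its version was supplied explicitly. If the clause was dropped because referencing a conditional `existing` resource from inside the ternary did not compile or evaluate reliably, a comment on the resource saying so would keep the next reader from reinstating it; otherwise I would restore `existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName) && empty(cMKKeyVersion)) {`. Separately, with `enableEncryption` gone the `encryption` property is `null` unless a key name is set, so the new `cMKKeyName` description's 'automatically enabled with a Microsoft-managed key' rests on the platform default rather than on anything this template sets — the description should say so.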
@@ -207,9 +203,6 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview } ] requireInfrastructureEncryption: requireInfrastructureEncryption - } : enableEncryption ? { - // Service-managed key - keySource: 'Microsoft.ServiceBus/namespaces' } : null } } diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index d8fd3ce525..7a06d83856 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -46,7 +46,7 @@ This module deploys a service bus namespace resource. | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | 
@@ -58,7 +58,6 @@ This module deploys a service bus namespace resource. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disasterRecoveryConfigs` | _[disasterRecoveryConfigs](disasterRecoveryConfigs/readme.md)_ object | `{object}` | | The disaster recovery configuration. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `enableEncryption` | bool | `True` | | Enable service encryption. | | `ipFilterRules` | _[ipFilterRules](ipFilterRules/readme.md)_ array | `[]` | | IP Filter Rules for the Service Bus namespace. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | From 47e26f7cbdbb100faf4845de24bb027b42af2e5f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 14:04:59 +0200 Subject: [PATCH 03/11] Updated docs --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +- arm/Microsoft.ServiceBus/namespaces/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index d24d068269..72574ceee9 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -74,7 +74,7 @@ param userAssignedIdentities object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@description('Optional. Configuration Details for private endpoints.') +@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] @description('Optional. Tags of the resource.') diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 7a06d83856..3f2b941626 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -63,7 +63,7 @@ This module deploys a service bus namespace resource. | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | -| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | +| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | | `requireInfrastructureEncryption` | bool | `True` | | Enable Infrastructure Encryption (Double Encryption) | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | From 682147c75ae1bfeeeb64f01e6e9d4d69910b8029 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 14:09:16 +0200 Subject: [PATCH 04/11] Added missing dot --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +- arm/Microsoft.ServiceBus/namespaces/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 72574ceee9..7f2700fee4 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -104,7 +104,7 @@ param cMKUserAssignedIdentityResourceId string = '' @description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') param cMKKeyVersion string = '' -@description('Optional. Enable Infrastructure Encryption (Double Encryption)') +@description('Optional. Enable Infrastructure Encryption (Double Encryption).') param requireInfrastructureEncryption bool = true @description('Optional. The name of logs that will be streamed.') diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 3f2b941626..0523f7f193 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -65,7 +65,7 @@ This module deploys a service bus namespace resource. | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | -| `requireInfrastructureEncryption` | bool | `True` | | Enable Infrastructure Encryption (Double Encryption) | +| `requireInfrastructureEncryption` | bool | `True` | | Enable Infrastructure Encryption (Double Encryption). | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | From a01856dd398023bac601f388d7c4ebe11405592d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 15:11:44 +0200 Subject: [PATCH 05/11] Added service bus removal case handling --- .../helper/Invoke-ResourceRemoval.ps1 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index 428e0785fe..93db6c2a6e 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
@@ -57,6 +57,22 @@ function Invoke-ResourceRemoval {
 Write-Verbose ('Skip resource removal for type [{0}]. Reason: handled by different logic.' -f $type) -Verbose
 break
 }
+ 'Microsoft.ServiceBus/namespaces/ipfilterrules' {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus IP Filter Rules are not a resource that can be removed.' -f $type) -Verbose
+ break
+ }
+ 'Microsoft.ServiceBus/namespaces/virtualnetworkrules' {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus Virtual Network Rules are not a resource that can be removed.' -f $type) -Verbose
+ break
+ }
+ 'Microsoft.ServiceBus/namespaces/AuthorizationRules' {
+ if ((Split-Path $ResourceId '/')[-1] -eq 'RootManageSharedAccessKey') {
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: The Service Bus''s default authorization key [RootManageSharedAccessKey] cannot be removed.' -f $type) -Verbose
+ } else {
+ $null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop'
+ }
+ break
+ }
 'Microsoft.Compute/diskEncryptionSets' {
 # Pre-Removal
 # -----------
From 09a32f61e9f270ecf2bc44417bb8e57d1236b2a7 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Jun 2022 00:15:08 +0200
Subject: [PATCH 06/11] Update to latest
---
 arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 8 ++++----
 arm/Microsoft.ServiceBus/namespaces/readme.md | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep
index 7f2700fee4..bf5a78443a 100644
--- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep
+++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep
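Review bot: `(Split-Path $ResourceId '/')[-1]` in the `AuthorizationRules` case does not look like it yields the last segment of the resource ID: if I read the cmdlet's parameter sets right, `Split-Path` binds only `-Path` positionally, so the literal `'/'` fails parameter binding, and even if it were accepted the cmdlet returns the parent path, whose `[-1]` is a single character — either way the comparison with `RootManageSharedAccessKey` cannot behave as written, and the default rule would end up in the `Remove-AzResource` branch or be skipped by the aborted statement. `if ((Split-Path $ResourceId -Leaf) -eq 'RootManageSharedAccessKey') {` expresses the intent and handles forward slashes on every platform. The `switch` on `$type` and the enclosing `Invoke-ResourceRemoval` function both start and end outside this hunk.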
@@ -98,10 +98,10 @@ param cMKKeyVaultResourceId string = ''
 @description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.')
 param cMKKeyName string = ''
 
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.')
+@description('Conditional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.')
 param cMKUserAssignedIdentityResourceId string = ''
 
-@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.')
+@description('Conditional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
 param cMKKeyVersion string = ''
 
 @description('Optional. Enable Infrastructure Encryption (Double Encryption).')
@@ -194,9 +194,9 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview
 keySource: 'Microsoft.KeyVault'
 keyVaultProperties: [
 {
- identity: {
+ identity: !empty(cMKUserAssignedIdentityResourceId) ? {
 userAssignedIdentity: cMKUserAssignedIdentityResourceId
- }
+ } : null
 keyName: cMKKeyName
 keyVaultUri: cMKKeyVault.properties.vaultUri
 keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md
index 0523f7f193..d3a39e4a38 100644
--- a/arm/Microsoft.ServiceBus/namespaces/readme.md
+++ b/arm/Microsoft.ServiceBus/namespaces/readme.md
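Review bot: Making `identity` optional in the second hunk leaves the ordering problem to the new description text — 'a system-assigned identity can be used - but must be given access to the referenced key vault first' — without saying how that can happen: the system-assigned identity of this namespace only exists once the namespace has been deployed, so a first deployment with `cMKKeyName` set and `cMKUserAssignedIdentityResourceId` empty has no principal that could have been granted key access yet and will, as far as I can tell, be rejected by the service. The `cMKUserAssignedIdentityResourceId` description (and the matching readme row changed in the next file) should spell out the two-step flow: deploy with `systemAssignedIdentity` enabled and no CMK parameters, grant the resulting principal key permissions on the vault, then redeploy with `cMKKeyName`. A user-assigned identity, which the test parameters use, avoids the problem and should be named as the recommended path. The `serviceBusNamespace` resource starts and ends outside this hunk.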
@@ -39,8 +39,8 @@ This module deploys a service bus namespace resource. **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. Required if 'cMKeyName' is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKeyName' is not empty. | +| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | From e18c822f68a57eb8a3bc983519b00f15e615703a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Jun 2022 00:22:12 +0200 Subject: [PATCH 07/11] Update to latest --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 4 ++-- arm/Microsoft.ServiceBus/namespaces/readme.md | 8 ++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index bf5a78443a..516454ab72 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -98,10 +98,10 @@ param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.') param cMKKeyName string = '' -@description('Conditional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') param cMKUserAssignedIdentityResourceId string = '' -@description('Conditional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') +@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' @description('Optional. Enable Infrastructure Encryption (Double Encryption).') diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index d3a39e4a38..8b1185e72a 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -36,18 +36,14 @@ This module deploys a service bus namespace resource. | :-- | :-- | :-- | :-- | :-- | | `skuName` | string | `'Basic'` | `[Basic, Standard, Premium]` | Name of this SKU. - Basic, Standard, Premium. | -**Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVersion` | string | `''` | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | - **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[OperationalLogs]` | `[OperationalLogs]` | The name of logs that will be streamed. | From 9ab6a73104f6664bb12111fa3e93a9a6da866acb Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Fri, 8 Jul 2022 10:46:28 +0200 Subject: [PATCH 08/11] Update modules/Microsoft.ServiceBus/namespaces/deploy.bicep Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index d82c21d879..6682840ebe 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -107,7 +107,7 @@ param cMKUserAssignedIdentityResourceId string = '' @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' -@description('Optional. Enable Infrastructure Encryption (Double Encryption).') +@description('Optional. Enable infrastructure encryption (double encryption).') param requireInfrastructureEncryption bool = true @description('Optional. The name of logs that will be streamed.') From 8a2c0736b15f3f9046a7daf2924923cc5333741f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 8 Jul 2022 10:47:49 +0200 Subject: [PATCH 09/11] Regenerated docs --- modules/Microsoft.ServiceBus/namespaces/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md index a0a0fb722d..d4f0bc9e9f 100644 --- a/modules/Microsoft.ServiceBus/namespaces/readme.md 
+++ b/modules/Microsoft.ServiceBus/namespaces/readme.md @@ -63,7 +63,7 @@ This module deploys a service bus namespace resource. | `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | -| `requireInfrastructureEncryption` | bool | `True` | | Enable Infrastructure Encryption (Double Encryption). | +| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | From 64634ff8ee18c419d878086438e934a4dcb0f43a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 8 Jul 2022 10:48:30 +0200 Subject: [PATCH 10/11] Moved param --- modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 6682840ebe..742d2782d5 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep 
+++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -101,12 +101,12 @@ param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.') param cMKKeyName string = '' -@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') -param cMKUserAssignedIdentityResourceId string = '' - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' +@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +param cMKUserAssignedIdentityResourceId string = '' + @description('Optional. Enable infrastructure encryption (double encryption).') param requireInfrastructureEncryption bool = true From 8bedbed174895e0d10bd012a12a4f37fe557cee1 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 8 Jul 2022 21:18:03 +0200 Subject: [PATCH 11/11] Extended docs --- modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +- modules/Microsoft.ServiceBus/namespaces/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 742d2782d5..0c9dba1f67 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -107,7 +107,7 @@ param cMKKeyVersion string = ''
 @description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.')
 param cMKUserAssignedIdentityResourceId string = ''
 
-@description('Optional. Enable infrastructure encryption (double encryption).')
+@description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = true
 
 @description('Optional. The name of logs that will be streamed.')
diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md
index d4f0bc9e9f..1908f4b255 100644
--- a/modules/Microsoft.ServiceBus/namespaces/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/readme.md
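Review bot: The new description of `requireInfrastructureEncryption` says the setting requires the CMK parameters, yet its default stays `true` while `cMKKeyName` and `cMKUserAssignedIdentityResourceId` default to `''`, so a caller who sets nothing gets a combination the description itself calls incomplete. Whether that ends in a deployment error or in the flag being silently dropped depends on how the namespace's `encryption` property is assembled further down the file, which is outside this hunk. Either default the flag off (`param requireInfrastructureEncryption bool = false`) so it is only honoured next to an explicit key, or state in the description what happens without a CMK, e.g. `Has no effect unless 'cMKKeyName' is provided.`. The readme row in the following hunk should carry the same wording.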
@@ -63,7 +63,7 @@ This module deploys a service bus namespace resource.
 | `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. |
-| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). |
+| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the resource. |
