diff --git a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep
index d447225b45..64af32f508 100644
--- a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep
+++ b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep
@@ -30,12 +30,13 @@ param disableLocalAuth bool = false
 @description('Optional. Property specifying whether protection against purge is enabled for this configuration store.')
 param enablePurgeProtection bool = false
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
- 'Disabled'
+ ''
 'Enabled'
+ 'Disabled'
 ])
-@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
-param publicNetworkAccess string = 'Enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. The amount of time in days that the configuration store will be retained when it is soft deleted.')
 @minValue(1)
@@ -155,7 +156,7 @@ resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021
 createMode: createMode
 disableLocalAuth: disableLocalAuth
 enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays
 }
 }
diff --git a/modules/Microsoft.AppConfiguration/configurationStores/readme.md b/modules/Microsoft.AppConfiguration/configurationStores/readme.md
index 3a36c165c4..42e1502cd5 100644
--- a/modules/Microsoft.AppConfiguration/configurationStores/readme.md
+++ b/modules/Microsoft.AppConfiguration/configurationStores/readme.md
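Review bot: The final fallback in the new `publicNetworkAccess` expression is `null`, which leaves the decision to the service default (for these resource types that generally means public access stays enabled), while the new parameter description says access "should be disabled" and only promises disabling when private endpoints are set; together they read as secure-by-default when a deployment with neither parameter set is not. The same expression and description are introduced in the Batch, ContainerRegistry, EventGrid, KeyVault and Storage hunks of this commit. Either make the intent explicit with `'Disabled'` in place of `null`, or state the behaviour in the description: `If not specified, it will be disabled by default if private endpoints are set; otherwise the service default applies.` The resource body continues outside the hunk.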
@@ -48,7 +48,7 @@ This module deploys an App Configuration Store.
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `softDeleteRetentionInDays` | int | `1` | | The amount of time in days that the configuration store will be retained when it is soft deleted. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
diff --git a/modules/Microsoft.Batch/batchAccounts/deploy.bicep b/modules/Microsoft.Batch/batchAccounts/deploy.bicep
index 34f5e2daf1..f4eb236dbe 100644
--- a/modules/Microsoft.Batch/batchAccounts/deploy.bicep
+++ b/modules/Microsoft.Batch/batchAccounts/deploy.bicep
@@ -33,12 +33,13 @@ param poolAllocationMode string = 'BatchService'
 @description('Conditional. The key vault to associate with the Batch account. Required if the \'poolAllocationMode\' is set to \'UserSubscription\' and requires the service principal \'Microsoft Azure Batch\' to be granted contributor permissions on this key vault.')
 param keyVaultReferenceResourceId string = ''
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
- 'Disabled'
+ ''
 'Enabled'
+ 'Disabled'
 ])
-@description('Optional. The network access type for operating on the resources in the Batch account.')
-param publicNetworkAccess string = 'Enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
@@ -189,7 +190,7 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-01-01' = {
 url: keyVaultReferenceKeyVault.properties.vaultUri
 } : null
 poolAllocationMode: poolAllocationMode
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 }
 }
 
diff --git a/modules/Microsoft.Batch/batchAccounts/readme.md b/modules/Microsoft.Batch/batchAccounts/readme.md
index 3c85c2f26b..e83ea9b824 100644
--- a/modules/Microsoft.Batch/batchAccounts/readme.md
+++ b/modules/Microsoft.Batch/batchAccounts/readme.md
@@ -51,7 +51,7 @@
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `poolAllocationMode` | string | `'BatchService'` | `[BatchService, UserSubscription]` | The allocation mode for creating pools in the Batch account. Determines which quota will be used. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for operating on the resources in the Batch account. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `storageAccessIdentity` | string | `''` | | The reference to a user assigned identity associated with the Batch pool which a compute node will use. |
 | `storageAuthenticationMode` | string | `'StorageKeys'` | `[BatchAccountManagedIdentity, StorageKeys]` | The authentication mode which the Batch service will use to manage the auto-storage account. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
index 025c2bbc54..3dec090c19 100644
--- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
+++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
@@ -57,12 +57,13 @@ param retentionPolicyDays int = 15
 @description('Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access.')
 param dataEndpointEnabled bool = false
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
- 'Disabled'
+ ''
 'Enabled'
+ 'Disabled'
 ])
-@description('Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled.')
-param publicNetworkAccess string = 'Enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None.')
 param networkRuleBypassOptions string = 'AzureServices'
@@ -244,7 +245,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
 } : null
 }
 dataEndpointEnabled: dataEndpointEnabled
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 networkRuleBypassOptions: networkRuleBypassOptions
 networkRuleSet: !empty(networkRuleSetIpRules) ? {
 defaultAction: networkRuleSetDefaultAction
diff --git a/modules/Microsoft.ContainerRegistry/registries/readme.md b/modules/Microsoft.ContainerRegistry/registries/readme.md
index 4b97f63697..4c0037875c 100644
--- a/modules/Microsoft.ContainerRegistry/registries/readme.md
+++ b/modules/Microsoft.ContainerRegistry/registries/readme.md
@@ -59,7 +59,7 @@ Azure Container Registry is a managed, private Docker registry service based on
 | `networkRuleSetDefaultAction` | string | `'Deny'` | `[Allow, Deny]` | The default action of allow or deny when no other rules match. |
 | `networkRuleSetIpRules` | array | `[]` | | The IP ACL rules. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether or not public network access is allowed for the container registry. - Enabled or Disabled. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `quarantinePolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the quarantine policy is enabled or not. |
 | `replications` | _[replications](replications/readme.md)_ array | `[]` | | All replications to create. |
 | `retentionPolicyDays` | int | `15` | | The number of days to retain an untagged manifest after which it gets purged. |
diff --git a/modules/Microsoft.DataFactory/factories/deploy.bicep b/modules/Microsoft.DataFactory/factories/deploy.bicep
index 19383e59fd..28829aa852 100644
--- a/modules/Microsoft.DataFactory/factories/deploy.bicep
+++ b/modules/Microsoft.DataFactory/factories/deploy.bicep
@@ -10,12 +10,13 @@ param integrationRuntime object = {}
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Whether or not public network access is allowed for this resource.')
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
+ ''
 'Enabled'
 'Disabled'
 ])
-param publicNetworkAccess string = 'Disabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Boolean to define whether or not to configure git during template deployment.')
 param gitConfigureLater bool = true
diff --git a/modules/Microsoft.DataFactory/factories/readme.md b/modules/Microsoft.DataFactory/factories/readme.md
index 16527bdac5..f66b2ccab7 100644
--- a/modules/Microsoft.DataFactory/factories/readme.md
+++ b/modules/Microsoft.DataFactory/factories/readme.md
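Review bot: The default for `publicNetworkAccess` moves from `'Disabled'` to `''`, but unlike the other modules in this commit no hunk touches the factory resource's property assignment, so I cannot see whether the empty string is translated before it reaches the API; if the resource still passes the parameter through unchanged, `''` would be submitted as the property value, and the new description's promise of "disabled by default if private endpoints are set" would not hold. The factory resource presumably needs the same conditional the sibling modules received, `publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)`, or a `'Disabled'` fallback to keep the previous secure default. Callers relying on the old default get a different value either way, which deserves a changelog entry. The resource declaration is outside this hunk.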
@@ -53,7 +53,7 @@
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `managedVirtualNetworkName` | string | `''` | | The name of the Managed Virtual Network. |
 | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether or not public network access is allowed for this resource. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the resource. |
diff --git a/modules/Microsoft.EventGrid/topics/deploy.bicep b/modules/Microsoft.EventGrid/topics/deploy.bicep
index c75a508aa7..6472a79da0 100644
--- a/modules/Microsoft.EventGrid/topics/deploy.bicep
+++ b/modules/Microsoft.EventGrid/topics/deploy.bicep
@@ -4,8 +4,13 @@ param name string
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Determines if traffic is allowed over public network.')
-param publicNetworkAccess string = 'Enabled'
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
+@allowed([
+ ''
+ 'Enabled'
+ 'Disabled'
+])
+param publicNetworkAccess string = ''
 
 @description('Optional. Array of IPs to whitelist.')
 param inboundIpRules array = []
@@ -106,7 +111,7 @@ resource topic 'Microsoft.EventGrid/topics@2020-06-01' = {
 location: location
 tags: tags
 properties: {
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 inboundIpRules: (empty(inboundIpRules) ? null : inboundIpRules)
 }
 }
diff --git a/modules/Microsoft.EventGrid/topics/readme.md b/modules/Microsoft.EventGrid/topics/readme.md
index 23e643ef60..c97ac5d2b6 100644
--- a/modules/Microsoft.EventGrid/topics/readme.md
+++ b/modules/Microsoft.EventGrid/topics/readme.md
@@ -43,7 +43,7 @@ This module deploys an event grid topic.
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | | Determines if traffic is allowed over public network. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags of the resource. |
 
diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep
index 2b012b70a0..b96a4bd8d8 100644
--- a/modules/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep
@@ -64,12 +64,13 @@ param vaultSku string = 'premium'
 @description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny.')
 param networkAcls object = {}
 
-@description('Optional. Property to specify whether the vault will accept traffic from public internet. If set to "disabled" all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules.')
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
- 'enabled'
- 'disabled'
+ ''
+ 'Enabled'
+ 'Disabled'
 ])
-param publicNetworkAccess string = 'enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
@@ -212,7 +213,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
 family: 'A'
 }
 networkAcls: !empty(networkAcls) ? networkAcls_var : null
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 }
 }
 
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index 0a0677d84a..e39cf1e141 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
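Review bot: The `@allowed` values change case from `'enabled'`/`'disabled'` to `'Enabled'`/`'Disabled'`, so callers still passing the lowercase values the module accepted until now may be rejected at validation time; this is a breaking change to the parameter contract and nothing in the hunk maps the old spellings, so it should at least be called out in the module's version and changelog. The removed description also carried a behavioural detail the generic replacement loses: that `Disabled` blocks everything except private-endpoint and trusted-service traffic and takes precedence over the `networkAcls` firewall rules. That is exactly the interaction an operator combining `networkAcls` with this parameter needs to know, so I would keep it, e.g. append `When set to Disabled, only private endpoint and trusted service traffic is accepted and networkAcls rules are not honored.` to the new description.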
@@ -51,7 +51,7 @@ This module deploys a key vault and its child resources.
 | `name` | string | `''` | | Name of the Key Vault. If no name is provided, then unique name will be created. |
 | `networkAcls` | object | `{object}` | | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'enabled'` | `[enabled, disabled]` | Property to specify whether the vault will accept traffic from public internet. If set to "disabled" all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `secrets` | secureObject | `{object}` | | All secrets to create. |
 | `softDeleteRetentionInDays` | int | `90` | | softDelete data retention days. It accepts >=7 and <=90. |
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
index c3c63ac945..e6190f0f65 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
+++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
@@ -128,15 +128,16 @@ param cMKUserAssignedIdentityResourceId string = ''
 @sys.description('Optional. The compute name for image build.')
 param imageBuildCompute string = ''
 
-@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
+@sys.description('Conditional. The user assigned identity resource ID that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
 param primaryUserAssignedIdentity string = ''
 
-@sys.description('Optional. Whether requests from Public Network are allowed.')
+@sys.description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
+ ''
 'Enabled'
 'Disabled'
 ])
-param publicNetworkAccess string = 'Disabled'
+param publicNetworkAccess string = ''
 
 // ================//
 // Variables //
@@ -220,7 +221,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = {
 } : null
 imageBuildCompute: imageBuildCompute
 primaryUserAssignedIdentity: primaryUserAssignedIdentity
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled')
 }
 }
 
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
index 80c6dc976e..1b85a98404 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
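Review bot: The workspace resource's final fallback is `'Enabled'` rather than the `null` used in every other module in this commit, and since the parameter default moves from `'Disabled'` to `''`, a caller who deploys with defaults and no private endpoints now gets a workspace with public network access explicitly enabled where the previous version disabled it. That is a silent hardening regression that the new description ("For security reasons it should be disabled") does not hint at, and nothing in the hunk explains why this module should differ from its siblings. Keep the previous default by making the fallback `'Disabled'`, which reduces the line to `publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : 'Disabled'`; if the change is intentional, align the fallback with the other modules and record it as a breaking change. The resource body continues outside the hunk.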
@@ -35,7 +35,7 @@ This module deploys a Machine Learning Services Workspace.
 **Conditional parameters**
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
-| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
+| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
 | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. |
 
@@ -65,7 +65,7 @@ This module deploys a Machine Learning Services Workspace.
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Resource tags. |
 
diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
index 9c85ef10c5..7ce50929ac 100644
--- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
+++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
@@ -12,7 +12,7 @@ param enableDefaultTelemetry bool = true
 @description('Required. Configure default action in virtual network rule set.')
 param defaultAction string
 
-@description('Required. Configure Publice Network Access restrictions in virtual network rule set.')
+@description('Required. Configure Public Network Access restrictions in virtual network rule set.')
 param publicNetworkAccess string
 
 @description('Required. Configure Trusted Services in virtual network rule set.')
diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
index 9c670d3871..5c67e41d5a 100644
--- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
@@ -21,7 +21,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets.
 | :-- | :-- | :-- | :-- |
 | `defaultAction` | string | | Configure default action in virtual network rule set. |
 | `name` | string | `'default'` | The default is the only valid ruleset. |
-| `publicNetworkAccess` | string | | Configure Publice Network Access restrictions in virtual network rule set. |
+| `publicNetworkAccess` | string | | Configure Public Network Access restrictions in virtual network rule set. |
 | `trustedServiceAccessEnabled` | bool | | Configure Trusted Services in virtual network rule set. |
 
 **Conditional parameters**
diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
index 3cc2c27179..8739cd0152 100644
--- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -119,13 +119,13 @@ param enableDefaultTelemetry bool = true
 @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.')
 param basetime string = utcNow('u')
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
+ ''
 'Enabled'
 'Disabled'
 ])
-
-@description('Optional. Enable or disallow public network access to Storage Account..')
-param publicNetworkAccess string = 'Enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Allows HTTPS traffic only to storage service if sets to true.')
 param supportsHttpsTrafficOnly bool = true
@@ -242,7 +242,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
 ipRules: (!empty(networkAcls) && contains(networkAcls, 'ipRules')) ? networkAcls.ipRules : []
 } : null
 allowBlobPublicAccess: allowBlobPublicAccess
- publicNetworkAccess: publicNetworkAccess
+ publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
 azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null
 }
 }
diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md
index 14ed811f7f..02f1589e02 100644
--- a/modules/Microsoft.Storage/storageAccounts/readme.md
+++ b/modules/Microsoft.Storage/storageAccounts/readme.md
@@ -64,7 +64,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `name` | string | `''` | | Name of the Storage Account. Autogenerated with a unique string if not provided. |
 | `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Enable or disallow public network access to Storage Account.. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Queue service and queues to create. |
 | `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |