From af5aceb7883c3619d276662b6770407b5bafa5d0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 3 Sep 2022 12:16:18 +0200 Subject: [PATCH 1/8] Updated DiskEncryptionSet --- .../ms.compute.diskencryptionsets.yml | 3 +- .../.test/default/dependencies.bicep | 57 +++++++++++++++++++ .../.test/default/deploy.test.bicep | 56 ++++++++++++++++++ .../diskEncryptionSets/.test/parameters.json | 25 -------- .../diskEncryptionSets/readme.md | 20 +++---- 5 files changed, 124 insertions(+), 37 deletions(-) create mode 100644 modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep create mode 100644 modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep delete mode 100644 modules/Microsoft.Compute/diskEncryptionSets/.test/parameters.json diff --git a/.github/workflows/ms.compute.diskencryptionsets.yml b/.github/workflows/ms.compute.diskencryptionsets.yml index 41f443ce2a..9f19019556 100644 --- a/.github/workflows/ms.compute.diskencryptionsets.yml +++ b/.github/workflows/ms.compute.diskencryptionsets.yml @@ -106,8 +106,7 @@ jobs: - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' + templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep new file mode 100644 index 0000000000..3029969379 --- /dev/null +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep 
@@ -0,0 +1,57 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+
+ resource key 'keys@2022-07-01' = {
+ name: 'keyEncryptionKey'
+ properties: {
+ kty: 'RSA'
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Reader-RoleAssignment')
+ scope: keyVault::key
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
+ principalType: 'ServicePrincipal'
+ }
+}
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The name of the created encryption key.')
+output keyName string = keyVault::key.name
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
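Review bot: The guid() seed at `name: guid('msi-...-KeyVault-Reader-RoleAssignment')` says Reader while the roleDefinitionId two lines below binds Key Vault Crypto User, so anyone auditing the deployment by assignment name gets the wrong picture of what was granted; seed it with the role actually assigned, e.g. `name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Crypto-User-RoleAssignment')`. Scoping that assignment to `keyVault::key` rather than the whole vault is the right least-privilege choice and deserves a short comment so it is not "simplified" to vault scope later. `enablePurgeProtection: null` is presumably deliberate so the test vault can be torn down, but disk encryption sets generally require a purge-protected vault, so if the module's deploy.bicep (outside this patch) does not relax that, the e2e run may fail; a comment such as `// Purge protection intentionally left off so the test vault can be deleted; DES normally requires it.` would record the trade-off. `enabledForDeployment` and `enabledForTemplateDeployment` are not needed by a disk encryption set and only widen which Azure services may read the vault, so they can be dropped from this fixture.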
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep
new file mode 100644
index 0000000000..98798c58d9
--- /dev/null
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep
@@ -0,0 +1,56 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for a testing purposes')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment .Should be kept short to not run into resource-name length-constraints')
+param serviceShort string = '...'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ keyVaultName: 'dep-<>-kv-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ keyName: resourceGroupResources.outputs.keyName
+ keyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ }
+}
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/parameters.json b/modules/Microsoft.Compute/diskEncryptionSets/.test/parameters.json
deleted file mode 100644
index 58ec4d9a2a..0000000000
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/parameters.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-des-x-001"
- },
- "keyVaultResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
- },
- "keyName": {
- "value": "keyEncryptionKey"
- },
- "roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ]
- }
- }
-}
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
index 53638c0d1c..8cf5b5e1c6 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
@@ -164,7 +164,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: The name of each example is based on the name of the file from which it is taken. >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Parameters

+

Example 1: Default

@@ -172,17 +172,17 @@ The following module usage examples are retrieved from the content of the files ```bicep module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-DiskEncryptionSets' + name: '${uniqueString(deployment().name)}-test-...' params: { // Required parameters - keyName: 'keyEncryptionKey' - keyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' - name: '<>-az-des-x-001' + keyName: '' + keyVaultResourceId: '' + name: '<>...001' // Non-required parameters roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } @@ -205,20 +205,20 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' "parameters": { // Required parameters "keyName": { - "value": "keyEncryptionKey" + "value": "" }, "keyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" + "value": "" }, "name": { - "value": "<>-az-des-x-001" + "value": "<>...001" }, // Non-required parameters "roleAssignments": { "value": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } From f8c2d12a9e1f7e840d56ac6ebabe9f1f8210f47c Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 3 Sep 2022 12:41:06 +0200 Subject: [PATCH 2/8] Update to latest --- .../diskEncryptionSets/.test/default/deploy.test.bicep | 2 +- modules/Microsoft.Compute/diskEncryptionSets/readme.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep index 98798c58d9..a8847b07f3 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep 
@@ -11,7 +11,7 @@ param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment .Should be kept short to not run into resource-name length-constraints') -param serviceShort string = '...' +param serviceShort string = 'cdesdef' // =========== // // Deployments // diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md index 8cf5b5e1c6..6f3df36f8b 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md @@ -172,12 +172,12 @@ The following module usage examples are retrieved from the content of the files ```bicep module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-test-...' + name: '${uniqueString(deployment().name)}-test-cdesdef' params: { // Required parameters keyName: '' keyVaultResourceId: '' - name: '<>...001' + name: '<>cdesdef001' // Non-required parameters roleAssignments: [ { @@ -211,7 +211,7 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' "value": "" }, "name": { - "value": "<>...001" + "value": "<>cdesdef001" }, // Non-required parameters "roleAssignments": { From 65e3e89cc061ab26f419c7f2439a3445d1278c38 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 8 Sep 2022 19:19:58 +0200 Subject: [PATCH 3/8] Updated folder default to common. --- .../.test/{default => common}/dependencies.bicep | 0 .../.test/{default => common}/deploy.test.bicep | 0 modules/Microsoft.Compute/diskEncryptionSets/readme.md | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename modules/Microsoft.Compute/diskEncryptionSets/.test/{default => common}/dependencies.bicep (100%) rename modules/Microsoft.Compute/diskEncryptionSets/.test/{default => common}/deploy.test.bicep (100%) 
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep similarity index 100% rename from modules/Microsoft.Compute/diskEncryptionSets/.test/default/dependencies.bicep rename to modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep similarity index 100% rename from modules/Microsoft.Compute/diskEncryptionSets/.test/default/deploy.test.bicep rename to modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md index 6f3df36f8b..c36340580a 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md @@ -164,7 +164,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: The name of each example is based on the name of the file from which it is taken. >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Default

+

Example 1: Common

From c58c341b9959841cd2ab940fec79eadf0ca18f7b Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 9 Sep 2022 12:52:39 +0200 Subject: [PATCH 4/8] Update to latest --- .../diskEncryptionSets/.test/common/deploy.test.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep index a8847b07f3..25a72e0343 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep @@ -10,8 +10,8 @@ param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}- @description('Optional. The location to deploy resources to') param location string = deployment().location -@description('Optional. A short identifier for the kind of deployment .Should be kept short to not run into resource-name length-constraints') -param serviceShort string = 'cdesdef' +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints') +param serviceShort string = 'cdescom' // =========== // // Deployments // From 0597d25b2699ef72727610bcb702e8a7d5dd799f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 9 Sep 2022 13:05:57 +0200 Subject: [PATCH 5/8] Update to latest --- .../diskEncryptionSets/.test/common/deploy.test.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep index 25a72e0343..feaae51157 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep 
@@ -3,14 +3,14 @@ targetScope = 'subscription' // ========== // // Parameters // // ========== // -@description('Optional. The name of the resource group to deploy for a testing purposes') +@description('Optional. The name of the resource group to deploy for a testing purposes.') @maxLength(90) param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' -@description('Optional. The location to deploy resources to') +@description('Optional. The location to deploy resources to.') param location string = deployment().location -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints') +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'cdescom' // =========== // From ee5a0d6f5082af3ebfe28aa967bf0ca268ee9ffc Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 9 Sep 2022 14:18:00 +0200 Subject: [PATCH 6/8] Update to latest --- modules/Microsoft.Compute/diskEncryptionSets/readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md index 46a983bb22..858c819262 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md @@ -173,12 +173,12 @@ The following module usage examples are retrieved from the content of the files ```bicep module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-test-cdesdef' + name: '${uniqueString(deployment().name)}-test-cdescom' params: { // Required parameters keyName: '' keyVaultResourceId: '' - name: '<>cdesdef001' + name: '<>cdescom001' // Non-required parameters roleAssignments: [ { 
@@ -212,7 +212,7 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep' "value": "" }, "name": { - "value": "<>cdesdef001" + "value": "<>cdescom001" }, // Non-required parameters "roleAssignments": { From b5103505ee06e703c9591202927f77c6ef0b7062 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Mon, 19 Sep 2022 08:21:56 +0200 Subject: [PATCH 7/8] Update modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep --- .../diskEncryptionSets/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep index feaae51157..86842f699f 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep @@ -3,7 +3,7 @@ targetScope = 'subscription' // ========== // // Parameters // // ========== // -@description('Optional. The name of the resource group to deploy for a testing purposes.') +@description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' From 7a9ea9ae187f51876a3c814dd34e8ef05a7ad2c4 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 5 Oct 2022 21:54:54 +0200 Subject: [PATCH 8/8] Update to latest --- .../diskEncryptionSets/.test/common/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep index 3029969379..75de19a493 100644 --- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep +++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep 
@@ -38,7 +38,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- } resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Reader-RoleAssignment') + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Reader-RoleAssignment.') scope: keyVault::key properties: { principalId: managedIdentity.properties.principalId
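Review bot: The trailing `.` added inside the guid() seed at `name: guid('...-KeyVault-Reader-RoleAssignment.')` looks like a stray edit rather than a fix: the string is a name seed, not prose, and its only effect is that the role assignment gets a different deterministic name, so redeploying into an environment created with the previous seed would attempt a second assignment for the same principal, role and scope, which Azure rejects as an already existing assignment as far as I can tell. If the name is being touched anyway, the useful change is to make the seed match the role actually bound in the lines that follow (Key Vault Crypto User, not Reader), e.g. `name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Crypto-User-RoleAssignment')`. The keyPermissions resource continues past the end of the hunk.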