diff --git a/.github/workflows/ms.network.privateendpoints.yml b/.github/workflows/ms.network.privateendpoints.yml index b1840b91c2..4515318760 100644 --- a/.github/workflows/ms.network.privateendpoints.yml +++ b/.github/workflows/ms.network.privateendpoints.yml @@ -106,8 +106,7 @@ jobs: - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' + templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' diff --git a/modules/Microsoft.Network/privateEndpoints/.test/common/dependencies.bicep b/modules/Microsoft.Network/privateEndpoints/.test/common/dependencies.bicep new file mode 100644 index 0000000000..eae35bc03e --- /dev/null +++ b/modules/Microsoft.Network/privateEndpoints/.test/common/dependencies.bicep 
@@ -0,0 +1,82 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.vaultcore.azure.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/Microsoft.Network/privateEndpoints/.test/common/deploy.test.bicep b/modules/Microsoft.Network/privateEndpoints/.test/common/deploy.test.bicep
new file mode 100644
index 0000000000..c681744e8b
--- /dev/null
+++ b/modules/Microsoft.Network/privateEndpoints/.test/common/deploy.test.bicep
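Review bot: The Key Vault in this test dependency is created with `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` all set to `true`, which lets Azure VMs, Disk Encryption and Resource Manager read the vault's contents, yet the test only consumes `keyVault.id` as the private-link target. Dropping those three properties (or setting them to `false`) keeps the throw-away vault at least privilege without affecting the test; `min/dependencies.bicep` in this commit has the same block. `enablePurgeProtection: null` looks deliberate so the vault can be purged on cleanup, but it reads as a leftover — a comment such as `// Purge protection intentionally left off so the test vault can be purged after the run` would make the intent explicit (assuming the cleanup step does purge; verify against the pipeline). The vault also sets no `networkAcls`/`publicNetworkAccess`, so it keeps the service default and this test exercises private endpoint creation only, not that the vault is reachable solely through it.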
@@ -0,0 +1,66 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.network.privateendpoints-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'npecom'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ keyVaultName: 'dep-<>-kv-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ groupIds: [
+ 'vault'
+ ]
+ serviceResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ subnetResourceId: resourceGroupResources.outputs.subnetResourceId
+ lock: 'CanNotDelete'
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [
+ resourceGroupResources.outputs.privateDNSZoneResourceId
+ ]
+ }
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ }
+}
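Review bot: The `roleAssignments` entry grants `Reader` to an identity created in the same deployment via `resourceGroupResources.outputs.managedIdentityPrincipalId`; role assignments for a freshly created identity can fail intermittently because of directory replication delay unless the assignment carries `principalType: 'ServicePrincipal'`, so if the module's role-assignment parameter accepts that property (`deploy.bicep` itself is not in this diff) it should be added next to `roleDefinitionIdOrName`. The Key Vault name `dep-<>-kv-${serviceShort}` is deterministic while Key Vault soft delete is on by default, so if the cleanup step deletes without purging, the next run of this test (and of `min/deploy.test.bicep`, which uses the same pattern) fails on name reuse until the soft-deleted vault expires. Key Vault names are also limited to 24 characters, so whatever the pipeline substitutes for the `<>` token must stay within 10 characters for `dep-<>-kv-npecom` to fit; a comment on `keyVaultName` stating that constraint would save a confusing deployment failure.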
diff --git a/modules/Microsoft.Network/privateEndpoints/.test/min.parameters.json b/modules/Microsoft.Network/privateEndpoints/.test/min.parameters.json
deleted file mode 100644
index aa3ea8eba2..0000000000
--- a/modules/Microsoft.Network/privateEndpoints/.test/min.parameters.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-pe-kvlt-min-001"
- },
- "subnetResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
- },
- "serviceResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
- },
- "groupIds": {
- "value": [
- "vault"
- ]
- }
- }
-}
diff --git a/modules/Microsoft.Network/privateEndpoints/.test/min/dependencies.bicep b/modules/Microsoft.Network/privateEndpoints/.test/min/dependencies.bicep
new file mode 100644
index 0000000000..ad2ed286f2
--- /dev/null
+++ b/modules/Microsoft.Network/privateEndpoints/.test/min/dependencies.bicep
@@ -0,0 +1,52 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
diff --git a/modules/Microsoft.Network/privateEndpoints/.test/min/deploy.test.bicep b/modules/Microsoft.Network/privateEndpoints/.test/min/deploy.test.bicep
new file mode 100644
index 0000000000..724cde73ae
--- /dev/null
+++ b/modules/Microsoft.Network/privateEndpoints/.test/min/deploy.test.bicep
@@ -0,0 +1,51 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.network.privateendpoints-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'npemin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ keyVaultName: 'dep-<>-kv-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ groupIds: [
+ 'vault'
+ ]
+ serviceResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ subnetResourceId: resourceGroupResources.outputs.subnetResourceId
+ }
+}
diff --git a/modules/Microsoft.Network/privateEndpoints/.test/parameters.json b/modules/Microsoft.Network/privateEndpoints/.test/parameters.json
deleted file mode 100644
index b6cadbed92..0000000000
--- a/modules/Microsoft.Network/privateEndpoints/.test/parameters.json
+++ /dev/null
@@ -1,40 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-pe-kvlt-001" - }, - "lock": { - "value": "CanNotDelete" - }, - "subnetResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" - }, - "serviceResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" - }, - "groupIds": { - "value": [ - "vault" - ] - }, - "privateDnsZoneGroup": { - "value": { - "privateDNSResourceIds": [ - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" - ] - } - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ] - } - } -} diff --git a/modules/Microsoft.Network/privateEndpoints/readme.md b/modules/Microsoft.Network/privateEndpoints/readme.md index 16798e0db2..a11d2152ca 100644 --- a/modules/Microsoft.Network/privateEndpoints/readme.md +++ b/modules/Microsoft.Network/privateEndpoints/readme.md @@ -172,7 +172,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Min

+

Example 1: Common

@@ -180,15 +180,30 @@ The following module usage examples are retrieved from the content of the files ```bicep module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-PrivateEndpoints' + name: '${uniqueString(deployment().name)}-test-npecom' params: { // Required parameters groupIds: [ 'vault' ] - name: '<>-az-pe-kvlt-min-001' - serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe' - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + name: '<>npecom001' + serviceResourceId: '' + subnetResourceId: '' + // Non-required parameters + lock: 'CanNotDelete' + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + roleAssignments: [ + { + principalIds: [ + '' + ] + roleDefinitionIdOrName: 'Reader' + } + ] } } ``` @@ -212,13 +227,34 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { ] }, "name": { - "value": "<>-az-pe-kvlt-min-001" + "value": "<>npecom001" }, "serviceResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" + "value": "" }, "subnetResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + "value": "" + }, + // Non-required parameters + "lock": { + "value": "CanNotDelete" + }, + "privateDnsZoneGroup": { + "value": { + "privateDNSResourceIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "roleDefinitionIdOrName": "Reader" + } + ] } } } @@ -227,7 +263,7 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = {

-

Example 2: Parameters

+

Example 2: Min

@@ -235,30 +271,15 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { ```bicep module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-PrivateEndpoints' + name: '${uniqueString(deployment().name)}-test-npemin' params: { // Required parameters groupIds: [ 'vault' ] - name: '<>-az-pe-kvlt-001' - serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe' - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - // Non-required parameters - lock: 'CanNotDelete' - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net' - ] - } - roleAssignments: [ - { - principalIds: [ - '<>' - ] - roleDefinitionIdOrName: 'Reader' - } - ] + name: '<>npemin001' + serviceResourceId: '' + subnetResourceId: '' } } ``` 
@@ -282,34 +303,13 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { ] }, "name": { - "value": "<>-az-pe-kvlt-001" + "value": "<>npemin001" }, "serviceResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" + "value": "" }, "subnetResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" - }, - // Non-required parameters - "lock": { - "value": "CanNotDelete" - }, - "privateDnsZoneGroup": { - "value": { - "privateDNSResourceIds": [ - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "<>" - ], - "roleDefinitionIdOrName": "Reader" - } - ] + "value": "" } } }