From 648aa13a3af7c42e87f676473c9898011168a854 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 14 Oct 2022 08:38:53 +0000 Subject: [PATCH] commit --- .../workflows/ms.servicebus.namespaces.yml | 3 +- .../.test/common/dependencies.bicep | 61 +++ .../namespaces/.test/common/deploy.test.bicep | 192 ++++++++++ .../namespaces/.test/encr/dependencies.bicep | 88 +++++ .../namespaces/.test/encr/deploy.test.bicep | 106 ++++++ .../namespaces/.test/min.parameters.json | 9 - .../namespaces/.test/min/deploy.test.bicep | 37 ++ .../namespaces/.test/parameters.json | 184 --------- .../namespaces/.test/pe.parameters.json | 25 -- .../namespaces/.test/pe/dependencies.bicep | 47 +++ .../namespaces/.test/pe/deploy.test.bicep | 57 +++ .../Microsoft.ServiceBus/namespaces/readme.md | 355 +++++++++++++----- 12 files changed, 845 insertions(+), 319 deletions(-) create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/common/dependencies.bicep create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/common/deploy.test.bicep create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/encr/dependencies.bicep create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/encr/deploy.test.bicep delete mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/min.parameters.json create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/min/deploy.test.bicep delete mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/parameters.json delete mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/pe.parameters.json create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/pe/dependencies.bicep create mode 100644 modules/Microsoft.ServiceBus/namespaces/.test/pe/deploy.test.bicep diff --git a/.github/workflows/ms.servicebus.namespaces.yml b/.github/workflows/ms.servicebus.namespaces.yml index db2358ad0a..82458e9eff 100644 --- a/.github/workflows/ms.servicebus.namespaces.yml 
+++ b/.github/workflows/ms.servicebus.namespaces.yml @@ -106,8 +106,7 @@ jobs: - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' + templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/common/dependencies.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/common/dependencies.bicep new file mode 100644 index 0000000000..3f8f9b1c52 --- /dev/null +++ b/modules/Microsoft.ServiceBus/namespaces/.test/common/dependencies.bicep 
@@ -0,0 +1,61 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/common/deploy.test.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/common/deploy.test.bicep
new file mode 100644
index 0000000000..40ea112433
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/common/deploy.test.bicep
@@ -0,0 +1,192 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbncom'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep<>diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ lock: 'CanNotDelete'
+ skuName: 'Premium'
+ tags: {
+ 'test': 'true'
+ }
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ trustedServiceAccessEnabled: true
+ virtualNetworkRules: [
+ {
+ subnet: {
+ ignoreMissingVnetServiceEndpoint: true
+ id: resourceGroupResources.outputs.subnetResourceId
+ }
+ }
+ ]
+ ipRules: [
+ {
+ ipMask: '10.0.1.0/32'
+ action: 'Allow'
+ }
+ {
+ ipMask: '10.0.2.0/32'
+ action: 'Allow'
+ }
+ ]
+ }
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ queues: [
+ {
+ name: '<>${serviceShort}q001'
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ }
+ ]
+ topics: [
+ {
+ name: '<>${serviceShort}t001'
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ }
+ ]
+ diagnosticLogsRetentionInDays: 7
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ privateEndpoints: [
+ {
+ service: 'namespace'
+ subnetResourceId: resourceGroupResources.outputs.subnetResourceId
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [
+ resourceGroupResources.outputs.privateDNSZoneResourceId
+ ]
+ }
+ }
+ ]
+ systemAssignedIdentity: true
+ userAssignedIdentities: {
+ '${resourceGroupResources.outputs.managedIdentityResourceId}': {}
+ }
+ }
+}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/encr/dependencies.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/encr/dependencies.bicep
new file mode 100644
index 0000000000..e3283a67bb
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/encr/dependencies.bicep
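Review bot: The `virtualNetworkRules` entry sets `ignoreMissingVnetServiceEndpoint: true`, and the `defaultSubnet` created in this test's dependencies.bicep declares no service endpoints, so the rule is accepted without the subnet being able to use it and the test likely never exercises a working VNet rule behind `defaultAction: 'Deny'`. Because the readme usage examples are generated from this file, readers are likely to copy the flag as-is. Consider adding `serviceEndpoints: [ { service: 'Microsoft.ServiceBus' } ]` to the subnet properties in dependencies.bicep and setting `ignoreMissingVnetServiceEndpoint: false` here; the same combination appears in encr/deploy.test.bicep. Separately, the `ipRules` masks `10.0.1.0/32` and `10.0.2.0/32` are private addresses, which as far as I know the namespace IP firewall does not match, so a comment marking them as placeholders would help.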
@@ -0,0 +1,88 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: true // Required by service bus namespace
+ softDeleteRetentionInDays: 7
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+
+ resource key 'keys@2022-07-01' = {
+ name: 'keyEncryptionKey'
+ properties: {
+ kty: 'RSA'
+ }
+ }
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
+ scope: keyVault::key
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ // Key Vault Crypto User
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
+ principalType: 'ServicePrincipal'
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The name of the created encryption key.')
+output keyName string = keyVault::key.name
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/encr/deploy.test.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/encr/deploy.test.bicep
new file mode 100644
index 0000000000..211ebfedb8
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/encr/deploy.test.bicep
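Review bot: The Key Vault in this hunk sets `enabledForTemplateDeployment: true`, `enabledForDiskEncryption: true` and `enabledForDeployment: true`, none of which the customer-managed-key test appears to need, and each one opens the vault to another class of Azure service. Setting all three to `false` (or omitting them) keeps the fixture down to what the inline comment says is required, purge protection. The role assignment is well scoped to `keyVault::key`, but its name seed says `Key-Reader` while the comment names Key Vault Crypto User; it is worth checking whether the narrower built-in Key Vault Crypto Service Encryption User role is enough for the namespace's wrap/unwrap use. The key also sets only `kty: 'RSA'`, so an explicit `keySize` would make the example's key strength visible rather than left to the service default.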
@@ -0,0 +1,106 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbnencr'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep-<>-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ skuName: 'Premium'
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ trustedServiceAccessEnabled: true
+ virtualNetworkRules: [
+ {
+ subnet: {
+ ignoreMissingVnetServiceEndpoint: true
+ id: resourceGroupResources.outputs.subnetResourceId
+ }
+ }
+ ]
+ ipRules: [
+ {
+ ipMask: '10.0.1.0/32'
+ action: 'Allow'
+ }
+ {
+ ipMask: '10.0.2.0/32'
+ action: 'Allow'
+ }
+ ]
+ }
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ systemAssignedIdentity: false
+ userAssignedIdentities: {
+ '${resourceGroupResources.outputs.managedIdentityResourceId}': {}
+ }
+ cMKKeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ cMKKeyName: resourceGroupResources.outputs.keyName
+ cMKUserAssignedIdentityResourceId: resourceGroupResources.outputs.managedIdentityResourceId
+ }
+}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/min.parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/min.parameters.json
deleted file mode 100644
index fb97a21930..0000000000
--- a/modules/Microsoft.ServiceBus/namespaces/.test/min.parameters.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-sbn-min-001"
- }
- }
-}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/min/deploy.test.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/min/deploy.test.bicep
new file mode 100644
index 0000000000..a090bd8992
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/min/deploy.test.bicep
@@ -0,0 +1,37 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbnmin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ }
+}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
deleted file mode 100644
index 88e91ebcd2..0000000000
--- a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
+++ /dev/null
@@ -1,184 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-sbn-x-002"
- },
- "lock": {
- "value": "CanNotDelete"
- },
- "skuName": {
- "value": "Premium"
- },
- "tags": {
- "value": {}
- },
- "roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ]
- },
- "disasterRecoveryConfigs": {
- "value": {}
- },
- "migrationConfigurations": {
- "value": {}
- },
- "networkRuleSets": {
- "value": {
- "defaultAction": "Deny",
- "trustedServiceAccessEnabled": true,
- "virtualNetworkRules": [
- {
- "ignoreMissingVnetServiceEndpoint": true,
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003"
- }
- ],
- "ipRules": [
- {
- "ipMask": "10.0.1.0/32",
- "action": "Allow"
- },
- {
- "ipMask": "10.0.2.0/32",
- "action": "Allow"
- }
- ]
- }
- },
- "authorizationRules": {
- "value": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ]
- },
- "queues": {
- "value": [
- {
- "name": "<>-az-sbq-x-002",
- "roleAssignments": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ],
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ]
- }
- ]
- },
- "topics": {
- "value": [
- {
- "name": "<>-az-sbt-x-001",
- "roleAssignments": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ],
- "authorizationRules": [
- {
- "name": "RootManageSharedAccessKey",
- "rights": [
- "Listen",
- "Manage",
- "Send"
- ]
- },
- {
- "name": "AnotherKey",
- "rights": [
- "Listen",
- "Send"
- ]
- }
- ]
- }
- ]
- },
- "diagnosticLogsRetentionInDays": {
- "value": 7
- },
- "diagnosticStorageAccountId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
- },
- "diagnosticWorkspaceId": {
- "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
- },
- "diagnosticEventHubName": {
- "value": "adp-<>-az-evh-x-001"
- },
- "systemAssignedIdentity": {
- "value": true
- },
- "userAssignedIdentities": {
- "value": {
- "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
- }
- },
- "privateEndpoints": {
- "value": [
- {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
- "service": "namespace",
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net"
- ]
- }
- }
- ]
- },
- "cMKUserAssignedIdentityResourceId": {
- "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
- },
- "cMKKeyName": {
- "value": "keyEncryptionKey"
- },
- "cMKKeyVaultResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002"
- }
- }
-}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/pe.parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/pe.parameters.json
deleted file mode 100644
index 66beb6fac9..0000000000
--- a/modules/Microsoft.ServiceBus/namespaces/.test/pe.parameters.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-sbn-pe-001"
- },
- "skuName": {
- "value": "Premium"
- },
- "privateEndpoints": {
- "value": [
- {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
- "service": "namespace",
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net"
- ]
- }
- }
- ]
- }
- }
-}
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/pe/dependencies.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/pe/dependencies.bicep
new file mode 100644
index 0000000000..711d47f7ee
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/pe/dependencies.bicep
@@ -0,0 +1,47 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/pe/deploy.test.bicep b/modules/Microsoft.ServiceBus/namespaces/.test/pe/deploy.test.bicep
new file mode 100644
index 0000000000..833ba8bbb3
--- /dev/null
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/pe/deploy.test.bicep
@@ -0,0 +1,57 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbnpe'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ skuName: 'Premium'
+ privateEndpoints: [
+ {
+ service: 'namespace'
+ subnetResourceId: resourceGroupResources.outputs.subnetResourceId
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [
+ resourceGroupResources.outputs.privateDNSZoneResourceId
+ ]
+ }
+ }
+ ]
+ }
+}
diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md
index 703282adf5..ecb510cfa4 100644
--- a/modules/Microsoft.ServiceBus/namespaces/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/readme.md
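Review bot: The private-endpoint test in pe/deploy.test.bicep passes `privateEndpoints` but no `networkRuleSets`, so unless deploy.bicep (not part of this diff) denies public traffic by default, the namespace in this example stays reachable over its public endpoint alongside the private one. Since this file becomes the published "PE" usage example, consider adding `networkRuleSets: { defaultAction: 'Deny' }` to the `testDeployment` params so the example shows the private endpoint as the only network path. A one-line comment above `privateEndpoints` stating that the zone `privatelink.servicebus.windows.net` must be linked to the consuming VNet (as dependencies.bicep does) would also help readers who copy the block.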
@@ -347,7 +347,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Min

+

Example 1: Common

@@ -355,47 +355,10 @@ The following module usage examples are retrieved from the content of the files ```bicep module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-Namespaces' - params: { - name: '<>-az-sbn-min-001' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-sbn-min-001" - } - } -} -``` - -
-

- -

Example 2: Parameters

- -
- -via Bicep module - -```bicep -module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-Namespaces' + name: '${uniqueString(deployment().name)}-test-sbncom' params: { // Required parameters - name: '<>-az-sbn-x-002' + name: '<>sbncom001' // Non-required parameters authorizationRules: [ { @@ -414,17 +377,12 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ] } ] - cMKKeyName: 'keyEncryptionKey' - cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' - cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' - diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' - diagnosticEventHubName: 'adp-<>-az-evh-x-001' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' - disasterRecoveryConfigs: {} + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' lock: 'CanNotDelete' - migrationConfigurations: {} networkRuleSets: { defaultAction: 'Deny' ipRules: [ 
@@ -440,8 +398,10 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { trustedServiceAccessEnabled: true virtualNetworkRules: [ { - ignoreMissingVnetServiceEndpoint: true - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003' + subnet: { + id: '' + ignoreMissingVnetServiceEndpoint: true + } } ] } @@ -449,11 +409,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net' + '' ] } service: 'namespace' - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + subnetResourceId: '' } ] queues: [ @@ -475,11 +435,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ] } ] - name: '<>-az-sbq-x-002' + name: '<>sbncomq001' roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } @@ -489,14 +449,16 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } ] skuName: 'Premium' systemAssignedIdentity: true - tags: {} + tags: { + test: 'true' + } topics: [ { authorizationRules: [ @@ -516,11 +478,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ] } ] - name: '<>-az-sbt-x-001' + name: '<>sbncomt001' roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } @@ -528,7 +490,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] userAssignedIdentities: { - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + '': {} } } } 
@@ -548,7 +510,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "parameters": { // Required parameters "name": { - "value": "<>-az-sbn-x-002" + "value": "<>sbncom001" }, // Non-required parameters "authorizationRules": { @@ -570,39 +532,24 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] }, - "cMKKeyName": { - "value": "keyEncryptionKey" - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - }, "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + "value": "" }, "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" + "value": "" }, "diagnosticLogsRetentionInDays": { "value": 7 }, "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + "value": "" }, "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" - }, - "disasterRecoveryConfigs": { - "value": {} + "value": "" }, "lock": { "value": "CanNotDelete" }, - "migrationConfigurations": { - "value": {} - }, "networkRuleSets": { "value": { "defaultAction": "Deny", 
@@ -619,8 +566,10 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "trustedServiceAccessEnabled": true, "virtualNetworkRules": [ { - "ignoreMissingVnetServiceEndpoint": true, - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003" + "subnet": { + "id": "", + "ignoreMissingVnetServiceEndpoint": true + } } ] } @@ -630,11 +579,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net" + "" ] }, "service": "namespace", - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + "subnetResourceId": "" } ] }, @@ -658,11 +607,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ] } ], - "name": "<>-az-sbq-x-002", + "name": "<>sbncomq001", "roleAssignments": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } @@ -674,7 +623,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "value": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } @@ -687,7 +636,9 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "value": true }, "tags": { - "value": {} + "value": { + "test": "true" + } }, "topics": { "value": [ @@ -709,11 +660,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ] } ], - "name": "<>-az-sbt-x-001", + "name": "<>sbncomt001", "roleAssignments": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } 
@@ -723,7 +674,176 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
 },
 "userAssignedIdentities": {
 "value": {
- "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
+ "": {}
+ }
+ }
+ }
+}
+```
+
+
+

+ +

Example 2: Encr

+ +
+
+via Bicep module
+
+```bicep
+module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-sbnencr'
+ params: {
+ // Required parameters
+ name: '<>sbnencr001'
+ // Non-required parameters
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ cMKKeyName: ''
+ cMKKeyVaultResourceId: ''
+ cMKUserAssignedIdentityResourceId: ''
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ ipRules: [
+ {
+ action: 'Allow'
+ ipMask: '10.0.1.0/32'
+ }
+ {
+ action: 'Allow'
+ ipMask: '10.0.2.0/32'
+ }
+ ]
+ trustedServiceAccessEnabled: true
+ virtualNetworkRules: [
+ {
+ subnet: {
+ id: ''
+ ignoreMissingVnetServiceEndpoint: true
+ }
+ }
+ ]
+ }
+ roleAssignments: [
+ {
+ principalIds: [
+ ''
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ skuName: 'Premium'
+ systemAssignedIdentity: false
+ userAssignedIdentities: {
+ '': {}
+ }
+ }
+}
+```
+
+
+

+ +

+
+via JSON Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Required parameters
+ "name": {
+ "value": "<>sbnencr001"
+ },
+ // Non-required parameters
+ "authorizationRules": {
+ "value": [
+ {
+ "name": "RootManageSharedAccessKey",
+ "rights": [
+ "Listen",
+ "Manage",
+ "Send"
+ ]
+ },
+ {
+ "name": "AnotherKey",
+ "rights": [
+ "Listen",
+ "Send"
+ ]
+ }
+ ]
+ },
+ "cMKKeyName": {
+ "value": ""
+ },
+ "cMKKeyVaultResourceId": {
+ "value": ""
+ },
+ "cMKUserAssignedIdentityResourceId": {
+ "value": ""
+ },
+ "networkRuleSets": {
+ "value": {
+ "defaultAction": "Deny",
+ "ipRules": [
+ {
+ "action": "Allow",
+ "ipMask": "10.0.1.0/32"
+ },
+ {
+ "action": "Allow",
+ "ipMask": "10.0.2.0/32"
+ }
+ ],
+ "trustedServiceAccessEnabled": true,
+ "virtualNetworkRules": [
+ {
+ "subnet": {
+ "id": "",
+ "ignoreMissingVnetServiceEndpoint": true
+ }
+ }
+ ]
+ }
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "principalIds": [
+ ""
+ ],
+ "roleDefinitionIdOrName": "Reader"
+ }
+ ]
+ },
+ "skuName": {
+ "value": "Premium"
+ },
+ "systemAssignedIdentity": {
+ "value": false
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "": {}
 }
 }
 }
@@ -733,7 +853,44 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {

-

Example 3: Pe

+

Example 3: Min

+ +
+
+via Bicep module
+
+```bicep
+module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-sbnmin'
+ params: {
+ name: '<>sbnmin001'
+ }
+}
+```
+
+
+

+ +

+
+via JSON Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>sbnmin001"
+ }
+ }
+}
+```
+
+
+

+ +

Example 4: Pe

@@ -741,20 +898,20 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { ```bicep module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-Namespaces' + name: '${uniqueString(deployment().name)}-test-sbnpe' params: { // Required parameters - name: '<>-az-sbn-pe-001' + name: '<>sbnpe001' // Non-required parameters privateEndpoints: [ { privateDnsZoneGroup: { privateDNSResourceIds: [ - '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net' + '' ] } service: 'namespace' - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + subnetResourceId: '' } ] skuName: 'Premium' @@ -776,7 +933,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "parameters": { // Required parameters "name": { - "value": "<>-az-sbn-pe-001" + "value": "<>sbnpe001" }, // Non-required parameters "privateEndpoints": { @@ -784,11 +941,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net" + "" ] }, "service": "namespace", - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + "subnetResourceId": "" } ] },