diff --git a/modules/Microsoft.Automation/automationAccounts/deploy.bicep b/modules/Microsoft.Automation/automationAccounts/deploy.bicep index aa258ad196..e0ecd96a58 100644 --- a/modules/Microsoft.Automation/automationAccounts/deploy.bicep +++ b/modules/Microsoft.Automation/automationAccounts/deploy.bicep @@ -11,13 +11,13 @@ param location string = resourceGroup().location ]) param skuName string = 'Basic' -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' -@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') param cMKUserAssignedIdentityResourceId string = '' @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') diff --git a/modules/Microsoft.Automation/automationAccounts/readme.md b/modules/Microsoft.Automation/automationAccounts/readme.md index 9f76ebabe0..92e81ecc1c 100644 --- a/modules/Microsoft.Automation/automationAccounts/readme.md +++ b/modules/Microsoft.Automation/automationAccounts/readme.md 
@@ -37,14 +37,19 @@ This module deploys an Azure Automation Account. | :-- | :-- | :-- | | `name` | string | Name of the Automation Account. | +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[DscNodeStatus, JobLogs, JobStreams]` | `[DscNodeStatus, JobLogs, JobStreams]` | The name of logs that will be streamed. | 
diff --git a/modules/Microsoft.Batch/batchAccounts/deploy.bicep b/modules/Microsoft.Batch/batchAccounts/deploy.bicep index 8097d31504..1fe112450b 100644 --- a/modules/Microsoft.Batch/batchAccounts/deploy.bicep +++ b/modules/Microsoft.Batch/batchAccounts/deploy.bicep @@ -90,7 +90,7 @@ param tags object = {} @description('Optional. List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane.') param allowedAuthenticationModes array = [] -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption.') diff --git a/modules/Microsoft.Batch/batchAccounts/readme.md b/modules/Microsoft.Batch/batchAccounts/readme.md index 61def4e0ba..aed3605a35 100644 --- a/modules/Microsoft.Batch/batchAccounts/readme.md +++ b/modules/Microsoft.Batch/batchAccounts/readme.md @@ -32,6 +32,7 @@ | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | `keyVaultReferenceResourceId` | string | `''` | The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. | **Optional parameters** 
@@ -40,7 +41,6 @@ | :-- | :-- | :-- | :-- | :-- | | `allowedAuthenticationModes` | array | `[]` | `[AAD, SharedKey, TaskAuthenticationToken]` | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep index 93aa8495b2..8959773eb3 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep @@ -62,7 +62,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') scope: keyVault::key properties: { principalId: managedIdentity.properties.principalId 
@@ -77,15 +77,9 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Key Vault.') output keyVaultResourceId string = keyVault.id -@description('The vault URI of the created Key Vault.') -output keyVaultUri string = keyVault.properties.vaultUri - @description('The name of the created Key Vault encryption key.') output keyVaultKeyName string = keyVault::key.name -@description('The version of the created Key Vault encryption key.') -output keyVaultKeyVersion string = last(split(keyVault::key.properties.keyUriWithVersion, '/')) - @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep index e43d8bbc4d..bbce780d1a 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep @@ -52,15 +52,9 @@ module testDeployment '../../deploy.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '<>${serviceShort}001' kind: 'SpeechServices' - encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: resourceGroupResources.outputs.managedIdentityClientId - keyName: resourceGroupResources.outputs.keyVaultKeyName - keyVaultUri: resourceGroupResources.outputs.keyVaultUri - keyversion: resourceGroupResources.outputs.keyVaultKeyVersion - } - } + cMKKeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId + cMKKeyName: resourceGroupResources.outputs.keyVaultKeyName + cMKUserAssignedIdentityResourceId: resourceGroupResources.outputs.managedIdentityResourceId publicNetworkAccess: 'Enabled' sku: 'S0' userAssignedIdentities: { 
diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep index 3a39db809f..d73c99145d 100644 --- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -116,8 +116,20 @@ param apiProperties object = {} @description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.') param disableLocalAuth bool = true -@description('Optional. Properties to configure encryption.') -param encryption object = {} +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +param cMKKeyName string = '' + +@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') +param cMKUserAssignedIdentityResourceId string = '' + +@description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.') +param cMKKeyVersion string = '' + +@description('Optional. The flag to enable dynamic throttling.') +param dynamicThrottlingEnabled bool = false @description('Optional. Resource migration token.') param migrationToken string = '' 
@@ -195,7 +207,22 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/')) + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + +resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { + name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { + name: last(split(cMKUserAssignedIdentityResourceId, '/')) + scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) +} + +resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = { name: name kind: kind identity: identity 
@@ -215,11 +242,20 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { allowedFqdnList: allowedFqdnList apiProperties: apiProperties disableLocalAuth: disableLocalAuth - encryption: !empty(encryption) ? encryption : null + encryption: !empty(cMKKeyName) ? { + keySource: 'Microsoft.KeyVault' + keyVaultProperties: { + identityClientId: cMKUserAssignedIdentity.properties.clientId + keyVaultUri: cMKKeyVault.properties.vaultUri + keyName: cMKKeyName + keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/')) + } + } : null migrationToken: !empty(migrationToken) ? migrationToken : null restore: restore restrictOutboundNetworkAccess: restrictOutboundNetworkAccess userOwnedStorage: !empty(userOwnedStorage) ? userOwnedStorage : null + dynamicThrottlingEnabled: dynamicThrottlingEnabled } } diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md index 3dd8adaaa5..5989c79ec3 100644 --- a/modules/Microsoft.CognitiveServices/accounts/readme.md +++ b/modules/Microsoft.CognitiveServices/accounts/readme.md 
@@ -17,7 +17,7 @@ This module deploys different kinds of cognitive services resources | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.CognitiveServices/accounts` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2021-10-01/accounts) | +| `Microsoft.CognitiveServices/accounts` | [2022-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2022-10-01/accounts) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -35,6 +35,8 @@ This module deploys different kinds of cognitive services resources | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | | `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. | | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | @@ -44,6 +46,8 @@ This module deploys different kinds of cognitive services resources | :-- | :-- | :-- | :-- | :-- | | `allowedFqdnList` | array | `[]` | | List of allowed FQDN. | | `apiProperties` | object | `{object}` | | The API properties for special APIs. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[Audit, RequestResponse]` | `[Audit, RequestResponse]` | The name of logs that will be streamed. | 
@@ -53,8 +57,8 @@ This module deploys different kinds of cognitive services resources | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | +| `dynamicThrottlingEnabled` | bool | `False` | | The flag to enable dynamic throttling. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryption` | object | `{object}` | | Properties to configure encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationToken` | string | `''` | | Resource migration token. | @@ -606,16 +610,10 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { kind: 'SpeechServices' name: '<>csaencr001' // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' - encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: '' - keyName: '' - keyVaultUri: '' - keyversion: '' - } - } publicNetworkAccess: 'Enabled' sku: 'S0' userAssignedIdentities: { 
@@ -645,20 +643,18 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "value": "<>csaencr001" }, // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" }, - "encryption": { - "value": { - "keySource": "Microsoft.KeyVault", - "keyVaultProperties": { - "identityClientId": "", - "keyName": "", - "keyVaultUri": "", - "keyversion": "" - } - } - }, "publicNetworkAccess": { "value": "Enabled" }, diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep index 444ce26cce..6cde372515 100644 --- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep @@ -222,7 +222,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource encryptionIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { name: last(split(cMKUserAssignedIdentityResourceId, '/')) scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) } @@ -245,7 +245,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = encryption: !empty(cMKKeyName) ? { status: 'enabled' keyVaultProperties: { - identity: encryptionIdentity.properties.clientId + identity: cMKUserAssignedIdentity.properties.clientId keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion } } : null 
diff --git a/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep b/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep index 60320ffc29..1ce4168d56 100644 --- a/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep +++ b/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep 
@@ -17,38 +17,18 @@ param count int = 1 param sourceResourceId string = '' @description('Optional. Whether to enable auto-scaler.') -@allowed([ - true - false -]) param enableAutoScaling bool = false @description('Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled.') -@allowed([ - true - false -]) param enableEncryptionAtHost bool = false @description('Optional. See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details.') -@allowed([ - true - false -]) param enableFIPS bool = false -@description('Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false.') -@allowed([ - true - false -]) +@description('Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools).') param enableNodePublicIP bool = false @description('Optional. Whether to enable UltraSSD.') -@allowed([ - true - false -]) param enableUltraSSD bool = false @description('Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.') 
diff --git a/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md b/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md index da9dd513c4..3cebb45864 100644 --- a/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md +++ b/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md 
@@ -35,12 +35,12 @@ This module deploys an Agent Pool for a Container Service Managed Cluster | :-- | :-- | :-- | :-- | :-- | | `availabilityZones` | array | `[]` | | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". | | `count` | int | `1` | | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | -| `enableAutoScaling` | bool | `False` | `[False, True]` | Whether to enable auto-scaler. | +| `enableAutoScaling` | bool | `False` | | Whether to enable auto-scaler. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableEncryptionAtHost` | bool | `False` | `[False, True]` | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. | -| `enableFIPS` | bool | `False` | `[False, True]` | See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. | -| `enableNodePublicIP` | bool | `False` | `[False, True]` | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false. | -| `enableUltraSSD` | bool | `False` | `[False, True]` | Whether to enable UltraSSD. 
| +| `enableEncryptionAtHost` | bool | `False` | | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. | +| `enableFIPS` | bool | `False` | | See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. | +| `enableNodePublicIP` | bool | `False` | | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). | +| `enableUltraSSD` | bool | `False` | | Whether to enable UltraSSD. | | `gpuInstanceProfile` | string | `''` | `['', MIG1g, MIG2g, MIG3g, MIG4g, MIG7g]` | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | | `kubeletDiskType` | string | `''` | | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | | `maxCount` | int | `-1` | | The maximum number of nodes for auto-scaling. | diff --git a/modules/Microsoft.DataFactory/factories/deploy.bicep b/modules/Microsoft.DataFactory/factories/deploy.bicep index 7f733d00f2..b5a66b0af8 100644 --- a/modules/Microsoft.DataFactory/factories/deploy.bicep +++ b/modules/Microsoft.DataFactory/factories/deploy.bicep 
@@ -76,7 +76,7 @@ param userAssignedIdentities object = {} @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption.') @@ -85,7 +85,7 @@ param cMKKeyName string = '' @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' -@description('Optional. User assigned identity to use when fetching the customer managed key.') +@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') param cMKUserAssignedIdentityResourceId string = '' @description('Optional. The name of logs that will be streamed.') diff --git a/modules/Microsoft.DataFactory/factories/readme.md b/modules/Microsoft.DataFactory/factories/readme.md index 08bf39c2e5..e2a740ac09 100644 --- a/modules/Microsoft.DataFactory/factories/readme.md +++ b/modules/Microsoft.DataFactory/factories/readme.md 
@@ -30,14 +30,19 @@ | :-- | :-- | :-- | | `name` | string | The name of the Azure Factory to create. | +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| | `diagnosticLogCategoriesToEnable` | array | `[ActivityRuns, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` | `[ActivityRuns, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` | The name of logs that will be streamed. | diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index e67a1331ab..e8ab19accf 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep @@ -15,10 +15,6 @@ param publicNetworkAccess string = 'Enabled' @description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.') param defaultAction string = 'Allow' -@allowed([ - true - false -]) @description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".') param trustedServiceAccessEnabled bool = true diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md index a22e0398c7..d4bbf1427b 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md 
@@ -31,7 +31,7 @@ This module deploys EventHub Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | -| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | +| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | | `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep index bdb1c9b0f7..ffc6d4d515 100644 --- a/modules/Microsoft.KeyVault/vaults/deploy.bicep +++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep 
@@ -19,24 +19,12 @@ param secrets object = {} param keys array = [] @description('Optional. Specifies if the vault is enabled for deployment by script or compute.') -@allowed([ - true - false -]) param enableVaultForDeployment bool = true @description('Optional. Specifies if the vault is enabled for a template deployment.') -@allowed([ - true - false -]) param enableVaultForTemplateDeployment bool = true @description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.') -@allowed([ - true - false -]) param enableVaultForDiskEncryption bool = true @description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.') diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md index f7fecfaa16..6fd4fdb82c 100644 --- a/modules/Microsoft.KeyVault/vaults/readme.md +++ b/modules/Microsoft.KeyVault/vaults/readme.md 
@@ -50,9 +50,9 @@ This module deploys a key vault and its child resources. | `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. | | `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. | -| `enableVaultForDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for deployment by script or compute. | -| `enableVaultForDiskEncryption` | bool | `True` | `[False, True]` | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | -| `enableVaultForTemplateDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for a template deployment. | +| `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute. | +| `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | +| `enableVaultForTemplateDeployment` | bool | `True` | | Specifies if the vault is enabled for a template deployment. | | `keys` | _[keys](keys/readme.md)_ array | `[]` | | All keys to create. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | 
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 4fa6c0d032..9481de7a34 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -115,7 +115,7 @@ param description string = '' @sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.') param discoveryUrl string = '' -@sys.description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@sys.description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @sys.description('Optional. The name of the customer managed key to use for encryption.') diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md index 48a6bce26f..65c0041a85 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -38,6 +38,7 @@ This module deploys a Machine Learning Services Workspace. | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | @@ -49,7 +50,6 @@ This module deploys a Machine Learning Services Workspace. | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | 
diff --git a/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep b/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep index d3e15bb133..0d5022f98b 100644 --- a/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep +++ b/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep @@ -26,10 +26,6 @@ param skuTier string = 'Standard' param skuFamily string = 'MeteredData' @description('Optional. Enabled BGP peering type for the Circuit.') -@allowed([ - true - false -]) param peering bool = false @description('Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.') diff --git a/modules/Microsoft.Network/expressRouteCircuits/readme.md b/modules/Microsoft.Network/expressRouteCircuits/readme.md index 7cc4058a25..8f049cdb3f 100644 --- a/modules/Microsoft.Network/expressRouteCircuits/readme.md +++ b/modules/Microsoft.Network/expressRouteCircuits/readme.md 
@@ -46,7 +46,7 @@ This template deploys an express route circuit. | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `peerASN` | int | `0` | | The autonomous system number of the customer/connectivity provider. | -| `peering` | bool | `False` | `[False, True]` | Enabled BGP peering type for the Circuit. | +| `peering` | bool | `False` | | Enabled BGP peering type for the Circuit. | | `peeringType` | string | `'AzurePrivatePeering'` | `[AzurePrivatePeering, MicrosoftPeering]` | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | | `primaryPeerAddressPrefix` | string | `''` | | A /30 subnet used to configure IP addresses for interfaces on Link1. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 286731fea5..18d9602528 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -86,7 +86,7 @@ param queues array = [] @description('Optional. The topics to create in the service bus namespace.') param topics array = [] -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.') diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index ad06f2dc65..046d022e12 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -17,10 +17,6 @@ param publicNetworkAccess string = 'Enabled' @description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.') param defaultAction string = 'Allow' -@allowed([ - true - false -]) @description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".') param trustedServiceAccessEnabled bool = true diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 9b9aa8a5a7..dc75d76f25 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
@@ -31,7 +31,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | -| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | +| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | | `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md index a7d28da9bd..9fa4821b21 100644 --- a/modules/Microsoft.ServiceBus/namespaces/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/readme.md 
@@ -37,13 +37,18 @@ This module deploys a service bus namespace resource. | :-- | :-- | :-- | | `name` | string | Name of the Service Bus Namespace. | +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus namespace. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep index cb3c0ffc81..a781d8b828 100644 --- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -135,7 +135,7 @@ param diagnosticMetricsToEnable array = [ 'Transaction' ] -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md index f76689cd74..9dc4d70b92 100644 --- a/modules/Microsoft.Storage/storageAccounts/readme.md +++ b/modules/Microsoft.Storage/storageAccounts/readme.md @@ -44,6 +44,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | **Optional parameters** 
@@ -54,7 +55,6 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Provides the identity based authentication settings for Azure Files. | | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Blob service and containers to deploy. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | diff --git a/modules/Microsoft.Synapse/workspaces/deploy.bicep b/modules/Microsoft.Synapse/workspaces/deploy.bicep index a75c4783ba..7deb290a22 100644 --- a/modules/Microsoft.Synapse/workspaces/deploy.bicep +++ b/modules/Microsoft.Synapse/workspaces/deploy.bicep 
@@ -27,7 +27,7 @@ param defaultDataLakeStorageCreateManagedPrivateEndpoint bool = false @description('Optional. Double encryption using a customer-managed key.') param encryption bool = false -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' @description('Optional. The name of the customer managed key to use for encryption.') diff --git a/modules/Microsoft.Synapse/workspaces/readme.md b/modules/Microsoft.Synapse/workspaces/readme.md index a16196f680..78b76ec7da 100644 --- a/modules/Microsoft.Synapse/workspaces/readme.md +++ b/modules/Microsoft.Synapse/workspaces/readme.md @@ -34,6 +34,12 @@ This module deploys a Synapse Workspace. | `name` | string | The name of the Synapse Workspace. | | `sqlAdministratorLogin` | string | Login for administrator access to the workspace's SQL pools. | +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | 
@@ -41,7 +47,6 @@ This module deploys a Synapse Workspace. | `allowedAadTenantIdsForLinking` | array | `[]` | | Allowed AAD Tenant IDs For Linking. | | `azureADOnlyAuthentication` | bool | `False` | | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKUserAssignedIdentityResourceId` | string | `''` | | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | | `cMKUseSystemAssignedIdentity` | bool | `False` | | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | | `defaultDataLakeStorageCreateManagedPrivateEndpoint` | bool | `False` | | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. |
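Review bot: In the Microsoft.Automation/automationAccounts/deploy.bicep hunk the description of `cMKUserAssignedIdentityResourceId` goes from "If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first." to "Required if 'cMKKeyName' is not empty.", which is a contract change, not just a relabel, and the hunk shows no matching change to the encryption/identity block that would enforce it. If the template still falls back to the system-assigned identity, the new text is wrong; if it now requires the user-assigned identity, callers who relied on the fallback will break and that should be called out in the PR. Note also that the same parameter keeps the old fallback wording and stays under Optional in the Microsoft.MachineLearningServices/workspaces and Microsoft.ServiceBus/namespaces readmes, so either the behaviour genuinely differs per module or the wording is now inconsistent across modules.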
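Review bot: The `cMKKeyVaultResourceId` hunks (Automation, MachineLearningServices, ServiceBus, Storage, Synapse deploy.bicep) only change the `@description` to "Conditional ... Required if 'cMKKeyName' is not empty."; none of them add a guard, so a deployment that sets `cMKKeyName` but leaves `cMKKeyVaultResourceId` empty will still only fail deep in the encryption resource with an unhelpful error. Consider making the dependency explicit in the template (building the key vault reference only when both values are non-empty and failing early otherwise) so the documented condition is actually enforced. For Synapse specifically, the readme context shows `encryption`, `cMKUseSystemAssignedIdentity` and `cMKUserAssignedIdentityResourceId` alongside `cMKKeyName`; if one of the two identity switches is needed whenever a key is set, those belong in the new Conditional table too rather than staying Optional.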
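Review bot: Dropping `@allowed([ true false ])` on `bool` parameters (EventHub and ServiceBus networkRuleSets `trustedServiceAccessEnabled`, KeyVault `enableVaultForDeployment`/`enableVaultForTemplateDeployment`/`enableVaultForDiskEncryption`, ExpressRoute `peering`) is correct since the type already constrains the value, and the readme "Allowed Values" cells are cleared consistently. Two adjacent wording problems are visible in the ExpressRoute readme hunk and worth fixing in the same pass: `peering` is described as "Enabled BGP peering type for the Circuit." although it is an on/off switch (the type lives in `peeringType`), so "Enable BGP peering for the circuit." reads correctly; and the `peeringType` description offers "AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering" while its allowed values are `[AzurePrivatePeering, MicrosoftPeering]`, so one of the two is stale.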
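Review bot: In the Microsoft.ServiceBus/namespaces/readme.md hunk the context row for `authorizationRules` shows a default of `[System.Management.Automation.OrderedHashtable]`, which is the PowerShell type name leaking out of the readme generator rather than the actual default; since this readme is being regenerated anyway, please render the real default (or `[]`/`{object}` as the other modules do). Separately, the KeyVault readme hunk still carries "warning: this is a preview feature" on `enableRbacAuthorization`, which is stale now that RBAC data-plane authorization is generally available, and the three `enableVaultFor*` switches whose `@allowed` decorators are removed all default to `True`, i.e. Azure VMs, Resource Manager and the disk-encryption service can read secrets by default; that is pre-existing, but the descriptions could say so explicitly so consumers know they are opting in to platform access rather than toggling a harmless flag.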