From f5eb874ad2ddef4b7d7c4d13863279bfea878311 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 28 Oct 2022 07:56:54 +0200 Subject: [PATCH 01/12] First commit --- utilities/tools/REST2CARML/temp/azure-rest-api-specs | 1 + 1 file changed, 1 insertion(+) create mode 160000 utilities/tools/REST2CARML/temp/azure-rest-api-specs diff --git a/utilities/tools/REST2CARML/temp/azure-rest-api-specs b/utilities/tools/REST2CARML/temp/azure-rest-api-specs new file mode 160000 index 0000000000..7b7f4b52c5 --- /dev/null +++ b/utilities/tools/REST2CARML/temp/azure-rest-api-specs @@ -0,0 +1 @@ +Subproject commit 7b7f4b52c549d6ba62c387f569477ececf45f9f3 From 6a410f92013723ad9a349055445c0034fa362717 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 28 Oct 2022 08:04:00 +0200 Subject: [PATCH 02/12] Refactored CMK implementation --- .../accounts/.test/encr/deploy.test.bicep | 12 ++---- .../accounts/deploy.bicep | 40 +++++++++++++++++-- .../accounts/readme.md | 36 ++++++++--------- .../REST2CARML/temp/azure-rest-api-specs | 1 - 4 files changed, 56 insertions(+), 33 deletions(-) delete mode 160000 utilities/tools/REST2CARML/temp/azure-rest-api-specs diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep index bcf6139d15..84b9810b6a 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/encr/deploy.test.bicep 
@@ -48,15 +48,9 @@ module testDeployment '../../deploy.bicep' = { params: { name: '<>${serviceShort}001' kind: 'SpeechServices' - encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: resourceGroupResources.outputs.managedIdentityClientId - keyName: resourceGroupResources.outputs.keyVaultKeyName - keyVaultUri: resourceGroupResources.outputs.keyVaultUri - keyversion: resourceGroupResources.outputs.keyVaultKeyVersion - } - } + cMKKeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId + cMKKeyName: resourceGroupResources.outputs.keyVaultKeyName + cMKUserAssignedIdentityResourceId: resourceGroupResources.outputs.managedIdentityResourceId publicNetworkAccess: 'Enabled' sku: 'S0' userAssignedIdentities: { diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep index 1dc690e454..22c6de0249 100644 --- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -116,8 +116,20 @@ param apiProperties object = {}
 @description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
 param disableLocalAuth bool = true
-@description('Optional. Properties to configure encryption.')
-param encryption object = {}
+@description('Optional. Enable service encryption.')
+param enableEncryption bool = true
+
+@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+param cMKKeyVaultResourceId string = ''
+
+@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
+param cMKKeyName string = ''
+
+@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
+param cMKUserAssignedIdentityResourceId string = ''
+
+@description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.')
+param cMKKeyVersion string = ''
 @description('Optional. Resource migration token.')
 param migrationToken string = ''
@@ -195,6 +207,16 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
+resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split(cMKKeyVaultResourceId, '/'))
+ scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+}
+
+resource cmkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
+ name: last(split(cMKUserAssignedIdentityResourceId, '/'))
+ scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
+}
+
 resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = {
 name: name
 kind: kind
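Review bot: `cmkKeyVault` is declared against the preview API `Microsoft.KeyVault/vaults@2021-06-01-preview` for an `existing` reference, while the test dependencies in this same PR use the GA `2022-07-01`; pinning a production module to a preview API is a maintenance risk, so I would use `resource cmkKeyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!empty(cMKKeyVaultResourceId)) {`. Separately, the contract in the `cMKUserAssignedIdentityResourceId` description ("Required if 'cMKKeyName' is not empty") is not enforced: with `cMKKeyName` set and the identity ID left empty, `cmkUserAssignedIdentity` is never evaluated and the account's read of its `clientId` (outside this hunk) fails at deployment with an unhelpful error. Bicep offers no assertion here, so at minimum `cMKKeyVaultResourceId`, which `cmkKeyVault` depends on in the same way, should carry the same `Conditional. ... Required if 'cMKKeyName' is not empty.` wording. The `resourceGroup(split(...)[2], split(...)[4])` scoping also assumes a well-formed ARM resource ID; a malformed value fails with an index error rather than a message naming the parameter.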
@@ -215,7 +237,19 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = {
 allowedFqdnList: allowedFqdnList
 apiProperties: apiProperties
 disableLocalAuth: disableLocalAuth
- encryption: !empty(encryption) ? encryption : null
+ encryption: enableEncryption && !empty(cMKKeyName) ? {
+ // Customer-managed key
+ keySource: 'Microsoft.KeyVault'
+ keyVaultProperties: {
+ identityClientId: cmkUserAssignedIdentity.properties.clientId
+ keyVaultUri: cmkKeyVault.properties.vaultUri
+ keyName: cMKKeyName
+ keyVersion: cMKKeyVersion
+ }
+ } : enableEncryption ? {
+ // Service-managed key
+ keySource: 'Microsoft.CognitiveServices/accounts'
+ } : null
 migrationToken: !empty(migrationToken) ? migrationToken : null
 restore: restore
 restrictOutboundNetworkAccess: restrictOutboundNetworkAccess
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md
index 08d729696a..009256c36a 100644
--- a/modules/Microsoft.CognitiveServices/accounts/readme.md
+++ b/modules/Microsoft.CognitiveServices/accounts/readme.md
@@ -35,6 +35,7 @@ This module deploys different kinds of cognitive services resources
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
+| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
 | `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
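Review bot: The customer-managed-key branch reads `cmkUserAssignedIdentity.properties.clientId`, but nothing ties `cMKUserAssignedIdentityResourceId` to the account's own `identity` block; the service can only fetch the key with an identity that is actually assigned to the account, which the `userAssignedIdentities` readme row in this hunk acknowledges ("Required if a user assigned identity is used for encryption") while the `cMKUserAssignedIdentityResourceId` description does not. I would extend that description with `The identity must also be assigned to the account via 'userAssignedIdentities' and hold wrap/unwrap permissions on the key.` Also, when `cMKKeyVersion` is left at its default, `keyVersion: cMKKeyVersion` sends an empty string; whether the service treats that as "latest", as the parameter description claims, is not established by this hunk and should be verified rather than assumed. The `resource cognitiveServices` body starts before this hunk and continues after it.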
@@ -44,6 +45,9 @@ This module deploys different kinds of cognitive services resources | :-- | :-- | :-- | :-- | :-- | | `allowedFqdnList` | array | `[]` | | List of allowed FQDN. | | `apiProperties` | object | `{object}` | | The API properties for special APIs. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[Audit, RequestResponse]` | `[Audit, RequestResponse]` | The name of logs that will be streamed. | 
@@ -54,7 +58,7 @@ This module deploys different kinds of cognitive services resources | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `encryption` | object | `{object}` | | Properties to configure encryption. | +| `enableEncryption` | bool | `True` | | Enable service encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationToken` | string | `''` | | Resource migration token. | @@ -600,15 +604,9 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { kind: 'SpeechServices' name: '<>csaencr001' // Non-required parameters - encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: '' - keyName: '' - keyVaultUri: '' - keyversion: '' - } - } + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' publicNetworkAccess: 'Enabled' sku: 'S0' userAssignedIdentities: { @@ -638,16 +636,14 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "value": "<>csaencr001" }, // Non-required parameters - "encryption": { - "value": { - "keySource": "Microsoft.KeyVault", - "keyVaultProperties": { - "identityClientId": "", - "keyName": "", - "keyVaultUri": "", - "keyversion": "" - } - } + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" }, "publicNetworkAccess": { "value": "Enabled" diff --git a/utilities/tools/REST2CARML/temp/azure-rest-api-specs b/utilities/tools/REST2CARML/temp/azure-rest-api-specs deleted file mode 160000 index 7b7f4b52c5..0000000000 
--- a/utilities/tools/REST2CARML/temp/azure-rest-api-specs +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 7b7f4b52c549d6ba62c387f569477ececf45f9f3 From f4caea7c3058105f9305216545bf73e550b8f430 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 28 Oct 2022 08:25:18 +0200 Subject: [PATCH 03/12] Updated to october api version --- modules/Microsoft.CognitiveServices/accounts/deploy.bicep | 6 +++++- modules/Microsoft.CognitiveServices/accounts/readme.md | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep index 22c6de0249..862f16ae07 100644 --- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -131,6 +131,9 @@ param cMKUserAssignedIdentityResourceId string = '' @description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.') param cMKKeyVersion string = '' +@description('Optional. The flag to enable dynamic throttling.') +param dynamicThrottlingEnabled bool = false + @description('Optional. Resource migration token.') param migrationToken string = '' @@ -217,7 +220,7 @@ resource cmkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentiti scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) } -resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { +resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = { name: name kind: kind identity: identity @@ -254,6 +257,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { restore: restore restrictOutboundNetworkAccess: restrictOutboundNetworkAccess userOwnedStorage: !empty(userOwnedStorage) ? userOwnedStorage : null + dynamicThrottlingEnabled: dynamicThrottlingEnabled } } 
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md index 009256c36a..f26ce651b2 100644 --- a/modules/Microsoft.CognitiveServices/accounts/readme.md +++ b/modules/Microsoft.CognitiveServices/accounts/readme.md @@ -17,7 +17,7 @@ This module deploys different kinds of cognitive services resources | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.CognitiveServices/accounts` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2021-10-01/accounts) | +| `Microsoft.CognitiveServices/accounts` | [2022-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2022-10-01/accounts) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -57,6 +57,7 @@ This module deploys different kinds of cognitive services resources | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | +| `dynamicThrottlingEnabled` | bool | `False` | | The flag to enable dynamic throttling. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enableEncryption` | bool | `True` | | Enable service encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | From c1156aec1c1c997510fc8f1243f6465c4fe682c4 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 2 Dec 2022 18:28:21 +0100 Subject: [PATCH 04/12] Enabled encryption & updated readme --- .../accounts/.test/encr/dependencies.bicep | 2 +- .../accounts/deploy.bicep | 11 ++++-- .../accounts/readme.md | 35 ++++++++----------- 3 files changed, 23 insertions(+), 25 deletions(-) diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep index 93aa8495b2..c335e5ed1a 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep @@ -62,7 +62,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') scope: keyVault::key properties: { principalId: managedIdentity.properties.principalId 
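Review bot: Renaming the `keyPermissions` assignment to `...-Key-Key-Vault-Crypto-User-RoleAssignment` changes its deterministic `guid(...)` name, so a redeploy into an existing test resource group creates a second role assignment and leaves the old `Key-Reader` one in place, since ARM does not remove assignments that drop out of a template. The `roleDefinitionId` is outside this hunk, but if the role is Key Vault Crypto User as the new name suggests, it grants sign/verify/encrypt/decrypt beyond what a CMK consumer needs; the narrower built-in for this purpose is Key Vault Crypto Service Encryption User (get, wrapKey, unwrapKey), and the assignment name should match whichever role is actually assigned. The `properties` block of `keyPermissions` continues past the hunk.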
diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
index 0f42b20388..c5f6ccab2e 100644
--- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -215,7 +215,12 @@ resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = i
 scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }
-resource cmkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
+resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
+ name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'
+ scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+}
+
+resource cMkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
 name: last(split(cMKUserAssignedIdentityResourceId, '/'))
 scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
 }
@@ -244,10 +249,10 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 // Customer-managed key
 keySource: 'Microsoft.KeyVault'
 keyVaultProperties: {
- identityClientId: cmkUserAssignedIdentity.properties.clientId
+ identityClientId: cMkUserAssignedIdentity.properties.clientId
 keyVaultUri: cmkKeyVault.properties.vaultUri
 keyName: cMKKeyName
- keyVersion: cMKKeyVersion
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
 }
 } : enableEncryption ? {
 // Service-managed key
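Review bot: The new `keyVersion` fallback `last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))` resolves the key version current at deployment time and pins it on the account, so the parameter description "If not provided, latest is used" is misleading: a Key Vault rotation (manual or via rotation policy) is not picked up until the module is redeployed. Either say so, e.g. `'Optional. The version of the customer managed key to reference for encryption. If not provided, the version current at deployment time is resolved and pinned; key rotations require a redeployment.'`, or, if the service accepts an empty version to track the latest (not established here), pass `''` through instead. Reading `cMKKeyVaultKey` also requires the deploying principal to have ARM read access on the key resource in the vault's resource group, a new prerequisite worth a line in the readme. Minor style: the three `existing` references are now spelled `cmkKeyVault`, `cMKKeyVaultKey` and `cMkUserAssignedIdentity`; one casing would help.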
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md index d7d9d9d1be..1e506d2b26 100644 --- a/modules/Microsoft.CognitiveServices/accounts/readme.md +++ b/modules/Microsoft.CognitiveServices/accounts/readme.md @@ -57,8 +57,9 @@ This module deploys different kinds of cognitive services resources | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | +| `dynamicThrottlingEnabled` | bool | `False` | | The flag to enable dynamic throttling. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryption` | object | `{object}` | | Properties to configure encryption. | +| `enableEncryption` | bool | `True` | | Enable service encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationToken` | string | `''` | | Resource migration token. | @@ -610,16 +611,10 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { kind: 'SpeechServices' name: '<>csaencr001' // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' - encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: '' - keyName: '' - keyVaultUri: '' - keyversion: '' - } - } publicNetworkAccess: 'Enabled' sku: 'S0' userAssignedIdentities: { 
@@ -649,20 +644,18 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "value": "<>csaencr001" }, // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" }, - "encryption": { - "value": { - "keySource": "Microsoft.KeyVault", - "keyVaultProperties": { - "identityClientId": "", - "keyName": "", - "keyVaultUri": "", - "keyversion": "" - } - } - }, "publicNetworkAccess": { "value": "Enabled" }, From 3595aed06040adcdd595ae4e7e818102e6c2ef80 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 2 Dec 2022 18:32:45 +0100 Subject: [PATCH 05/12] Cleanup --- .../accounts/.test/encr/dependencies.bicep | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep index c335e5ed1a..8959773eb3 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/encr/dependencies.bicep @@ -77,15 +77,9 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Key Vault.') output keyVaultResourceId string = keyVault.id -@description('The vault URI of the created Key Vault.') -output keyVaultUri string = keyVault.properties.vaultUri - @description('The name of the created Key Vault encryption key.') output keyVaultKeyName string = keyVault::key.name -@description('The version of the created Key Vault encryption key.') -output keyVaultKeyVersion string = last(split(keyVault::key.properties.keyUriWithVersion, '/')) - @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id From cb25bf94c9bf0f7e1d3aa05f69ca3a2eccdf733b Mon Sep 17 00:00:00 2001 
From: AlexanderSehr Date: Fri, 2 Dec 2022 18:48:01 +0100 Subject: [PATCH 06/12] Small fix --- modules/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep index c5f6ccab2e..bcbae089c8 100644 --- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -256,7 +256,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = { } } : enableEncryption ? { // Service-managed key - keySource: 'Microsoft.CognitiveServices/accounts' + keySource: 'Microsoft.CognitiveServices' } : null migrationToken: !empty(migrationToken) ? migrationToken : null restore: restore From 8de4d01b15de8cbbed758560a88de0243c44cee9 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 2 Dec 2022 19:13:59 +0100 Subject: [PATCH 07/12] Update to latest --- .../accounts/.test/common/deploy.test.bicep | 1 + modules/Microsoft.CognitiveServices/accounts/readme.md | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep index 5f635ac49e..e937960b07 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep @@ -63,6 +63,7 @@ module testDeployment '../../deploy.bicep' = { kind: 'Face' customSubDomainName: '<>xdomain' diagnosticLogsRetentionInDays: 7 + enableEncryption: false diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId 
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md index 1e506d2b26..b1fbbc529e 100644 --- a/modules/Microsoft.CognitiveServices/accounts/readme.md +++ b/modules/Microsoft.CognitiveServices/accounts/readme.md @@ -451,6 +451,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' + enableEncryption: false lock: 'CanNotDelete' networkAcls: { defaultAction: 'Deny' @@ -536,6 +537,9 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "enableDefaultTelemetry": { "value": "" }, + "enableEncryption": { + "value": false + }, "lock": { "value": "CanNotDelete" }, From 42a981e2ce440710089fc94ac0d1b0cb0c6c323f Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Sun, 4 Dec 2022 10:58:03 +0100 Subject: [PATCH 08/12] Adjusted encryption & default values --- .../accounts/.test/common/deploy.test.bicep | 1 - .../accounts/deploy.bicep | 9 +------- .../accounts/readme.md | 5 ----- .../managedClusters/agentPools/deploy.bicep | 22 +------------------ .../managedClusters/agentPools/readme.md | 10 ++++----- .../namespaces/networkRuleSets/deploy.bicep | 4 ---- .../namespaces/networkRuleSets/readme.md | 2 +- .../Microsoft.KeyVault/vaults/deploy.bicep | 12 ---------- modules/Microsoft.KeyVault/vaults/readme.md | 6 ++--- .../expressRouteCircuits/deploy.bicep | 4 ---- .../expressRouteCircuits/readme.md | 2 +- .../namespaces/networkRuleSets/deploy.bicep | 4 ---- .../namespaces/networkRuleSets/readme.md | 2 +- 13 files changed, 13 insertions(+), 70 deletions(-) diff --git a/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep index e937960b07..5f635ac49e 100644 --- a/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep 
+++ b/modules/Microsoft.CognitiveServices/accounts/.test/common/deploy.test.bicep
@@ -63,7 +63,6 @@ module testDeployment '../../deploy.bicep' = {
 kind: 'Face'
 customSubDomainName: '<>xdomain'
 diagnosticLogsRetentionInDays: 7
- enableEncryption: false
 diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
index bcbae089c8..5e4d2317ec 100644
--- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -116,9 +116,6 @@ param apiProperties object = {}
 @description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
 param disableLocalAuth bool = true
-@description('Optional. Enable service encryption.')
-param enableEncryption bool = true
-
 @description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
 param cMKKeyVaultResourceId string = ''
@@ -245,8 +242,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 allowedFqdnList: allowedFqdnList
 apiProperties: apiProperties
 disableLocalAuth: disableLocalAuth
- encryption: enableEncryption && !empty(cMKKeyName) ? {
- // Customer-managed key
+ encryption: !empty(cMKKeyName) ? {
 keySource: 'Microsoft.KeyVault'
 keyVaultProperties: {
 identityClientId: cMkUserAssignedIdentity.properties.clientId
@@ -254,9 +250,6 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 keyName: cMKKeyName
 keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
 }
- } : enableEncryption ? {
- // Service-managed key
- keySource: 'Microsoft.CognitiveServices'
 } : null
 migrationToken: !empty(migrationToken) ? migrationToken : null
 restore: restore
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md
index b1fbbc529e..470264c7f3 100644
--- a/modules/Microsoft.CognitiveServices/accounts/readme.md
+++ b/modules/Microsoft.CognitiveServices/accounts/readme.md
@@ -59,7 +59,6 @@ This module deploys different kinds of cognitive services resources
 | `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. |
 | `dynamicThrottlingEnabled` | bool | `False` | | The flag to enable dynamic throttling. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableEncryption` | bool | `True` | | Enable service encryption. |
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `migrationToken` | string | `''` | | Resource migration token. |
@@ -451,7 +450,6 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 enableDefaultTelemetry: ''
- enableEncryption: false
 lock: 'CanNotDelete'
 networkAcls: {
 defaultAction: 'Deny'
@@ -537,9 +535,6 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {
 "enableDefaultTelemetry": {
 "value": ""
 },
- "enableEncryption": {
- "value": false
- },
 "lock": {
 "value": "CanNotDelete"
 },
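Review bot: With the service-managed branch removed, leaving `cMKKeyName` empty now yields `encryption: null`, i.e. the property is omitted from the PUT rather than explicitly set to `keySource: 'Microsoft.CognitiveServices'`. On a fresh account that gives the service default, but on an in-place redeploy of an account that previously had a customer-managed key it is not clear from this hunk whether omitting the property reverts to service-managed keys or leaves the CMK binding untouched; that should be verified and the outcome recorded in the `cMKKeyName` description, e.g. `Leave empty for service-managed encryption. Note that omitting this on a redeploy may not remove an existing customer-managed key configuration.` Dropping `enableEncryption` is also a breaking parameter removal for existing callers, which the commit does not call out. The `encryption` expression begins before this hunk.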
diff --git a/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep b/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep index 60320ffc29..1ce4168d56 100644 --- a/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep +++ b/modules/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep 
@@ -17,38 +17,18 @@ param count int = 1 param sourceResourceId string = '' @description('Optional. Whether to enable auto-scaler.') -@allowed([ - true - false -]) param enableAutoScaling bool = false @description('Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled.') -@allowed([ - true - false -]) param enableEncryptionAtHost bool = false @description('Optional. See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details.') -@allowed([ - true - false -]) param enableFIPS bool = false -@description('Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false.') -@allowed([ - true - false -]) +@description('Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools).') param enableNodePublicIP bool = false @description('Optional. Whether to enable UltraSSD.') -@allowed([ - true - false -]) param enableUltraSSD bool = false @description('Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.') 
diff --git a/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md b/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md index da9dd513c4..3cebb45864 100644 --- a/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md +++ b/modules/Microsoft.ContainerService/managedClusters/agentPools/readme.md 
@@ -35,12 +35,12 @@ This module deploys an Agent Pool for a Container Service Managed Cluster
 | :-- | :-- | :-- | :-- | :-- |
 | `availabilityZones` | array | `[]` | | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". |
 | `count` | int | `1` | | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. |
-| `enableAutoScaling` | bool | `False` | `[False, True]` | Whether to enable auto-scaler. |
+| `enableAutoScaling` | bool | `False` | | Whether to enable auto-scaler. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableEncryptionAtHost` | bool | `False` | `[False, True]` | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. |
-| `enableFIPS` | bool | `False` | `[False, True]` | See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. |
-| `enableNodePublicIP` | bool | `False` | `[False, True]` | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false. |
-| `enableUltraSSD` | bool | `False` | `[False, True]` | Whether to enable UltraSSD. |
+| `enableEncryptionAtHost` | bool | `False` | | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. |
+| `enableFIPS` | bool | `False` | | See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. |
+| `enableNodePublicIP` | bool | `False` | | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). |
+| `enableUltraSSD` | bool | `False` | | Whether to enable UltraSSD. |
 | `gpuInstanceProfile` | string | `''` | `['', MIG1g, MIG2g, MIG3g, MIG4g, MIG7g]` | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. |
 | `kubeletDiskType` | string | `''` | | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. |
 | `maxCount` | int | `-1` | | The maximum number of nodes for auto-scaling. |
diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
index e67a1331ab..e8ab19accf 100644
--- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
+++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
@@ -15,10 +15,6 @@ param publicNetworkAccess string = 'Enabled'
 @description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.')
 param defaultAction string = 'Allow'
 
-@allowed([
-  true
-  false
-])
 @description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".')
 param trustedServiceAccessEnabled bool = true
 
diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
index a22e0398c7..d4bbf1427b 100644
--- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
+++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
@@ -31,7 +31,7 @@ This module deploys EventHub Namespaces NetworkRuleSets.
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
 | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
-| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
+| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
 | `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep
index bdb1c9b0f7..ffc6d4d515 100644
--- a/modules/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep
@@ -19,24 +19,12 @@ param secrets object = {}
 param keys array = []
 
 @description('Optional. Specifies if the vault is enabled for deployment by script or compute.')
-@allowed([
-  true
-  false
-])
 param enableVaultForDeployment bool = true
 
 @description('Optional. Specifies if the vault is enabled for a template deployment.')
-@allowed([
-  true
-  false
-])
 param enableVaultForTemplateDeployment bool = true
 
 @description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.')
-@allowed([
-  true
-  false
-])
 param enableVaultForDiskEncryption bool = true
 
 @description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.')
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index f7fecfaa16..6fd4fdb82c 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
@@ -50,9 +50,9 @@ This module deploys a key vault and its child resources.
 | `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. |
 | `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
 | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. |
-| `enableVaultForDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for deployment by script or compute. |
-| `enableVaultForDiskEncryption` | bool | `True` | `[False, True]` | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. |
-| `enableVaultForTemplateDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for a template deployment. |
+| `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute. |
+| `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. |
+| `enableVaultForTemplateDeployment` | bool | `True` | | Specifies if the vault is enabled for a template deployment. |
 | `keys` | _[keys](keys/readme.md)_ array | `[]` | | All keys to create. |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
diff --git a/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep b/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep
index d3e15bb133..0d5022f98b 100644
--- a/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep
+++ b/modules/Microsoft.Network/expressRouteCircuits/deploy.bicep
@@ -26,10 +26,6 @@ param skuTier string = 'Standard'
 param skuFamily string = 'MeteredData'
 
 @description('Optional. Enabled BGP peering type for the Circuit.')
-@allowed([
-  true
-  false
-])
 param peering bool = false
 
 @description('Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.')
diff --git a/modules/Microsoft.Network/expressRouteCircuits/readme.md b/modules/Microsoft.Network/expressRouteCircuits/readme.md
index 7cc4058a25..8f049cdb3f 100644
--- a/modules/Microsoft.Network/expressRouteCircuits/readme.md
+++ b/modules/Microsoft.Network/expressRouteCircuits/readme.md
@@ -46,7 +46,7 @@ This template deploys an express route circuit.
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `peerASN` | int | `0` | | The autonomous system number of the customer/connectivity provider. |
-| `peering` | bool | `False` | `[False, True]` | Enabled BGP peering type for the Circuit. |
+| `peering` | bool | `False` | | Enabled BGP peering type for the Circuit. |
 | `peeringType` | string | `'AzurePrivatePeering'` | `[AzurePrivatePeering, MicrosoftPeering]` | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. |
 | `primaryPeerAddressPrefix` | string | `''` | | A /30 subnet used to configure IP addresses for interfaces on Link1. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
index ad06f2dc65..046d022e12 100644
--- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
+++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep
@@ -17,10 +17,6 @@ param publicNetworkAccess string = 'Enabled'
 @description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.')
 param defaultAction string = 'Allow'
 
-@allowed([
-  true
-  false
-])
 @description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".')
 param trustedServiceAccessEnabled bool = true
 
diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
index 9b9aa8a5a7..dc75d76f25 100644
--- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
@@ -31,7 +31,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets.
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
 | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
-| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
+| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
 | `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |

From 85fc8afd1eb55edf6bedd80f9cd6556e40070472 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Sun, 4 Dec 2022 14:32:54 +0100
Subject: [PATCH 09/12] Update modules/Microsoft.CognitiveServices/accounts/deploy.bicep

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 modules/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
index 5e4d2317ec..62c6c81c80 100644
--- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -217,7 +217,7 @@ resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = i
   scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }
 
-resource cMkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
   name: last(split(cMKUserAssignedIdentityResourceId, '/'))
   scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
 }

From 1cc1ba3214583b06e3a959cc14b3e8cf5c1183ac Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Sun, 4 Dec 2022 14:33:00 +0100
Subject: [PATCH 10/12] Update modules/Microsoft.CognitiveServices/accounts/deploy.bicep

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 modules/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
index 62c6c81c80..fbcad4bf5a 100644
--- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -207,7 +207,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) {
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) {
   name: last(split(cMKKeyVaultResourceId, '/'))
   scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }

From b8955c4a827e36d5acefec805eabc4d65041ea9e Mon Sep 17 00:00:00 2001
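Review bot: The rename of `cMkUserAssignedIdentity` to `cMKUserAssignedIdentity` here (and of `cmkKeyVault` to `cMKKeyVault` in the following PATCH 10 hunk) is not applied to the consumers in the same commit; the `identityClientId` and `keyVaultUri` lines under `keyVaultProperties` keep the old symbol names until PATCH 11 updates them, so these two intermediate commits leave deploy.bicep referencing undeclared symbols. Folding the `identityClientId: cMKUserAssignedIdentity.properties.clientId` and `keyVaultUri: cMKKeyVault.properties.vaultUri` updates into the commits that rename the declarations would keep every commit in the series deployable and bisectable. The `existing` declarations themselves, including the conditional `if (!empty(...))` guards, look consistent with the `cMKKeyVaultKey` declaration above them.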
From: AlexanderSehr
Date: Sun, 4 Dec 2022 14:52:10 +0100
Subject: [PATCH 11/12] Update to latest

---
 .../Microsoft.Automation/automationAccounts/deploy.bicep | 2 +-
 .../Microsoft.Automation/automationAccounts/readme.md | 7 ++++++-
 modules/Microsoft.Batch/batchAccounts/deploy.bicep | 2 +-
 modules/Microsoft.Batch/batchAccounts/readme.md | 2 +-
 .../Microsoft.CognitiveServices/accounts/deploy.bicep | 6 +++---
 modules/Microsoft.CognitiveServices/accounts/readme.md | 2 +-
 modules/Microsoft.DataFactory/factories/deploy.bicep | 4 ++--
 modules/Microsoft.DataFactory/factories/readme.md | 9 +++++++--
 .../workspaces/deploy.bicep | 2 +-
 .../workspaces/readme.md | 2 +-
 modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +-
 modules/Microsoft.ServiceBus/namespaces/readme.md | 7 ++++++-
 modules/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +-
 modules/Microsoft.Storage/storageAccounts/readme.md | 2 +-
 modules/Microsoft.Synapse/workspaces/deploy.bicep | 2 +-
 modules/Microsoft.Synapse/workspaces/readme.md | 7 ++++++-
 16 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/modules/Microsoft.Automation/automationAccounts/deploy.bicep b/modules/Microsoft.Automation/automationAccounts/deploy.bicep
index aa258ad196..20fbd01404 100644
--- a/modules/Microsoft.Automation/automationAccounts/deploy.bicep
+++ b/modules/Microsoft.Automation/automationAccounts/deploy.bicep
@@ -11,7 +11,7 @@ param location string = resourceGroup().location
 ])
 param skuName string = 'Basic'
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption.')
diff --git a/modules/Microsoft.Automation/automationAccounts/readme.md b/modules/Microsoft.Automation/automationAccounts/readme.md
index 9f76ebabe0..9e2781c9a8 100644
--- a/modules/Microsoft.Automation/automationAccounts/readme.md
+++ b/modules/Microsoft.Automation/automationAccounts/readme.md
@@ -37,12 +37,17 @@ This module deploys an Azure Automation Account.
 | :-- | :-- | :-- |
 | `name` | string | Name of the Automation Account. |
 
+**Conditional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+
 **Optional parameters**
 
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
diff --git a/modules/Microsoft.Batch/batchAccounts/deploy.bicep b/modules/Microsoft.Batch/batchAccounts/deploy.bicep
index 8097d31504..1fe112450b 100644
--- a/modules/Microsoft.Batch/batchAccounts/deploy.bicep
+++ b/modules/Microsoft.Batch/batchAccounts/deploy.bicep
@@ -90,7 +90,7 @@ param tags object = {}
 @description('Optional. List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane.')
 param allowedAuthenticationModes array = []
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption.')
diff --git a/modules/Microsoft.Batch/batchAccounts/readme.md b/modules/Microsoft.Batch/batchAccounts/readme.md
index 61def4e0ba..aed3605a35 100644
--- a/modules/Microsoft.Batch/batchAccounts/readme.md
+++ b/modules/Microsoft.Batch/batchAccounts/readme.md
@@ -32,6 +32,7 @@
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
 | `keyVaultReferenceResourceId` | string | `''` | The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. |
 
 **Optional parameters**
 
@@ -40,7 +41,6 @@
 | :-- | :-- | :-- | :-- | :-- |
 | `allowedAuthenticationModes` | array | `[]` | `[AAD, SharedKey, TaskAuthenticationToken]` | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
diff --git a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
index fbcad4bf5a..d73c99145d 100644
--- a/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/modules/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -116,7 +116,7 @@ param apiProperties object = {}
 @description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
 param disableLocalAuth bool = true
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
@@ -245,8 +245,8 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
     encryption: !empty(cMKKeyName) ? {
       keySource: 'Microsoft.KeyVault'
       keyVaultProperties: {
-        identityClientId: cMkUserAssignedIdentity.properties.clientId
-        keyVaultUri: cmkKeyVault.properties.vaultUri
+        identityClientId: cMKUserAssignedIdentity.properties.clientId
+        keyVaultUri: cMKKeyVault.properties.vaultUri
         keyName: cMKKeyName
         keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
       }
diff --git a/modules/Microsoft.CognitiveServices/accounts/readme.md b/modules/Microsoft.CognitiveServices/accounts/readme.md
index 470264c7f3..5989c79ec3 100644
--- a/modules/Microsoft.CognitiveServices/accounts/readme.md
+++ b/modules/Microsoft.CognitiveServices/accounts/readme.md
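Review bot: The `keyVersion` fallback `last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))` in the second hunk resolves the key's current version once, at deployment time, and writes that fixed version into the account's `keyVaultProperties`, so a later key rotation in Key Vault is not picked up until the module is redeployed; the readme wording for `cMKKeyVersion`, "If not provided, latest is used", reads as if rotation were automatic. I would add a why-comment on that line, `// Resolved once at deployment time: a rotated key is only used after the module is redeployed.`, and extend the `cMKKeyVersion` description with the same caveat so operators schedule the redeploy as part of their rotation runbook. The updated `cMKUserAssignedIdentity` and `cMKKeyVault` references now match the `existing` resource declarations renamed in PATCH 09 and PATCH 10. The enclosing `cognitiveServices` resource starts and ends outside the hunk.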
@@ -35,6 +35,7 @@ This module deploys different kinds of cognitive services resources
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
 | `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
 
@@ -46,7 +47,6 @@ This module deploys different kinds of cognitive services resources
 | `allowedFqdnList` | array | `[]` | | List of allowed FQDN. |
 | `apiProperties` | object | `{object}` | | The API properties for special APIs. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
diff --git a/modules/Microsoft.DataFactory/factories/deploy.bicep b/modules/Microsoft.DataFactory/factories/deploy.bicep
index 7f733d00f2..b5a66b0af8 100644
--- a/modules/Microsoft.DataFactory/factories/deploy.bicep
+++ b/modules/Microsoft.DataFactory/factories/deploy.bicep
@@ -76,7 +76,7 @@ param userAssignedIdentities object = {}
 @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption.')
@@ -85,7 +85,7 @@ param cMKKeyName string = ''
 @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
 param cMKKeyVersion string = ''
 
-@description('Optional. User assigned identity to use when fetching the customer managed key.')
+@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
 param cMKUserAssignedIdentityResourceId string = ''
 
 @description('Optional. The name of logs that will be streamed.')
diff --git a/modules/Microsoft.DataFactory/factories/readme.md b/modules/Microsoft.DataFactory/factories/readme.md
index 08bf39c2e5..e2a740ac09 100644
--- a/modules/Microsoft.DataFactory/factories/readme.md
+++ b/modules/Microsoft.DataFactory/factories/readme.md
@@ -30,14 +30,19 @@
 | :-- | :-- | :-- |
 | `name` | string | The name of the Azure Factory to create. |
 
+**Conditional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
+
 **Optional parameters**
 
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
 | `diagnosticLogCategoriesToEnable` | array | `[ActivityRuns, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` | `[ActivityRuns, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` | The name of logs that will be streamed. |
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
index 4fa6c0d032..9481de7a34 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
+++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
@@ -115,7 +115,7 @@ param description string = ''
 @sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.')
 param discoveryUrl string = ''
 
-@sys.description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@sys.description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @sys.description('Optional. The name of the customer managed key to use for encryption.')
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
index 48a6bce26f..65c0041a85 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
@@ -38,6 +38,7 @@ This module deploys a Machine Learning Services Workspace.
 
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
 | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
 | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. |
@@ -49,7 +50,6 @@ This module deploys a Machine Learning Services Workspace.
 | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. |
 | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
 | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. |
diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
index 286731fea5..18d9602528 100644
--- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
+++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
@@ -86,7 +86,7 @@ param queues array = []
 @description('Optional. The topics to create in the service bus namespace.')
 param topics array = []
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.')
diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md
index a7d28da9bd..9fa4821b21 100644
--- a/modules/Microsoft.ServiceBus/namespaces/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/readme.md
@@ -37,13 +37,18 @@ This module deploys a service bus namespace resource.
 | :-- | :-- | :-- |
 | `name` | string | Name of the Service Bus Namespace. |
 
+**Conditional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+
 **Optional parameters**
 
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus namespace. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
index cb3c0ffc81..a781d8b828 100644
--- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -135,7 +135,7 @@ param diagnosticMetricsToEnable array = [
   'Transaction'
 ]
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md
index f76689cd74..9dc4d70b92 100644
--- a/modules/Microsoft.Storage/storageAccounts/readme.md
+++ b/modules/Microsoft.Storage/storageAccounts/readme.md
@@ -44,6 +44,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
 
 **Optional parameters**
@@ -54,7 +55,6 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Provides the identity based authentication settings for Azure Files. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Blob service and containers to deploy. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
diff --git a/modules/Microsoft.Synapse/workspaces/deploy.bicep b/modules/Microsoft.Synapse/workspaces/deploy.bicep
index a75c4783ba..7deb290a22 100644
--- a/modules/Microsoft.Synapse/workspaces/deploy.bicep
+++ b/modules/Microsoft.Synapse/workspaces/deploy.bicep
@@ -27,7 +27,7 @@ param defaultDataLakeStorageCreateManagedPrivateEndpoint bool = false
 @description('Optional. Double encryption using a customer-managed key.')
 param encryption bool = false
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
+@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
 
 @description('Optional. The name of the customer managed key to use for encryption.')
diff --git a/modules/Microsoft.Synapse/workspaces/readme.md b/modules/Microsoft.Synapse/workspaces/readme.md
index a16196f680..78b76ec7da 100644
--- a/modules/Microsoft.Synapse/workspaces/readme.md
+++ b/modules/Microsoft.Synapse/workspaces/readme.md
@@ -34,6 +34,12 @@ This module deploys a Synapse Workspace.
 | `name` | string | The name of the Synapse Workspace. |
 | `sqlAdministratorLogin` | string | Login for administrator access to the workspace's SQL pools. |
 
+**Conditional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+
 **Optional parameters**
 
 | Parameter Name | Type | Default Value | Allowed Values | Description |
@@ -41,7 +47,6 @@ This module deploys a Synapse Workspace.
 | `allowedAadTenantIdsForLinking` | array | `[]` | | Allowed AAD Tenant IDs For Linking. |
 | `azureADOnlyAuthentication` | bool | `False` | | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
 | `cMKUserAssignedIdentityResourceId` | string | `''` | | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. |
 | `cMKUseSystemAssignedIdentity` | bool | `False` | | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. |
 | `defaultDataLakeStorageCreateManagedPrivateEndpoint` | bool | `False` | | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. |

From 4f6f41a1f8bc02c58074b6f37310433881f48b90 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 9 Dec 2022 14:34:05 +0100
Subject: [PATCH 12/12] Updated param

---
 modules/Microsoft.Automation/automationAccounts/deploy.bicep | 2 +-
 modules/Microsoft.Automation/automationAccounts/readme.md | 2 +-
 modules/Microsoft.ContainerRegistry/registries/deploy.bicep | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/Microsoft.Automation/automationAccounts/deploy.bicep b/modules/Microsoft.Automation/automationAccounts/deploy.bicep
index 20fbd01404..e0ecd96a58 100644
--- a/modules/Microsoft.Automation/automationAccounts/deploy.bicep
+++ b/modules/Microsoft.Automation/automationAccounts/deploy.bicep
@@ -17,7 +17,7 @@ param cMKKeyVaultResourceId string = ''
 @description('Optional. The name of the customer managed key to use for encryption.')
 param cMKKeyName string = ''
 
-@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.')
+@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
 param cMKUserAssignedIdentityResourceId string = ''
 
 @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
diff --git a/modules/Microsoft.Automation/automationAccounts/readme.md b/modules/Microsoft.Automation/automationAccounts/readme.md
index 9e2781c9a8..92e81ecc1c 100644
--- a/modules/Microsoft.Automation/automationAccounts/readme.md
+++ b/modules/Microsoft.Automation/automationAccounts/readme.md
@@ -42,6 +42,7 @@ This module deploys an Azure Automation Account.
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
 | `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
 
 **Optional parameters**
 
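Review bot: The new description for `cMKUserAssignedIdentityResourceId` drops the only hint a user had that the identity must be granted access to the referenced key vault, which is the prerequisite most likely to fail at deployment time, and it states a "required" relationship that nothing visible in the hunk enforces. The encryption block that consumes the parameter is outside this hunk, so whether the former system-assigned fallback still exists cannot be confirmed here; if it does, the new text is also inaccurate. I would keep the access prerequisite in the decorator: `@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty. The identity must be given access to the referenced key vault first.')`, and mirror that sentence in the readme row added in the next hunk so the generated documentation stays in sync.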
@@ -49,7 +50,6 @@ This module deploys an Azure Automation Account.
 | :-- | :-- | :-- | :-- | :-- |
 | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
 | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
 | `diagnosticLogCategoriesToEnable` | array | `[DscNodeStatus, JobLogs, JobStreams]` | `[DscNodeStatus, JobLogs, JobStreams]` | The name of logs that will be streamed. |
diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
index 444ce26cce..6cde372515 100644
--- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
+++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep
@@ -222,7 +222,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource encryptionIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
   name: last(split(cMKUserAssignedIdentityResourceId, '/'))
   scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
 }
@@ -245,7 +245,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' =
     encryption: !empty(cMKKeyName) ? {
       status: 'enabled'
       keyVaultProperties: {
-        identity: cMKUserAssignedIdentity.properties.clientId
+        identity: cMKUserAssignedIdentity.properties.clientId
         keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion
       }
     } : null
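Review bot: `cMKUserAssignedIdentity.properties.clientId` on the new side of the second hunk is evaluated whenever `cMKKeyName` is non-empty, but the `existing` resource it dereferences (first hunk) is only declared when `cMKUserAssignedIdentityResourceId` is non-empty, so a deployment that sets a key name without an identity fails when the property is resolved instead of with a clear parameter error. The rename itself is fine; the conditions should agree, either by guarding the read on `!empty(cMKUserAssignedIdentityResourceId)` or by documenting the parameter the way this series does for the Automation module, e.g. `@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')` — the registry module's parameter declarations are outside this hunk, so I cannot tell which applies. The `scope:` line also indexes `split(...)[2]` and `[4]` with no check on the resource ID shape, so a malformed ID surfaces as an index error at deployment time rather than as a validation message. The enclosing `registry` resource starts and ends outside the hunk.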