From 3a9b7989e4e987d5e728fd5c07cff6b8f7ad2505 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 21:51:24 +1100 Subject: [PATCH 01/69] purview account module --- .../.bicep/nested_roleAssignments.bicep | 79 ++++ .../accounts/.test/common/dependencies.bicep | 63 +++ .../accounts/.test/common/deploy.test.bicep | 77 ++++ .../accounts/.test/min/deploy.test.bicep | 43 ++ .../microsoft.purview/accounts/deploy.bicep | 394 ++++++++++++++++++ modules/microsoft.purview/accounts/readme.md | 245 +++++++++++ .../microsoft.purview/accounts/version.json | 4 + 7 files changed, 905 insertions(+) create mode 100644 modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep create mode 100644 modules/microsoft.purview/accounts/.test/common/dependencies.bicep create mode 100644 modules/microsoft.purview/accounts/.test/common/deploy.test.bicep create mode 100644 modules/microsoft.purview/accounts/.test/min/deploy.test.bicep create mode 100644 modules/microsoft.purview/accounts/deploy.bicep create mode 100644 modules/microsoft.purview/accounts/readme.md create mode 100644 modules/microsoft.purview/accounts/version.json
diff --git a/modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep b/modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep
new file mode 100644
index 0000000000..604cd4bd00
--- /dev/null
+++ b/modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep
@@ -0,0 +1,79 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+ 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
+ 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
+ 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
+ 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
+ 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
+ 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
+ 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
+ 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
+ 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Managed HSM contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource purviewAccount 'Microsoft.Purview/accounts@2021-07-01' existing = {
+ name: last(split(resourceId, '/'))
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+ name: guid(purviewAccount.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ condition: !empty(condition) ? condition : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ }
+ scope: purviewAccount
+}]
diff --git a/modules/microsoft.purview/accounts/.test/common/dependencies.bicep b/modules/microsoft.purview/accounts/.test/common/dependencies.bicep
new file mode 100644
index 0000000000..5119944dd2
--- /dev/null
+++ b/modules/microsoft.purview/accounts/.test/common/dependencies.bicep
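Review bot: The `builtInRoleNames` table is the Key Vault module's list (nine Key Vault roles plus `Managed HSM contributor`) carried unchanged into a module whose only scope is a `Microsoft.Purview/accounts` resource; it still works because any name not in the table falls through as the raw `roleDefinitionId`, but a display name that is not listed then fails at deployment time as an invalid role definition ID instead of at validation. Either trim the table to the generic roles or add a comment such as `// Role table inherited from the Key Vault module; names not listed here must be passed as full role definition IDs.` so the next maintainer does not assume the list was curated for Purview. This looks like repo boilerplate, so the comment alone is probably sufficient.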
@@ -0,0 +1,63 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.KeyVault'
+ }
+ ]
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.vaultcore.azure.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSResourceId string = privateDNSZone.id
diff --git a/modules/microsoft.purview/accounts/.test/common/deploy.test.bicep b/modules/microsoft.purview/accounts/.test/common/deploy.test.bicep
new file mode 100644
index 0000000000..ddc676d847
--- /dev/null
+++ b/modules/microsoft.purview/accounts/.test/common/deploy.test.bicep
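Review bot: The private DNS zone `privatelink.vaultcore.azure.net` and the `Microsoft.KeyVault` service endpoint on `defaultSubnet` are Key Vault artefacts, while the module under test creates Purview account, portal, blob, queue and Event Hub private endpoints; the `privateDNSResourceId` and `managedIdentityPrincipalId` outputs are also not consumed by `.test/common/deploy.test.bicep` in this patch. Either drop the zone, the service endpoint and the managed identity, or point the zone at something the test actually validates (for the account endpoint that would be `privatelink.purview.azure.com`, for the portal `privatelink.purviewstudio.azure.com`) and feed it to the deployment. As written the common test passes without any private DNS resolution being checked, which is presumably not what this dependency file is meant to provide.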
@@ -0,0 +1,77 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.purview-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pviewcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = false
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep<>diasa${serviceShort}03'
+ logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}01'
+ eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}01'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}002'
+ managedResourceGroupName: '<>${serviceShort}002-managed-rg'
+ publicNetworkAccess: 'Disabled'
+ diagnosticLogsRetentionInDays: 7
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ subnetId: resourceGroupResources.outputs.subnetResourceId
+ accountPrivateEndpointName: 'pe-<>${serviceShort}002-account'
+ portalPrivateEndpointName: 'pe-<>${serviceShort}002-portal'
+ storageAccountBlobPrivateEndpointName: 'pe-<>${serviceShort}002-sa-blob-blob'
+ storageAccountQueuePrivateEndpointName: 'pe-<>${serviceShort}002-sa-queue-blob'
+ eventHubPrivateEndpointName: 'pe-<>${serviceShort}002-eh'
+ enableDefaultTelemetry: enableDefaultTelemetry
+ }
+}
diff --git a/modules/microsoft.purview/accounts/.test/min/deploy.test.bicep b/modules/microsoft.purview/accounts/.test/min/deploy.test.bicep
new file mode 100644
index 0000000000..98abe0a944
--- /dev/null
+++ b/modules/microsoft.purview/accounts/.test/min/deploy.test.bicep
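Review bot: The five private endpoint names are passed without any of the matching `*PrivateEndpointIP` or `*PrivateEndpointNicName` parameters, so the static-IP and custom-NIC branches of `deploy.bicep` are not exercised by this test, and the `min` variant passes no private endpoint parameters at all, leaving those branches untested in the patch. Adding one of each to `testDeployment`, e.g. `portalPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-portal'`, would cover them at no extra cost. Separately, `storageAccountQueuePrivateEndpointName` is set to `'pe-<>${serviceShort}002-sa-queue-blob'`; the `-blob` suffix on the queue endpoint looks like a copy-paste slip and `'pe-<>${serviceShort}002-sa-queue'` would match the naming of the other four.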
@@ -0,0 +1,43 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.purview-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pviewmin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ managedResourceGroupName: '<>${serviceShort}001-managed-rg'
+ publicNetworkAccess: 'Enabled'
+ enableDefaultTelemetry: enableDefaultTelemetry
+ }
+}
diff --git a/modules/microsoft.purview/accounts/deploy.bicep b/modules/microsoft.purview/accounts/deploy.bicep
new file mode 100644
index 0000000000..d9f187fe5a
--- /dev/null
+++ b/modules/microsoft.purview/accounts/deploy.bicep
@@ -0,0 +1,394 @@
+@description('Azure location where the Purview Account will be created')
+param location string = resourceGroup().location
+
+@description('Name of the Purview Account')
+param name string
+
+@description('Tags')
+param tags object = {}
+
+@description('Optional. The ID(s) to assign to the resource.')
+param userAssignedIdentities object = {}
+
+@description('Required. The Managed Resource Group Name.')
+param managedResourceGroupName string
+
+@description('Optional. Enable or disable resource provider inbound network traffic from public clients. default is Disabled')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+ 'NotSpecified'
+])
+param publicNetworkAccess string = 'Disabled'
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticWorkspaceId string = ''
+
+@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param diagnosticEventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticEventHubName string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Conditional. Existing Subnet Resource ID to assign to the Private Endpoint. Required for Private Endpoints.')
+param subnetId string = ''
+
+@description('Conditional. Name of the Purview Account Private Endpoint. Required for the Purview account Private Endpoint.')
+param accountPrivateEndpointName string = ''
+
+@description('Optional. The custom name of the network interface attached to the Purview Account private endpoint.')
+param accountPrivateEndpointNicName string = ''
+
+@description('Optional. The static privavte IP address for the Purview Account private endpoint.')
+param accountPrivateEndpointIP string = ''
+
+@description('Conditional. Name of the Purview Portal Private Endpoint. Required for the Purview portal Private Endpoint.')
+param portalPrivateEndpointName string = ''
+
+@description('Optional. The custom name of the network interface attached to the Purview Portal private endpoint.')
+param portalPrivateEndpointNicName string = ''
+
+@description('Optional. The static privavte IP address for the Purview Portal private endpoint.')
+param portalPrivateEndpointIP string = ''
+
+@description('Conditional. Name of the managed Storage Account blob Private Endpoint. Required for the managed storage account blob private endpoint.')
+param storageAccountBlobPrivateEndpointName string = ''
+
+@description('Optional. The custom name of the network interface attached to the managed Storage Account blob private endpoint.')
+param storageAccountBlobPrivateEndpointNicName string = ''
+
+@description('Optional. The static private IP address for the managed Storage Account blob private endpoint.')
+param storageAccountBlobPrivateEndpointIP string = ''
+
+@description('Conditional. Name of the managed Storage Account queue Private Endpoint. Required for the managed storage account queue private endpoint')
+param storageAccountQueuePrivateEndpointName string = ''
+
+@description('Optional. The custom name of the network interface attached to the managed Storage Account queue private endpoint.')
+param storageAccountQueuePrivateEndpointNicName string = ''
+
+@description('Optional. The static private IP address for the managed Storage Account blob private endpoint.')
+param storageAccountQueuePrivateEndpointIP string = ''
+
+@description('Conditional. Name of the managed Event Hub Namespace Private Endpoint. Required for the managed Event Hub Namespace private endpoint.')
+param eventHubPrivateEndpointName string = ''
+
+@description('Optional. The custom name of the network interface attached to the managed Event Hub Namespace private endpoint.')
+param eventHubPrivateEndpointNicName string = ''
+
+@description('Optional. The static private IP address for the managed Event Hub Namespace private endpoint.')
+param eventHubPrivateEndpointIP string = ''
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource.')
+@allowed([
+ 'allLogs'
+ 'ScanStatus'
+ 'DataSensitivity'
+ 'PurviewAccountAuditEvents'
+])
+param diagnosticLogCategoriesToEnable array = [
+ 'allLogs'
+]
+
+@description('Optional. The name of metrics that will be streamed.')
+@allowed([
+ 'AllMetrics'
+])
+param diagnosticMetricsToEnable array = [
+ 'AllMetrics'
+]
+
+@description('Optional. The name of the diagnostic setting, if deployed.')
+param diagnosticSettingsName string = '${name}-diagnosticSettings'
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+// =========== //
+// Variables //
+// =========== //
+var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): {
+ category: category
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
+ {
+ categoryGroup: 'allLogs'
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+] : diagnosticsLogsSpecified
+
+var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
+ category: metric
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var identityType = !empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
+
+var identity = identityType != 'None' ? {
+ type: identityType
+ userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+} : null
+
+var deploymentNameSuffix = last(split(deployment().name, '-'))
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource purviewAccount 'Microsoft.Purview/accounts@2021-07-01' = {
+ name: name
+ location: location
+ tags: tags
+ identity: any(identity)
+ properties: {
+ cloudConnectors: {}
+ managedResourceGroupName: managedResourceGroupName
+ publicNetworkAccess: publicNetworkAccess
+ }
+}
+
+resource purview_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+ name: '${purviewAccount.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: purviewAccount
+}
+
+resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+ name: diagnosticSettingsName
+ properties: {
+ storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
+ workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
+ eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
+ eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
+ metrics: diagnosticsMetrics
+ logs: diagnosticsLogs
+ }
+ scope: purviewAccount
+}
+
+module purviewAccountPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(accountPrivateEndpointName)) {
+ name: take('purview-account-pe-${name}-${deploymentNameSuffix}', 64)
+ params: {
+ name: accountPrivateEndpointName
+ tags: tags
+ subnetResourceId: subnetId
+ serviceResourceId: purviewAccount.id
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ groupIds: [
+ 'account'
+ ]
+ ipConfigurations: !empty(accountPrivateEndpointIP) ? [
+ {
+ name: 'ipconfig1'
+ properties: {
+ groupId: 'account'
+ memberName: 'default'
+ privateIPAddress: accountPrivateEndpointIP
+ }
+ }
+ ] : []
+ customNetworkInterfaceName: accountPrivateEndpointNicName
+ lock: lock
+ }
+}
+
+module purviewPortalPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(portalPrivateEndpointName)) {
+ name: take('purview-portal-pe-${name}-${deploymentNameSuffix}', 64)
+ params: {
+ name: portalPrivateEndpointName
+ tags: tags
+ subnetResourceId: subnetId
+ serviceResourceId: purviewAccount.id
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ groupIds: [
+ 'portal'
+ ]
+ ipConfigurations: !empty(accountPrivateEndpointIP) ? [
+ {
+ name: 'ipconfig1'
+ properties: {
+ groupId: 'portal'
+ memberName: 'default'
+ privateIPAddress: portalPrivateEndpointIP
+ }
+ }
+ ] : []
+ customNetworkInterfaceName: portalPrivateEndpointNicName
+ }
+}
+
+module storageBlobPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(storageAccountBlobPrivateEndpointName)) {
+ name: take('purview-sa-blob-pe-${name}-${deploymentNameSuffix}', 64)
+ params: {
+ name: storageAccountBlobPrivateEndpointName
+ tags: tags
+ subnetResourceId: subnetId
+ serviceResourceId: purviewAccount.properties.managedResources.storageAccount
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ groupIds: [
+ 'blob'
+ ]
+ ipConfigurations: !empty(accountPrivateEndpointIP) ? [
+ {
+ name: 'ipconfig1'
+ properties: {
+ groupId: 'blob'
+ memberName: 'default'
+ privateIPAddress: storageAccountBlobPrivateEndpointIP
+ }
+ }
+ ] : []
+ customNetworkInterfaceName: storageAccountBlobPrivateEndpointNicName
+ }
+}
+
+module storageQueuePe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(storageAccountQueuePrivateEndpointName)) {
+ name: take('purview-sa-queue-pe-${name}-${deploymentNameSuffix}', 64)
+ params: {
+ name: storageAccountQueuePrivateEndpointName
+ tags: tags
+ subnetResourceId: subnetId
+ serviceResourceId: purviewAccount.properties.managedResources.storageAccount
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ groupIds: [
+ 'queue'
+ ]
+ ipConfigurations: !empty(accountPrivateEndpointIP) ? [
+ {
+ name: 'ipconfig1'
+ properties: {
+ groupId: 'queue'
+ memberName: 'default'
+ privateIPAddress: storageAccountQueuePrivateEndpointIP
+ }
+ }
+ ] : []
+ customNetworkInterfaceName: storageAccountQueuePrivateEndpointNicName
+ }
+}
+
+module eventHubPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(eventHubPrivateEndpointName)) {
+ name: take('purview-eh-pe-${name}-${deploymentNameSuffix}', 64)
+ params: {
+ name: eventHubPrivateEndpointName
+ tags: tags
+ subnetResourceId: subnetId
+ serviceResourceId: purviewAccount.properties.managedResources.eventHubNamespace
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ groupIds: [
+ 'namespace'
+ ]
+ ipConfigurations: !empty(accountPrivateEndpointIP) ? [
+ {
+ name: 'ipconfig1'
+ properties: {
+ groupId: 'namespace'
+ memberName: 'default'
+ privateIPAddress: eventHubPrivateEndpointIP
+ }
+ }
+ ] : []
+ customNetworkInterfaceName: eventHubPrivateEndpointNicName
+ }
+}
+
+module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-KeyVault-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: purviewAccount.id
+ }
+}]
+
+@description('The name of the Microsoft Purview Account.')
+output accountName string = purviewAccount.name
+
+@description('The resource group the Microsoft Purview Account was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The resource ID of the Microsoft Purview Account.')
+output resourceId string = purviewAccount.id
+
+@description('The location the resource was deployed into.')
+output location string = location
+
+@description('The name of the managed resource group.')
+output managedResourceGroupName string = purviewAccount.properties.managedResourceGroupName
+
+@description('The resource ID of the managed resource group.')
+output managedResourceGroupId string = purviewAccount.properties.managedResources.resourceGroup
+
+@description('The resource ID of the managed storage account.')
+output managedStorageAccountId string = purviewAccount.properties.managedResources.storageAccount
+
+@description('The resource ID of the managed Event Hub Namespace')
+output managedEventHubId string = purviewAccount.properties.managedResources.eventHubNamespace
+
+@description('The principal ID of the system assigned identity.')
+output systemAssignedPrincipalId string = purviewAccount.identity.principalId
+
+@description('The resource ID of the Purview Account private endpoint')
+output accountPrivateEndpointId string = !empty(accountPrivateEndpointName) ? purviewAccountPE.outputs.resourceId : ''
+
+@description('The resource ID of the Purview portal private endpoint')
+output portalPrivateEndpointId string = !empty(portalPrivateEndpointName) ? purviewPortalPE.outputs.resourceId : ''
+
+@description('The resource ID of the Purview Managed Storage Account Blob private endpoint')
+output storageAccountBlobPrivateEndpointId string = !empty(storageAccountBlobPrivateEndpointName) ? storageBlobPe.outputs.resourceId : ''
+
+@description('The resource ID of the Purview Managed Storage Account Queue private endpoint')
+output storageAccountQueuePrivateEndpointId string = !empty(storageAccountQueuePrivateEndpointName) ? storageQueuePe.outputs.resourceId : ''
+
+@description('The resource ID of the Purview Managed Event Hub Namepsace private endpoint')
+output eventHubPrivateEndpointId string = !empty(eventHubPrivateEndpointName) ? eventHubPe.outputs.resourceId : ''
diff --git a/modules/microsoft.purview/accounts/readme.md b/modules/microsoft.purview/accounts/readme.md
new file mode 100644
index 0000000000..cb342cfee0
--- /dev/null
+++ b/modules/microsoft.purview/accounts/readme.md
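Review bot: The `purviewPortalPE`, `storageBlobPe`, `storageQueuePe` and `eventHubPe` modules all guard their `ipConfigurations` on `accountPrivateEndpointIP` instead of their own IP parameter, so `portalPrivateEndpointIP`, `storageAccountBlobPrivateEndpointIP`, `storageAccountQueuePrivateEndpointIP` and `eventHubPrivateEndpointIP` are ignored unless the account IP is also set, and when only the account IP is set each of those four sends `privateIPAddress: ''` to the private endpoint module. Each copy needs its own parameter in the condition, e.g. `ipConfigurations: !empty(portalPrivateEndpointIP) ? [` in `purviewPortalPE`, and the corresponding parameter in the other three. Two smaller leftovers from the module this was copied from: `lock: lock` is forwarded only to `purviewAccountPE`, so the portal, blob, queue and Event Hub endpoints stay unlocked while the account and its account endpoint are locked, and the role-assignment deployment name still reads `-KeyVault-Rbac-${index}`. The `accountPrivateEndpointIP` and `portalPrivateEndpointIP` descriptions carry the typo `privavte`, and `storageAccountQueuePrivateEndpointIP` is described as the blob endpoint's address.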
@@ -0,0 +1,245 @@ +# `[Microsoft.]` + +This module deploys . +// TODO: Replace Resource and fill in description + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.Network/privateEndpoints` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Purview/accounts` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `managedResourceGroupName` | string | The Managed Resource Group Name. | + +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `accountPrivateEndpointName` | string | `''` | Name of the Purview Account Private Endpoint. Required for the Purview account Private Endpoint. | +| `eventHubPrivateEndpointName` | string | `''` | Name of the managed Event Hub Namespace Private Endpoint. Required for the managed Event Hub Namespace private endpoint. 
| +| `portalPrivateEndpointName` | string | `''` | Name of the Purview Portal Private Endpoint. Required for the Purview portal Private Endpoint. | +| `storageAccountBlobPrivateEndpointName` | string | `''` | Name of the managed Storage Account blob Private Endpoint. Required for the managed storage account blob private endpoint. | +| `storageAccountQueuePrivateEndpointName` | string | `''` | Name of the managed Storage Account queue Private Endpoint. Required for the managed storage account queue private endpoint | +| `subnetId` | string | `''` | Existing Subnet Resource ID to assign to the Private Endpoint. Required for Private Endpoints. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `accountPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Account private endpoint. | +| `accountPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Account private endpoint. | +| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. 
| +| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | +| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | +| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `eventHubPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Event Hub Namespace private endpoint. | +| `eventHubPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Event Hub Namespace private endpoint. | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `portalPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Portal private endpoint. | +| `portalPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Portal private endpoint. | +| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled, NotSpecified]` | Enable or disable resource provider inbound network traffic from public clients. default is Disabled | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `storageAccountBlobPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | +| `storageAccountBlobPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account blob private endpoint. | +| `storageAccountQueuePrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | +| `storageAccountQueuePrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account queue private endpoint. | +| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | + +**Azure location where the Purview Account will be created parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | + +**Name of the Purview Account parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | + +**Tags parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | + + +### Parameter Usage: `` + +// TODO: Fill in Parameter usage + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `accountName` | string | The name of the Microsoft Purview Account. | +| `accountPrivateEndpointId` | string | The resource ID of the Purview Account private endpoint | +| `eventHubPrivateEndpointId` | string | The resource ID of the Purview Managed Event Hub Namepsace private endpoint | +| `location` | string | The location the resource was deployed into. | +| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace | +| `managedResourceGroupId` | string | The resource ID of the managed resource group. | +| `managedResourceGroupName` | string | The name of the managed resource group. | +| `managedStorageAccountId` | string | The resource ID of the managed storage account. | +| `portalPrivateEndpointId` | string | The resource ID of the Purview portal private endpoint | +| `resourceGroupName` | string | The resource group the Microsoft Purview Account was deployed into. | +| `resourceId` | string | The resource ID of the Microsoft Purview Account. | +| `storageAccountBlobPrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Blob private endpoint | +| `storageAccountQueuePrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Queue private endpoint | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ diff --git a/modules/microsoft.purview/accounts/version.json b/modules/microsoft.purview/accounts/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/modules/microsoft.purview/accounts/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} From 988728f3c3e58aff521be5c24e1183d59326b4aa Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Fri, 3 Feb 2023 21:56:17 +1100 Subject: [PATCH 02/69] add github action for purview --- .github/workflows/ms.purview.accounts.yml | 147 ++++++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 .github/workflows/ms.purview.accounts.yml diff --git a/.github/workflows/ms.purview.accounts.yml b/.github/workflows/ms.purview.accounts.yml new file mode 100644 index 0000000000..c1f2ef9c2e --- /dev/null +++ b/.github/workflows/ms.purview.accounts.yml 
@@ -0,0 +1,147 @@ +name: 'Purview: Accounts' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: true + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: false + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.purview.accounts.yml' + - 'modules/Microsoft.Purview/accounts/**' + - 'utilities/pipelines/**' + - '!utilities/pipelines/deploymentRemoval/**' + - '!*/**/readme.md' + +env: + variablesPath: 'settings.yml' + modulePath: 'modules/Microsoft.Purview/accounts' + workflowPath: '.github/workflows/ms.purview.accounts.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + TOKEN_NAMEPREFIX: '${{ secrets.TOKEN_NAMEPREFIX }}' + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: 'Initialize pipeline' + steps: + - name: 'Checkout' + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: 'Set input parameters to output variables' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + - name: 'Get parameter file paths' + id: get-module-test-file-paths + uses: ./.github/actions/templates/getModuleTestFiles + with: + modulePath: '${{ env.modulePath }}' + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + + ######################### + # Static validation # + ######################### + job_module_pester_validation: + runs-on: ubuntu-20.04 + name: 'Static validation' + steps: + - 
name: 'Checkout' + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + - name: 'Run tests' + uses: ./.github/actions/templates/validateModulePester + with: + modulePath: '${{ env.modulePath }}' + moduleTestFilePath: '${{ env.moduleTestFilePath }}' + + ############################# + # Deployment validation # + ############################# + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Deployment validation' + needs: + - job_initialize_pipeline + - job_module_pester_validation + strategy: + fail-fast: false + matrix: + moduleTestFilePaths: ${{ fromJson(needs.job_initialize_pipeline.outputs.moduleTestFilePaths) }} + steps: + - name: 'Checkout' + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' + location: '${{ env.location }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).removeDeployment }}' + + ################## + # Publishing # + ################## + job_publish_module: + name: 'Publishing' + if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' + runs-on: ubuntu-20.04 + needs: + - job_module_deploy_validation + steps: + - name: 'Checkout' + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + 
- name: 'Publishing' + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + templateSpecsRGName: '${{ env.templateSpecsRGName }}' + templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' + templateSpecsDescription: '${{ env.templateSpecsDescription }}' + templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' + bicepRegistryName: '${{ env.bicepRegistryName }}' + bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' + bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' From 201965bdd21473e305de8560aa90c4ef088b60f9 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:04:46 +1100 Subject: [PATCH 03/69] add --- .../accounts/.bicep/nested_roleAssignments.bicep | 0 .../accounts/.test/common/dependencies.bicep | 0 .../accounts/.test/common/deploy.test.bicep | 0 .../accounts/.test/min/deploy.test.bicep | 0 modules/{microsoft.purview => MS.Purview}/accounts/deploy.bicep | 0 modules/{microsoft.purview => MS.Purview}/accounts/readme.md | 0 modules/{microsoft.purview => MS.Purview}/accounts/version.json | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename modules/{microsoft.purview => MS.Purview}/accounts/.bicep/nested_roleAssignments.bicep (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/.test/common/dependencies.bicep (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/.test/common/deploy.test.bicep (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/.test/min/deploy.test.bicep (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/deploy.bicep (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/readme.md (100%) rename modules/{microsoft.purview => MS.Purview}/accounts/version.json (100%) 
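Review bot: The workflow declares no top-level `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope instead of the minimum the checkout-and-deploy steps need; `permissions: { contents: read }` next to `name:` would pin it, since the deploy and publish composite actions authenticate through AZURE_CREDENTIALS rather than the token as far as their inputs here show. The `env:` block also exports AZURE_CREDENTIALS, ARM_* and TOKEN_NAMEPREFIX to every step of every job, including `job_module_pester_validation`, which never contacts Azure; scoping those secrets to the steps that consume them limits exposure if any step echoes its environment. In `job_module_pester_validation`, `moduleTestFilePath: '${{ env.moduleTestFilePath }}'` references a variable that no `env:` entry in this file sets, so it resolves to an empty string unless the setEnvironmentVariables action exports it. The push `paths:` filter lists `modules/Microsoft.Purview/accounts/**` while the module added in the previous commit lives under `modules/microsoft.purview/`; path filters appear to be case-sensitive, so pushes to the module would not trigger this workflow until the directory is renamed.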
diff --git a/modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep b/modules/MS.Purview/accounts/.bicep/nested_roleAssignments.bicep similarity index 100% rename from modules/microsoft.purview/accounts/.bicep/nested_roleAssignments.bicep rename to modules/MS.Purview/accounts/.bicep/nested_roleAssignments.bicep diff --git a/modules/microsoft.purview/accounts/.test/common/dependencies.bicep b/modules/MS.Purview/accounts/.test/common/dependencies.bicep similarity index 100% rename from modules/microsoft.purview/accounts/.test/common/dependencies.bicep rename to modules/MS.Purview/accounts/.test/common/dependencies.bicep diff --git a/modules/microsoft.purview/accounts/.test/common/deploy.test.bicep b/modules/MS.Purview/accounts/.test/common/deploy.test.bicep similarity index 100% rename from modules/microsoft.purview/accounts/.test/common/deploy.test.bicep rename to modules/MS.Purview/accounts/.test/common/deploy.test.bicep diff --git a/modules/microsoft.purview/accounts/.test/min/deploy.test.bicep b/modules/MS.Purview/accounts/.test/min/deploy.test.bicep similarity index 100% rename from modules/microsoft.purview/accounts/.test/min/deploy.test.bicep rename to modules/MS.Purview/accounts/.test/min/deploy.test.bicep diff --git a/modules/microsoft.purview/accounts/deploy.bicep b/modules/MS.Purview/accounts/deploy.bicep similarity index 100% rename from modules/microsoft.purview/accounts/deploy.bicep rename to modules/MS.Purview/accounts/deploy.bicep diff --git a/modules/microsoft.purview/accounts/readme.md b/modules/MS.Purview/accounts/readme.md similarity index 100% rename from modules/microsoft.purview/accounts/readme.md rename to modules/MS.Purview/accounts/readme.md diff --git a/modules/microsoft.purview/accounts/version.json b/modules/MS.Purview/accounts/version.json similarity index 100% rename from modules/microsoft.purview/accounts/version.json rename to modules/MS.Purview/accounts/version.json 
From 0ec4548f9a95e2aceb6137367e6c17f940b57bb2 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:05:19 +1100 Subject: [PATCH 04/69] update --- .../accounts/.bicep/nested_roleAssignments.bicep | 0 .../accounts/.test/common/dependencies.bicep | 0 .../accounts/.test/common/deploy.test.bicep | 0 .../accounts/.test/min/deploy.test.bicep | 0 modules/{MS.Purview => Microsoft.Purview}/accounts/deploy.bicep | 0 modules/{MS.Purview => Microsoft.Purview}/accounts/readme.md | 0 modules/{MS.Purview => Microsoft.Purview}/accounts/version.json | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename modules/{MS.Purview => Microsoft.Purview}/accounts/.bicep/nested_roleAssignments.bicep (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/.test/common/dependencies.bicep (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/.test/common/deploy.test.bicep (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/.test/min/deploy.test.bicep (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/deploy.bicep (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/readme.md (100%) rename modules/{MS.Purview => Microsoft.Purview}/accounts/version.json (100%) diff --git a/modules/MS.Purview/accounts/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep similarity index 100% rename from modules/MS.Purview/accounts/.bicep/nested_roleAssignments.bicep rename to modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep diff --git a/modules/MS.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep similarity index 100% rename from modules/MS.Purview/accounts/.test/common/dependencies.bicep rename to modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep 
diff --git a/modules/MS.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep similarity index 100% rename from modules/MS.Purview/accounts/.test/common/deploy.test.bicep rename to modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep diff --git a/modules/MS.Purview/accounts/.test/min/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep similarity index 100% rename from modules/MS.Purview/accounts/.test/min/deploy.test.bicep rename to modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep diff --git a/modules/MS.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep similarity index 100% rename from modules/MS.Purview/accounts/deploy.bicep rename to modules/Microsoft.Purview/accounts/deploy.bicep diff --git a/modules/MS.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md similarity index 100% rename from modules/MS.Purview/accounts/readme.md rename to modules/Microsoft.Purview/accounts/readme.md diff --git a/modules/MS.Purview/accounts/version.json b/modules/Microsoft.Purview/accounts/version.json similarity index 100% rename from modules/MS.Purview/accounts/version.json rename to modules/Microsoft.Purview/accounts/version.json From da0682353c602ee1b2720e7c218af4983b609392 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:22:49 +1100 Subject: [PATCH 05/69] update readme --- modules/Microsoft.Purview/accounts/readme.md | 166 ++++++++++++++++++- 1 file changed, 164 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md index cb342cfee0..4783be9fee 100644 --- a/modules/Microsoft.Purview/accounts/readme.md +++ b/modules/Microsoft.Purview/accounts/readme.md @@ -1,4 +1,4 @@ -# `[Microsoft.]` +# `[Microsoft.Purview/accounts]` This module deploys . // TODO: Replace Resource and fill in description 
@@ -9,6 +9,7 @@ This module deploys . - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Deployment examples](#Deployment-examples) ## Resource Types @@ -242,4 +243,165 @@ userAssignedIdentities: { ## Cross-referenced modules -_None_ +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `Microsoft.Network/privateEndpoints` | Local reference | + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module accounts './Microsoft.Purview/accounts/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-test-pviewcom' + params: { + // Required parameters + managedResourceGroupName: '<>pviewcom002-managed-rg' + name: '<>pviewcom002' + // Non-required parameters + accountPrivateEndpointName: 'pe-<>pviewcom002-account' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticLogsRetentionInDays: 7 + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + eventHubPrivateEndpointName: 'pe-<>pviewcom002-eh' + portalPrivateEndpointName: 'pe-<>pviewcom002-portal' + publicNetworkAccess: 'Disabled' + storageAccountBlobPrivateEndpointName: 'pe-<>pviewcom002-sa-blob-blob' + storageAccountQueuePrivateEndpointName: 'pe-<>pviewcom002-sa-queue-blob' + subnetId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "managedResourceGroupName": { + "value": "<>pviewcom002-managed-rg" + }, + "name": { + "value": "<>pviewcom002" + }, + // Non-required parameters + "accountPrivateEndpointName": { + "value": "pe-<>pviewcom002-account" + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventHubPrivateEndpointName": { + "value": "pe-<>pviewcom002-eh" + }, + "portalPrivateEndpointName": { + "value": "pe-<>pviewcom002-portal" + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "storageAccountBlobPrivateEndpointName": { + "value": "pe-<>pviewcom002-sa-blob-blob" + }, + "storageAccountQueuePrivateEndpointName": { + "value": "pe-<>pviewcom002-sa-queue-blob" + }, + "subnetId": { + "value": "" + } + } +} +``` + +
+

+ +

Example 2: Min

+ +
+ +via Bicep module + +```bicep +module accounts './Microsoft.Purview/accounts/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-test-pviewmin' + params: { + // Required parameters + managedResourceGroupName: '<>pviewmin001-managed-rg' + name: '<>pviewmin001' + // Non-required parameters + enableDefaultTelemetry: '' + publicNetworkAccess: 'Enabled' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "managedResourceGroupName": { + "value": "<>pviewmin001-managed-rg" + }, + "name": { + "value": "<>pviewmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "publicNetworkAccess": { + "value": "Enabled" + } + } +} +``` + +
+

From 2c60a3dbbd7725cf971e35d5c4baad5d00b94859 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:41:04 +1100 Subject: [PATCH 06/69] update --- .../accounts/.test/common/deploy.test.bicep | 21 +++ .../Microsoft.Purview/accounts/deploy.bicep | 34 ++--- modules/Microsoft.Purview/accounts/readme.md | 120 ++++++++++++++---- 3 files changed, 130 insertions(+), 45 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index ddc676d847..cab979ee2c 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -10,6 +10,9 @@ param resourceGroupName string = 'ms.purview-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location +@description('Tags') +param tags object = {} + @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'pviewcom' @@ -47,6 +50,7 @@ module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnost eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}01' eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}01' location: location + } } @@ -59,6 +63,9 @@ module testDeployment '../../deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { name: '<>${serviceShort}002' + location: location + tags: tags + userAssignedIdentities: {} managedResourceGroupName: '<>${serviceShort}002-managed-rg' publicNetworkAccess: 'Disabled' diagnosticLogsRetentionInDays: 7 
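Review bot: `@description('Tags')` on the new `tags` parameter breaks the file's convention of prefixing the category, which `@description('Optional. The location to deploy resources to.')` directly above it follows; `@description('Optional. Tags of the resource.')` would match. The second hunk adds only an empty line inside the `diagnosticDependencies` params block after `location: location`, which looks accidental and is worth dropping before merge. In the third hunk `userAssignedIdentities: {}` is passed as a literal, so the common test never exercises the user-assigned identity path; if that is intended, a one-line comment such as `// user-assigned identities are covered by the dependencies template` (or a note that they are out of scope) would save the next reader a question. The `testDeployment` params block opened here continues in the next hunk.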
@@ -66,12 +73,26 @@ module testDeployment '../../deploy.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + roleAssignments: [] subnetId: resourceGroupResources.outputs.subnetResourceId accountPrivateEndpointName: 'pe-<>${serviceShort}002-account' + accountPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-account' + accountPrivateEndpointIP: '' portalPrivateEndpointName: 'pe-<>${serviceShort}002-portal' + portalPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-portal' + portalPrivateEndpointIP: '' storageAccountBlobPrivateEndpointName: 'pe-<>${serviceShort}002-sa-blob-blob' + storageAccountBlobPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-sa-blob-blob' + storageAccountBlobPrivateEndpointIP: '' storageAccountQueuePrivateEndpointName: 'pe-<>${serviceShort}002-sa-queue-blob' + storageAccountQueuePrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-sa-queue-blob' + storageAccountQueuePrivateEndpointIP: '' eventHubPrivateEndpointName: 'pe-<>${serviceShort}002-eh' + eventHubPrivateEndpointNicName: 'nic-e-<>${serviceShort}002-eh' + eventHubPrivateEndpointIP: '' enableDefaultTelemetry: enableDefaultTelemetry + diagnosticLogCategoriesToEnable: [ 'allLogs' ] + diagnosticMetricsToEnable: [ 'AllMetrics' ] + lock: '' } } diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index d9f187fe5a..3afdc79d07 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
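Review bot: `eventHubPrivateEndpointNicName: 'nic-e-<>${serviceShort}002-eh'` drops the `p` from the `nic-pe-` prefix that every other NIC name added in this hunk uses, so the event hub NIC will not follow the test's naming scheme; `eventHubPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-eh'` fixes it. The five `*PrivateEndpointIP: ''` values together with `roleAssignments: []` and `lock: ''` only confirm that the defaults still deploy, which is reasonable, but it means the common test never exercises a lock or a role assignment on the account; a short comment stating that this is deliberate would make the coverage gap visible. The `params` block closed here was opened in the previous hunk.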
@@ -1,10 +1,10 @@ -@description('Azure location where the Purview Account will be created') +@description('Optional. Azure location where the Purview Account will be created') param location string = resourceGroup().location -@description('Name of the Purview Account') +@description('Required. Name of the Purview Account') param name string -@description('Tags') +@description('Optional. Resource Tags') param tags object = {} @description('Optional. The ID(s) to assign to the resource.') @@ -41,10 +41,10 @@ param diagnosticEventHubName string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@description('Conditional. Existing Subnet Resource ID to assign to the Private Endpoint. Required for Private Endpoints.') +@description('Conditional. Existing Subnet Resource ID to assign to the Private Endpoint. Required if Private Endpoints are required.') param subnetId string = '' -@description('Conditional. Name of the Purview Account Private Endpoint. Required for the Purview account Private Endpoint.') +@description('Conditional. Name of the Purview Account Private Endpoint. Required if the Purview account Private Endpoint is required.') param accountPrivateEndpointName string = '' @description('Optional. The custom name of the network interface attached to the Purview Account private endpoint.') 
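Review bot: The new descriptions `'Optional. Azure location where the Purview Account will be created'` and `'Required. Name of the Purview Account'` omit the trailing period that the other `@description` strings in the file carry (e.g. `'Optional. The ID(s) to assign to the resource.'`), and the generated readme will inherit the inconsistency; `@description('Optional. Azure location where the Purview Account will be created.')` and `@description('Required. Name of the Purview Account.')` align them. In the second hunk, `Required if Private Endpoints are required.` and `Required if the Purview account Private Endpoint is required.` are circular and do not tell the caller what triggers the condition; `Required if any private endpoint is deployed.` and `Required if the account private endpoint is deployed.` say it. The same wording recurs in the hunks at -53, -62, -71 and -80 and should be adjusted there in the same way.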
@@ -53,7 +53,7 @@ param accountPrivateEndpointNicName string = '' @description('Optional. The static privavte IP address for the Purview Account private endpoint.') param accountPrivateEndpointIP string = '' -@description('Conditional. Name of the Purview Portal Private Endpoint. Required for the Purview portal Private Endpoint.') +@description('Conditional. Name of the Purview Portal Private Endpoint. Required if the Purview portal Private Endpoint is required.') param portalPrivateEndpointName string = '' @description('Optional. The custom name of the network interface attached to the Purview Portal private endpoint.') @@ -62,7 +62,7 @@ param portalPrivateEndpointNicName string = '' @description('Optional. The static privavte IP address for the Purview Portal private endpoint.') param portalPrivateEndpointIP string = '' -@description('Conditional. Name of the managed Storage Account blob Private Endpoint. Required for the managed storage account blob private endpoint.') +@description('Conditional. Name of the managed Storage Account blob Private Endpoint. Required if the managed storage account blob private endpoint is required.') param storageAccountBlobPrivateEndpointName string = '' @description('Optional. The custom name of the network interface attached to the managed Storage Account blob private endpoint.') 
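Review bot: The commit rewords the adjacent descriptions but leaves `privavte` in the context line `The static privavte IP address for the Purview Account private endpoint.` at the top of this hunk, and the same misspelling in the `portalPrivateEndpointIP` description at the top of the next hunk. Because the readme parameter table is generated from these decorators, the typo is reproduced there as well (visible in the readme hunks further down). Both should read `The static private IP address for the ... private endpoint.`.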
@@ -71,7 +71,7 @@ param storageAccountBlobPrivateEndpointNicName string = '' @description('Optional. The static private IP address for the managed Storage Account blob private endpoint.') param storageAccountBlobPrivateEndpointIP string = '' -@description('Conditional. Name of the managed Storage Account queue Private Endpoint. Required for the managed storage account queue private endpoint') +@description('Conditional. Name of the managed Storage Account queue Private Endpoint. Required if the managed storage account queue private endpoint is required.') param storageAccountQueuePrivateEndpointName string = '' @description('Optional. The custom name of the network interface attached to the managed Storage Account queue private endpoint.') @@ -80,7 +80,7 @@ param storageAccountQueuePrivateEndpointNicName string = '' @description('Optional. The static private IP address for the managed Storage Account blob private endpoint.') param storageAccountQueuePrivateEndpointIP string = '' -@description('Conditional. Name of the managed Event Hub Namespace Private Endpoint. Required for the managed Event Hub Namespace private endpoint.') +@description('Conditional. Name of the managed Event Hub Namespace Private Endpoint. Required if the managed Event Hub Namespace private endpoint is required.') param eventHubPrivateEndpointName string = '' @description('Optional. The custom name of the network interface attached to the managed Event Hub Namespace private endpoint.') @@ -352,7 +352,7 @@ module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (rol }] @description('The name of the Microsoft Purview Account.') -output accountName string = purviewAccount.name +output name string = purviewAccount.name @description('The resource group the Microsoft Purview Account was deployed into.') output resourceGroupName string = resourceGroup().name 
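Review bot: In the `@@ -80,7 +80,7 @@` hunk the context line describing `storageAccountQueuePrivateEndpointIP` says `managed Storage Account blob private endpoint`, a copy-paste from the blob parameter, and the commit touches the line right below it without correcting it; the generated readme carries the same wrong text. It should be `@description('Optional. The static private IP address for the managed Storage Account queue private endpoint.')`.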
@@ -361,7 +361,7 @@ output resourceGroupName string = resourceGroup().name output resourceId string = purviewAccount.id @description('The location the resource was deployed into.') -output location string = location +output location string = purviewAccount.location @description('The name of the managed resource group.') output managedResourceGroupName string = purviewAccount.properties.managedResourceGroupName 
@@ -372,23 +372,23 @@ output managedResourceGroupId string = purviewAccount.properties.managedResource @description('The resource ID of the managed storage account.') output managedStorageAccountId string = purviewAccount.properties.managedResources.storageAccount -@description('The resource ID of the managed Event Hub Namespace') +@description('The resource ID of the managed Event Hub Namespace.') output managedEventHubId string = purviewAccount.properties.managedResources.eventHubNamespace @description('The principal ID of the system assigned identity.') output systemAssignedPrincipalId string = purviewAccount.identity.principalId -@description('The resource ID of the Purview Account private endpoint') +@description('The resource ID of the Purview Account private endpoint.') output accountPrivateEndpointId string = !empty(accountPrivateEndpointName) ? purviewAccountPE.outputs.resourceId : '' -@description('The resource ID of the Purview portal private endpoint') +@description('The resource ID of the Purview portal private endpoint.') output portalPrivateEndpointId string = !empty(portalPrivateEndpointName) ? purviewPortalPE.outputs.resourceId : '' -@description('The resource ID of the Purview Managed Storage Account Blob private endpoint') +@description('The resource ID of the Purview Managed Storage Account Blob private endpoint.') output storageAccountBlobPrivateEndpointId string = !empty(storageAccountBlobPrivateEndpointName) ? storageBlobPe.outputs.resourceId : '' -@description('The resource ID of the Purview Managed Storage Account Queue private endpoint') +@description('The resource ID of the Purview Managed Storage Account Queue private endpoint.') output storageAccountQueuePrivateEndpointId string = !empty(storageAccountQueuePrivateEndpointName) ? 
storageQueuePe.outputs.resourceId : '' -@description('The resource ID of the Purview Managed Event Hub Namepsace private endpoint') +@description('The resource ID of the Purview Managed Event Hub Namepsace private endpoint.') output eventHubPrivateEndpointId string = !empty(eventHubPrivateEndpointName) ? eventHubPe.outputs.resourceId : '' diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md index 4783be9fee..48c6f7435f 100644 --- a/modules/Microsoft.Purview/accounts/readme.md +++ b/modules/Microsoft.Purview/accounts/readme.md 
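Review bot: The changed line for `eventHubPrivateEndpointId` only appends a full stop and keeps the misspelling `Namepsace`, which the readme output table then reproduces. Suggested text: `@description('The resource ID of the Purview Managed Event Hub Namespace private endpoint.')`.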
@@ -29,17 +29,18 @@ This module deploys . | Parameter Name | Type | Description | | :-- | :-- | :-- | | `managedResourceGroupName` | string | The Managed Resource Group Name. | +| `name` | string | Name of the Purview Account | **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `accountPrivateEndpointName` | string | `''` | Name of the Purview Account Private Endpoint. Required for the Purview account Private Endpoint. | -| `eventHubPrivateEndpointName` | string | `''` | Name of the managed Event Hub Namespace Private Endpoint. Required for the managed Event Hub Namespace private endpoint. | -| `portalPrivateEndpointName` | string | `''` | Name of the Purview Portal Private Endpoint. Required for the Purview portal Private Endpoint. | -| `storageAccountBlobPrivateEndpointName` | string | `''` | Name of the managed Storage Account blob Private Endpoint. Required for the managed storage account blob private endpoint. | -| `storageAccountQueuePrivateEndpointName` | string | `''` | Name of the managed Storage Account queue Private Endpoint. Required for the managed storage account queue private endpoint | -| `subnetId` | string | `''` | Existing Subnet Resource ID to assign to the Private Endpoint. Required for Private Endpoints. | +| `accountPrivateEndpointName` | string | `''` | Name of the Purview Account Private Endpoint. Required if the Purview account Private Endpoint is required. | +| `eventHubPrivateEndpointName` | string | `''` | Name of the managed Event Hub Namespace Private Endpoint. Required if the managed Event Hub Namespace private endpoint is required. | +| `portalPrivateEndpointName` | string | `''` | Name of the Purview Portal Private Endpoint. Required if the Purview portal Private Endpoint is required. | +| `storageAccountBlobPrivateEndpointName` | string | `''` | Name of the managed Storage Account blob Private Endpoint. 
Required if the managed storage account blob private endpoint is required. | +| `storageAccountQueuePrivateEndpointName` | string | `''` | Name of the managed Storage Account queue Private Endpoint. Required if the managed storage account queue private endpoint is required. | +| `subnetId` | string | `''` | Existing Subnet Resource ID to assign to the Private Endpoint. Required if Private Endpoints are required. | **Optional parameters** @@ -58,6 +59,7 @@ This module deploys . | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `eventHubPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Event Hub Namespace private endpoint. | | `eventHubPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Event Hub Namespace private endpoint. | +| `location` | string | `[resourceGroup().location]` | | Azure location where the Purview Account will be created | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `portalPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Portal private endpoint. | | `portalPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Portal private endpoint. | 
@@ -67,23 +69,9 @@ This module deploys . | `storageAccountBlobPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account blob private endpoint. | | `storageAccountQueuePrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | | `storageAccountQueuePrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account queue private endpoint. | +| `tags` | object | `{object}` | | Resource Tags | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -**Azure location where the Purview Account will be created parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | - -**Name of the Purview Account parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | - -**Tags parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | - ### Parameter Usage: `` 
@@ -226,19 +214,19 @@ userAssignedIdentities: { | Output Name | Type | Description | | :-- | :-- | :-- | -| `accountName` | string | The name of the Microsoft Purview Account. | -| `accountPrivateEndpointId` | string | The resource ID of the Purview Account private endpoint | -| `eventHubPrivateEndpointId` | string | The resource ID of the Purview Managed Event Hub Namepsace private endpoint | +| `accountPrivateEndpointId` | string | The resource ID of the Purview Account private endpoint. | +| `eventHubPrivateEndpointId` | string | The resource ID of the Purview Managed Event Hub Namepsace private endpoint. | | `location` | string | The location the resource was deployed into. | -| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace | +| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace. | | `managedResourceGroupId` | string | The resource ID of the managed resource group. | | `managedResourceGroupName` | string | The name of the managed resource group. | | `managedStorageAccountId` | string | The resource ID of the managed storage account. | -| `portalPrivateEndpointId` | string | The resource ID of the Purview portal private endpoint | +| `name` | string | The name of the Microsoft Purview Account. | +| `portalPrivateEndpointId` | string | The resource ID of the Purview portal private endpoint. | | `resourceGroupName` | string | The resource group the Microsoft Purview Account was deployed into. | | `resourceId` | string | The resource ID of the Microsoft Purview Account. | -| `storageAccountBlobPrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Blob private endpoint | -| `storageAccountQueuePrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Queue private endpoint | +| `storageAccountBlobPrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Blob private endpoint. 
| +| `storageAccountQueuePrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Queue private endpoint. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules @@ -270,19 +258,40 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { managedResourceGroupName: '<>pviewcom002-managed-rg' name: '<>pviewcom002' // Non-required parameters + accountPrivateEndpointIP: '' accountPrivateEndpointName: 'pe-<>pviewcom002-account' + accountPrivateEndpointNicName: 'nic-pe-<>pviewcom002-account' diagnosticEventHubAuthorizationRuleId: '' diagnosticEventHubName: '' + diagnosticLogCategoriesToEnable: [ + 'allLogs' + ] diagnosticLogsRetentionInDays: 7 + diagnosticMetricsToEnable: [ + 'AllMetrics' + ] diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' + eventHubPrivateEndpointIP: '' eventHubPrivateEndpointName: 'pe-<>pviewcom002-eh' + eventHubPrivateEndpointNicName: 'nic-e-<>pviewcom002-eh' + location: '' + lock: '' + portalPrivateEndpointIP: '' portalPrivateEndpointName: 'pe-<>pviewcom002-portal' + portalPrivateEndpointNicName: 'nic-pe-<>pviewcom002-portal' publicNetworkAccess: 'Disabled' + roleAssignments: [] + storageAccountBlobPrivateEndpointIP: '' storageAccountBlobPrivateEndpointName: 'pe-<>pviewcom002-sa-blob-blob' + storageAccountBlobPrivateEndpointNicName: 'nic-pe-<>pviewcom002-sa-blob-blob' + storageAccountQueuePrivateEndpointIP: '' storageAccountQueuePrivateEndpointName: 'pe-<>pviewcom002-sa-queue-blob' + storageAccountQueuePrivateEndpointNicName: 'nic-pe-<>pviewcom002-sa-queue-blob' subnetId: '' + tags: '' + userAssignedIdentities: {} } } ``` 
@@ -307,18 +316,34 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { "value": "<>pviewcom002" }, // Non-required parameters + "accountPrivateEndpointIP": { + "value": "" + }, "accountPrivateEndpointName": { "value": "pe-<>pviewcom002-account" }, + "accountPrivateEndpointNicName": { + "value": "nic-pe-<>pviewcom002-account" + }, "diagnosticEventHubAuthorizationRuleId": { "value": "" }, "diagnosticEventHubName": { "value": "" }, + "diagnosticLogCategoriesToEnable": { + "value": [ + "allLogs" + ] + }, "diagnosticLogsRetentionInDays": { "value": 7 }, + "diagnosticMetricsToEnable": { + "value": [ + "AllMetrics" + ] + }, "diagnosticStorageAccountId": { "value": "" }, @@ -328,23 +353,62 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { "enableDefaultTelemetry": { "value": "" }, + "eventHubPrivateEndpointIP": { + "value": "" + }, "eventHubPrivateEndpointName": { "value": "pe-<>pviewcom002-eh" }, + "eventHubPrivateEndpointNicName": { + "value": "nic-e-<>pviewcom002-eh" + }, + "location": { + "value": "" + }, + "lock": { + "value": "" + }, + "portalPrivateEndpointIP": { + "value": "" + }, "portalPrivateEndpointName": { "value": "pe-<>pviewcom002-portal" }, + "portalPrivateEndpointNicName": { + "value": "nic-pe-<>pviewcom002-portal" + }, "publicNetworkAccess": { "value": "Disabled" }, + "roleAssignments": { + "value": [] + }, + "storageAccountBlobPrivateEndpointIP": { + "value": "" + }, "storageAccountBlobPrivateEndpointName": { "value": "pe-<>pviewcom002-sa-blob-blob" }, + "storageAccountBlobPrivateEndpointNicName": { + "value": "nic-pe-<>pviewcom002-sa-blob-blob" + }, + "storageAccountQueuePrivateEndpointIP": { + "value": "" + }, "storageAccountQueuePrivateEndpointName": { "value": "pe-<>pviewcom002-sa-queue-blob" }, + "storageAccountQueuePrivateEndpointNicName": { + "value": "nic-pe-<>pviewcom002-sa-queue-blob" + }, "subnetId": { "value": "" + }, + "tags": { + "value": "" + }, + "userAssignedIdentities": { + "value": {} } } } 
From bdab25f8a1ca342ef81c96e71ab1d4e81989c4ba Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:48:34 +1100 Subject: [PATCH 07/69] update readme --- modules/Microsoft.Purview/accounts/deploy.bicep | 8 ++++---- modules/Microsoft.Purview/accounts/readme.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 3afdc79d07..d2cdfb9098 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -1,10 +1,10 @@ -@description('Optional. Azure location where the Purview Account will be created') +@description('Optional. Azure location where the Purview Account will be created.') param location string = resourceGroup().location -@description('Required. Name of the Purview Account') +@description('Required. Name of the Purview Account.') param name string -@description('Optional. Resource Tags') +@description('Optional. Resource Tags.') param tags object = {} @description('Optional. The ID(s) to assign to the resource.') @@ -13,7 +13,7 @@ param userAssignedIdentities object = {} @description('Required. The Managed Resource Group Name.') param managedResourceGroupName string -@description('Optional. Enable or disable resource provider inbound network traffic from public clients. default is Disabled') +@description('Optional. Enable or disable resource provider inbound network traffic from public clients. default is Disabled.') @allowed([ 'Enabled' 'Disabled' diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md index 48c6f7435f..7d2521b142 100644 --- a/modules/Microsoft.Purview/accounts/readme.md +++ b/modules/Microsoft.Purview/accounts/readme.md 
@@ -29,7 +29,7 @@ This module deploys . | Parameter Name | Type | Description | | :-- | :-- | :-- | | `managedResourceGroupName` | string | The Managed Resource Group Name. | -| `name` | string | Name of the Purview Account | +| `name` | string | Name of the Purview Account. | **Conditional parameters** 
@@ -59,17 +59,17 @@ This module deploys . | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `eventHubPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Event Hub Namespace private endpoint. | | `eventHubPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Event Hub Namespace private endpoint. | -| `location` | string | `[resourceGroup().location]` | | Azure location where the Purview Account will be created | +| `location` | string | `[resourceGroup().location]` | | Azure location where the Purview Account will be created. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `portalPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Portal private endpoint. | | `portalPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Portal private endpoint. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled, NotSpecified]` | Enable or disable resource provider inbound network traffic from public clients. default is Disabled | +| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled, NotSpecified]` | Enable or disable resource provider inbound network traffic from public clients. default is Disabled. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `storageAccountBlobPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. 
| | `storageAccountBlobPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account blob private endpoint. | | `storageAccountQueuePrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | | `storageAccountQueuePrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account queue private endpoint. | -| `tags` | object | `{object}` | | Resource Tags | +| `tags` | object | `{object}` | | Resource Tags. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | From 1c86f63d3d421d020f2679cc26cad0935b2daa33 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 3 Feb 2023 23:53:29 +1100 Subject: [PATCH 08/69] add --- .../modulePipelines/ms.purview.accounts.yml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .azuredevops/modulePipelines/ms.purview.accounts.yml diff --git a/.azuredevops/modulePipelines/ms.purview.accounts.yml b/.azuredevops/modulePipelines/ms.purview.accounts.yml new file mode 100644 index 0000000000..ecc59bec88 --- /dev/null +++ b/.azuredevops/modulePipelines/ms.purview.accounts.yml 
@@ -0,0 +1,50 @@ +name: 'Purview - Accounts' + +parameters: + - name: staticValidation + displayName: Execute static validation + type: boolean + default: true + - name: deploymentValidation + displayName: Execute deployment validation + type: boolean + default: true + - name: removeDeployment + displayName: Remove deployed module + type: boolean + default: true + - name: prerelease + displayName: Publish prerelease module + type: boolean + default: false + +pr: none + +trigger: + batch: true + branches: + include: + - main + paths: + include: + - '/.azuredevops/modulePipelines/ms.purview.accounts.yml' + - '/.azuredevops/pipelineTemplates/*.yml' + - '/modules/Microsoft.Purview/accounts/*' + - '/utilities/pipelines/*' + exclude: + - '/utilities/pipelines/deploymentRemoval/*' + - '/**/*.md' + +variables: + - template: '../../settings.yml' + - group: 'PLATFORM_VARIABLES' + - name: modulePath + value: '/modules/Microsoft.Purview/accounts' + +stages: + - template: /.azuredevops/pipelineTemplates/stages.module.yml + parameters: + staticValidation: '${{ parameters.staticValidation }}' + deploymentValidation: '${{ parameters.deploymentValidation }}' + removeDeployment: '${{ parameters.removeDeployment }}' + prerelease: '${{ parameters.prerelease }}' From 2e628d39e7f65b414a82d2cfd85714ec794f21c1 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sat, 4 Feb 2023 00:12:49 +1100 Subject: [PATCH 09/69] update readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 093a326130..1c5acb7a32 100644 --- a/README.md +++ b/README.md 
@@ -108,6 +108,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | [Proximity Placement Groups](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Compute/proximityPlacementGroups) | [![Compute: ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute:%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Network/publicIPAddresses) | [![Network: PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network:%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Network/publicIPPrefixes) | [![Network: PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network:%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | +| [Purview Account](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Purview/accounts) | [![Purview: Accounts](https://github.com/Azure/ResourceModules/workflows/Purview:%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | [Recovery Services Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.RecoveryServices/vaults) | [![RecoveryServices: Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices:%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | [Registration Definitions](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.ManagedServices/registrationDefinitions) | [![ManagedServices: 
RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices:%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | [Resource Groups](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Resources/resourceGroups) | [![Resources: ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources:%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | From 110af53f61b03943c0203d4639a2e8224beb203e Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 16:55:44 +1100 Subject: [PATCH 10/69] update --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 1c5acb7a32..093a326130 100644 --- a/README.md +++ b/README.md 
@@ -108,7 +108,6 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | [Proximity Placement Groups](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Compute/proximityPlacementGroups) | [![Compute: ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute:%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Network/publicIPAddresses) | [![Network: PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network:%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Network/publicIPPrefixes) | [![Network: PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network:%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | -| [Purview Account](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Purview/accounts) | [![Purview: Accounts](https://github.com/Azure/ResourceModules/workflows/Purview:%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | [Recovery Services Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.RecoveryServices/vaults) | [![RecoveryServices: Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices:%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | [Registration Definitions](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.ManagedServices/registrationDefinitions) | [![ManagedServices: 
RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices:%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | [Resource Groups](https://github.com/Azure/ResourceModules/tree/main/modules/Microsoft.Resources/resourceGroups) | [![Resources: ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources:%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | From 3a34cc8ac1f53be569e59502c335d0ec128ad4f2 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 16:57:49 +1100 Subject: [PATCH 11/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index d2cdfb9098..cc3ada1de7 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -357,7 +357,7 @@ output name string = purviewAccount.name @description('The resource group the Microsoft Purview Account was deployed into.') output resourceGroupName string = resourceGroup().name -@description('The resource ID of the Microsoft Purview Account.') +@description('The resource ID of the Purview Account.') output resourceId string = purviewAccount.id @description('The location the resource was deployed into.') From 45086aeb69b552567838dc8eb17b14e0957b42fe Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:02:00 +1100 Subject: [PATCH 12/69] update built-in roles --- .../accounts/.bicep/nested_roleAssignments.bicep | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) 
diff --git a/modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep
index 604cd4bd00..0287728458 100644
--- a/modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep
+++ b/modules/Microsoft.Purview/accounts/.bicep/nested_roleAssignments.bicep
@@ -35,25 +35,17 @@ param delegatedManagedIdentityResourceId string = '' var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'641177b8-a67a-45b9-a033-47bc880bb21e') 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed HSM contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d') 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Purview role 1 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a3c2885-9b38-4fd2-9d99-91af537c1347') + 'Purview role 2 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '200bba9e-f0c8-430f-892b-6f0794863803') + 'Purview role 3 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ff100721-1b9d-43d8-af52-42b69c1272db') Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') From 059e899119abd9ce8950101a3a2e89efe95154d7 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:03:57 +1100 Subject: [PATCH 13/69] update --- .../accounts/.test/common/dependencies.bicep | 68 ++++++++++--------- 1 file changed, 35 insertions(+), 33 deletions(-) 
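Review bot: The three `Purview role N (Deprecated)` entries added to `builtInRoleNames` make role definitions that their own label marks as deprecated part of the module's name-addressable interface, so new deployments can be pointed at them simply by display name. If they are retained for compatibility with existing assignments, a comment above them such as `// Retained for existing assignments only; the label marks these as deprecated` records the intent; otherwise dropping them, as the Key Vault and Managed HSM entries were dropped here, keeps the map to roles that are meaningful for a Purview account. The `builtInRoleNames` object appears to continue past the end of this hunk.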
diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
index 5119944dd2..1e6416dfdc 100644
--- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
@@ -7,50 +7,52 @@ param virtualNetworkName string @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +var addressPrefix = '10.0.0.0/16' + resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { - name: virtualNetworkName - location: location - properties: { - addressSpace: { - addressPrefixes: [ - '10.0.0.0/24' - ] - } - subnets: [ + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: '10.0.0.0/24' + serviceEndpoints: [ { - name: 'defaultSubnet' - properties: { - addressPrefix: '10.0.0.0/24' - serviceEndpoints: [ - { - service: 'Microsoft.KeyVault' - } - ] - } + service: 'Microsoft.KeyVault' } - ] - } + ] + } + } + ] + } } resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location + name: managedIdentityName + location: location } resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' - location: 'global' + name: 'privatelink.vaultcore.azure.net' + location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false } + } } @description('The resource ID of the created Virtual Network Subnet.') From 03fe483a10b086d4a496f099754d8bd712078d25 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Sun, 5 Feb 2023 17:04:54 +1100 Subject: [PATCH 14/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index cab979ee2c..5032c02225 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -14,7 +14,7 @@ param location string = deployment().location param tags object = {} @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pviewcom' +param serviceShort string = 'pvacom' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = false From 290dd96e513c361ab003b6028ce84c90adc71a0f Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:05:17 +1100 Subject: [PATCH 15/69] Update modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep index 98abe0a944..8611a026ce 100644 --- a/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep 
@@ -11,7 +11,7 @@ param resourceGroupName string = 'ms.purview-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pviewmin' +param serviceShort string = 'pvamin' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From ff50100ff85ded79e84a63403ea527a897a96400 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:13:24 +1100 Subject: [PATCH 16/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 5032c02225..7b02fc06f9 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -45,7 +45,7 @@ module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnost scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { - storageAccountName: 'dep<>diasa${serviceShort}03' + storageAccountName: 'dep<>diasa${serviceShort}01' logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}' eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}01' eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}01' From ee5c44a99a07ce8d916299cb471745d1dda17a71 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Sun, 5 Feb 2023 17:14:08 +1100 Subject: [PATCH 17/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../accounts/.test/common/deploy.test.bicep | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 7b02fc06f9..59ae482023 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -73,7 +73,15 @@ module testDeployment '../../deploy.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - roleAssignments: [] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + nestedDependencies.outputs.managedIdentityPrincipalId + ] + principalType: 'ServicePrincipal' + } + ] subnetId: resourceGroupResources.outputs.subnetResourceId accountPrivateEndpointName: 'pe-<>${serviceShort}002-account' accountPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-account' From e7c18876e201364bb62e5f4faf09e51e5cf02be0 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:14:32 +1100 Subject: [PATCH 18/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 59ae482023..dc41f7ee42 100644 
--- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -65,7 +65,9 @@ module testDeployment '../../deploy.bicep' = { name: '<>${serviceShort}002' location: location tags: tags - userAssignedIdentities: {} + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } managedResourceGroupName: '<>${serviceShort}002-managed-rg' publicNetworkAccess: 'Disabled' diagnosticLogsRetentionInDays: 7 From 73b677e54f4ffc635adfa70d09aff9ece4adb57f Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:13:03 +1100 Subject: [PATCH 19/69] update --- .../accounts/.test/common/dependencies.bicep | 83 ++++++++++++++++++- 1 file changed, 79 insertions(+), 4 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 1e6416dfdc..19cac02cdb 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -39,8 +39,8 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } -resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.vaultcore.azure.net' +resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.purview.azure.com' location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { 
@@ -55,11 +55,86 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { } } +resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.purviewstudio.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.blob.core.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.queue.core.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.servicebus.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId -@description('The resource ID of the created Private DNS Zone.') 
-output privateDNSResourceId string = privateDNSZone.id +@description('The resource ID of the created Private DNS Zone for Purview Account.') +output purviewAccountPrivateDNSResourceId string = privateDNSZone_account.id + +@description('The resource ID of the created Private DNS Zone for Purview Portal.') +output purviewPortalPrivateDNSResourceId string = privateDNSZone_portal.id + +@description('The resource ID of the created Private DNS Zone for Storage Account Blob.') +output storageBlobPrivateDNSResourceId string = privateDNSZone_blob.id + +@description('The resource ID of the created Private DNS Zone for Storage Account Queue.') +output storageQueuePrivateDNSResourceId string = privateDNSZone_queue.id + +@description('The resource ID of the created Private DNS Zone for Event Hub Namespace.') +output eventHubPrivateDNSResourceId string = privateDNSZone_eh.id From 9718305fb76da489f0f75ec1627475eda3b2cbcd Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:32:43 +1100 Subject: [PATCH 20/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index cc3ada1de7..1d7c3c5b06 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -1,4 +1,8 @@ -@description('Optional. Azure location where the Purview Account will be created.') +@description('Required. Name of the Purview Account.') +param name string + +@description('Optional. Location for all resources.) +param location string = resourceGroup().location param location string = resourceGroup().location @description('Required. Name of the Purview Account.') From 743bbe9d3247f046147884930210ec7ee1a1c2ec Mon Sep 17 00:00:00 2001 
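Review bot: The four private DNS zone resources added in this hunk, together with privateDNSZone_account from the previous hunk, are the same fifteen lines repeated with only the zone name changed; a loop over a list of zone names would express the pattern once and keep the set of zones in one place. With the zones as an indexed collection the five outputs below become `privateDNSZones[0].id` through `privateDNSZones[4].id`, while the child `virtualNetworkLinks` reference their parent by index. The sketch below replaces all five zone resources; the outputs keep their current names and descriptions.
```bicep
// … unchanged: virtualNetwork, managedIdentity …
var privateDnsZoneNames = [
  'privatelink.purview.azure.com'
  'privatelink.purviewstudio.azure.com'
  'privatelink.blob.core.windows.net'
  'privatelink.queue.core.windows.net'
  'privatelink.servicebus.windows.net'
]

resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for zoneName in privateDnsZoneNames: {
  name: zoneName
  location: 'global'
}]

resource virtualNetworkLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (zoneName, i) in privateDnsZoneNames: {
  parent: privateDNSZones[i]
  name: '${virtualNetwork.name}-vnetlink'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: virtualNetwork.id
    }
    registrationEnabled: false
  }
}]
// … unchanged: subnetResourceId and managedIdentityPrincipalId outputs; zone outputs switch to privateDNSZones[i].id …
```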
From: Tao Yang Date: Sun, 5 Feb 2023 17:33:13 +1100 Subject: [PATCH 21/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index dc41f7ee42..121854d8e3 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -103,6 +103,6 @@ module testDeployment '../../deploy.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry diagnosticLogCategoriesToEnable: [ 'allLogs' ] diagnosticMetricsToEnable: [ 'AllMetrics' ] - lock: '' + lock: 'CanNotDelete' } } From a672a524828a9d3a644bfe0a2d9458bf7fd2d010 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:33:54 +1100 Subject: [PATCH 22/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 1d7c3c5b06..bb6b20dd8b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -8,7 +8,7 @@ param location string = resourceGroup().location @description('Required. Name of the Purview Account.') param name string -@description('Optional. Resource Tags.') +@description('Optional. Tags of the resource.') param tags object = {} @description('Optional. The ID(s) to assign to the resource.') From e1ae14df49820afe8abe7c9dfd1a2e7e50742051 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Sun, 5 Feb 2023 17:34:17 +1100 Subject: [PATCH 23/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index bb6b20dd8b..0be04a72d1 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -17,7 +17,7 @@ param userAssignedIdentities object = {} @description('Required. The Managed Resource Group Name.') param managedResourceGroupName string -@description('Optional. Enable or disable resource provider inbound network traffic from public clients. default is Disabled.') +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ 'Enabled' 'Disabled' From 7c2f2daea89de1f8ece12bf5f9969e3f0e2d6427 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:43:47 +1100 Subject: [PATCH 24/69] update --- .../accounts/.test/common/dependencies.bicep | 5 ----- .../accounts/.test/common/deploy.test.bicep | 12 +++++++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 19cac02cdb..981aceaa7e 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -23,11 +23,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { name: 'defaultSubnet' properties: { addressPrefix: '10.0.0.0/24' - serviceEndpoints: [ - { - service: 'Microsoft.KeyVault' - } - ] } } ] 
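Review bot: The new description of `publicNetworkAccess` promises that the value "will be disabled by default if private endpoints are set", but nothing in the module implements that: the patch 25 hunk only changes the parameter default to `'NotSpecified'`, and the resource body shown in patch 26 (`publicNetworkAccess: publicNetworkAccess`) passes the parameter through unchanged. Either derive the value from the private endpoint parameters, e.g. `publicNetworkAccess: publicNetworkAccess != 'NotSpecified' ? publicNetworkAccess : (!empty(accountPrivateEndpointName) || !empty(portalPrivateEndpointName) ? 'Disabled' : 'Enabled')`, or trim the description to what the module actually does. If `'NotSpecified'` is intended to let the service choose, the description should say that instead, because a reader relying on the current wording would assume public access is off once private endpoints exist.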
diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 121854d8e3..d9e16997cd 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -25,6 +25,16 @@ param enableDefaultTelemetry bool = false // General resources // ================= + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-<>-vnet-${serviceShort}' + managedIdentityName: 'dep-<>-msi-${serviceShort}' + } +} + resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { name: resourceGroupName location: location @@ -66,7 +76,7 @@ module testDeployment '../../deploy.bicep' = { location: location tags: tags userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + '${nestedDependencies.outputs.managedIdentityPrincipalId}': {} } managedResourceGroupName: '<>${serviceShort}002-managed-rg' publicNetworkAccess: 'Disabled' From 36de801ee91603c8d785f73d1f493f5407380b4b Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 17:56:44 +1100 Subject: [PATCH 25/69] update --- .../accounts/.test/min/deploy.test.bicep | 1 - modules/Microsoft.Purview/accounts/deploy.bicep | 10 ++++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep index 8611a026ce..fbc4ea6ccd 100644 --- a/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/min/deploy.test.bicep 
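Review bot: `userAssignedIdentities` is keyed by the identity's resource ID, so replacing the key with `managedIdentityPrincipalId` in the second hunk produces an identity map the deployment will reject; the earlier form from patch 18 (`managedIdentityResourceId`) had the right shape and only lacked a matching output in dependencies.bicep, whose visible outputs at patch 19 expose just the principal ID and the DNS zones. Add `@description('The resource ID of the created Managed Identity.')` followed by `output managedIdentityResourceId string = managedIdentity.id` to dependencies.bicep and keep the key as `'${nestedDependencies.outputs.managedIdentityResourceId}': {}`. The testDeployment module body continues outside the hunk.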
@@ -37,7 +37,6 @@ module testDeployment '../../deploy.bicep' = { params: { name: '<>${serviceShort}001' managedResourceGroupName: '<>${serviceShort}001-managed-rg' - publicNetworkAccess: 'Enabled' enableDefaultTelemetry: enableDefaultTelemetry } } diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 0be04a72d1..77a811217b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -1,12 +1,10 @@ @description('Required. Name of the Purview Account.') +@minLength(3) +@maxLength(63) param name string -@description('Optional. Location for all resources.) +@description('Optional. Location for all resources.') param location string = resourceGroup().location -param location string = resourceGroup().location - -@description('Required. Name of the Purview Account.') -param name string @description('Optional. Tags of the resource.') param tags object = {} @@ -23,7 +21,7 @@ param managedResourceGroupName string 'Disabled' 'NotSpecified' ]) -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = 'NotSpecified' @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) From af5d34e67809a5fb9703696979c3fcbf71d7cbce Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 18:06:32 +1100 Subject: [PATCH 26/69] update --- .../Microsoft.Purview/accounts/deploy.bicep | 52 ++++++++++--------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 77a811217b..7b2cf4ed82 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -12,8 +12,8 @@ param tags object = {} @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@description('Required. The Managed Resource Group Name.') -param managedResourceGroupName string +@description('Optional. The Managed Resource Group Name. Default to \'managed-rg-\'.') +param managedResourceGroupName string = '' @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ @@ -127,6 +127,8 @@ param lock string = '' // =========== // // Variables // // =========== // +var managedRgName = !empty(managedResourceGroupName) ? managedResourceGroupName : 'managed-rg-${name}' + var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): { category: category enabled: true 
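Review bot: The new description of `managedResourceGroupName` states the default is `'managed-rg-'`, but the `managedRgName` variable added in the second hunk falls back to `'managed-rg-${name}'`, so the documented default is incomplete and a reader cannot tell the account name is appended. Suggest `@description('Optional. The Managed Resource Group Name. Defaults to \'managed-rg-<name>\' when left empty.')`. The variables section continues outside the hunk.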
@@ -180,25 +182,25 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource purviewAccount 'Microsoft.Purview/accounts@2021-07-01' = { +resource account 'Microsoft.Purview/accounts@2021-07-01' = { name: name location: location tags: tags identity: any(identity) properties: { cloudConnectors: {} - managedResourceGroupName: managedResourceGroupName + managedResourceGroupName: managedRgName publicNetworkAccess: publicNetworkAccess } } resource purview_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${purviewAccount.name}-${lock}-lock' + name: '${account.name}-${lock}-lock' properties: { level: any(lock) notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } - scope: purviewAccount + scope: account } resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { @@ -211,16 +213,16 @@ resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021- metrics: diagnosticsMetrics logs: diagnosticsLogs } - scope: purviewAccount + scope: account } -module purviewAccountPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(accountPrivateEndpointName)) { +module accountPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(accountPrivateEndpointName)) { name: take('purview-account-pe-${name}-${deploymentNameSuffix}', 64) params: { name: accountPrivateEndpointName tags: tags subnetResourceId: subnetId - serviceResourceId: purviewAccount.id + serviceResourceId: account.id enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'account' 
@@ -240,13 +242,13 @@ module purviewAccountPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' } } -module purviewPortalPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(portalPrivateEndpointName)) { +module portalPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(portalPrivateEndpointName)) { name: take('purview-portal-pe-${name}-${deploymentNameSuffix}', 64) params: { name: portalPrivateEndpointName tags: tags subnetResourceId: subnetId - serviceResourceId: purviewAccount.id + serviceResourceId: account.id enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'portal' @@ -271,7 +273,7 @@ module storageBlobPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = i name: storageAccountBlobPrivateEndpointName tags: tags subnetResourceId: subnetId - serviceResourceId: purviewAccount.properties.managedResources.storageAccount + serviceResourceId: account.properties.managedResources.storageAccount enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'blob' @@ -296,7 +298,7 @@ module storageQueuePe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = name: storageAccountQueuePrivateEndpointName tags: tags subnetResourceId: subnetId - serviceResourceId: purviewAccount.properties.managedResources.storageAccount + serviceResourceId: account.properties.managedResources.storageAccount enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'queue' @@ -321,7 +323,7 @@ module eventHubPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if ( name: eventHubPrivateEndpointName tags: tags subnetResourceId: subnetId - serviceResourceId: purviewAccount.properties.managedResources.eventHubNamespace + serviceResourceId: account.properties.managedResources.eventHubNamespace enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'namespace' 
@@ -349,42 +351,42 @@ module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (rol roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: purviewAccount.id + resourceId: account.id } }] @description('The name of the Microsoft Purview Account.') -output name string = purviewAccount.name +output name string = account.name @description('The resource group the Microsoft Purview Account was deployed into.') output resourceGroupName string = resourceGroup().name @description('The resource ID of the Purview Account.') -output resourceId string = purviewAccount.id +output resourceId string = account.id @description('The location the resource was deployed into.') -output location string = purviewAccount.location +output location string = account.location @description('The name of the managed resource group.') -output managedResourceGroupName string = purviewAccount.properties.managedResourceGroupName +output managedResourceGroupName string = account.properties.managedResourceGroupName @description('The resource ID of the managed resource group.') -output managedResourceGroupId string = purviewAccount.properties.managedResources.resourceGroup +output managedResourceGroupId string = account.properties.managedResources.resourceGroup @description('The resource ID of the managed storage account.') -output managedStorageAccountId string = purviewAccount.properties.managedResources.storageAccount +output managedStorageAccountId string = account.properties.managedResources.storageAccount @description('The resource ID of the managed Event Hub Namespace.') -output managedEventHubId string = purviewAccount.properties.managedResources.eventHubNamespace +output managedEventHubId string = 
account.properties.managedResources.eventHubNamespace @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = purviewAccount.identity.principalId +output systemAssignedPrincipalId string = account.identity.principalId @description('The resource ID of the Purview Account private endpoint.') -output accountPrivateEndpointId string = !empty(accountPrivateEndpointName) ? purviewAccountPE.outputs.resourceId : '' +output accountPrivateEndpointId string = !empty(accountPrivateEndpointName) ? accountPE.outputs.resourceId : '' @description('The resource ID of the Purview portal private endpoint.') -output portalPrivateEndpointId string = !empty(portalPrivateEndpointName) ? purviewPortalPE.outputs.resourceId : '' +output portalPrivateEndpointId string = !empty(portalPrivateEndpointName) ? portalPE.outputs.resourceId : '' @description('The resource ID of the Purview Managed Storage Account Blob private endpoint.') output storageAccountBlobPrivateEndpointId string = !empty(storageAccountBlobPrivateEndpointName) ? storageBlobPe.outputs.resourceId : '' From ba61d800395d7274ca506222a36024e0583c17d8 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 20:03:10 +1100 Subject: [PATCH 27/69] update --- .../accounts/.test/common/deploy.test.bicep | 66 ++++- .../Microsoft.Purview/accounts/deploy.bicep | 251 ++++++---------- modules/Microsoft.Purview/accounts/readme.md | 274 ++++++++++-------- 3 files changed, 300 insertions(+), 291 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index d9e16997cd..be9f2fcbbc 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep 
@@ -94,22 +94,56 @@ module testDeployment '../../deploy.bicep' = { principalType: 'ServicePrincipal' } ] - subnetId: resourceGroupResources.outputs.subnetResourceId - accountPrivateEndpointName: 'pe-<>${serviceShort}002-account' - accountPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-account' - accountPrivateEndpointIP: '' - portalPrivateEndpointName: 'pe-<>${serviceShort}002-portal' - portalPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-portal' - portalPrivateEndpointIP: '' - storageAccountBlobPrivateEndpointName: 'pe-<>${serviceShort}002-sa-blob-blob' - storageAccountBlobPrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-sa-blob-blob' - storageAccountBlobPrivateEndpointIP: '' - storageAccountQueuePrivateEndpointName: 'pe-<>${serviceShort}002-sa-queue-blob' - storageAccountQueuePrivateEndpointNicName: 'nic-pe-<>${serviceShort}002-sa-queue-blob' - storageAccountQueuePrivateEndpointIP: '' - eventHubPrivateEndpointName: 'pe-<>${serviceShort}002-eh' - eventHubPrivateEndpointNicName: 'nic-e-<>${serviceShort}002-eh' - eventHubPrivateEndpointIP: '' + accountPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.purviewAccountPrivateDNSResourceId + ] + } + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + portalPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.purviewPortalPrivateDNSResourceId + ] + } + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.storageBlobPrivateDNSResourceId + ] + } + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.storageQueuePrivateDNSResourceId + ] + } + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + 
eventHubPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.eventHubPrivateDNSResourceId + ] + } + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] enableDefaultTelemetry: enableDefaultTelemetry diagnosticLogCategoriesToEnable: [ 'allLogs' ] diagnosticMetricsToEnable: [ 'AllMetrics' ] diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 7b2cf4ed82..b5e901256b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
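Review bot: Every private endpoint in this hunk targets `nestedDependencies.outputs.subnetResourceId`, and the `defaultSubnet` created in dependencies.bicep (patch 13, trimmed in patch 24) sets no `privateEndpointNetworkPolicies`; if the API default for that property is `Enabled`, private endpoint creation on that subnet fails, so it is worth confirming against the 2022-01-01 API default. Setting `privateEndpointNetworkPolicies: 'Disabled'` in the subnet properties in dependencies.bicep would make the test self-contained either way. The five endpoint arrays also repeat the same `privateDnsZoneGroup`/`subnetResourceId` shape with only the zone ID changing, which is acceptable in a test but could be a single object built per zone.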
@@ -43,53 +43,20 @@ param diagnosticEventHubName string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@description('Conditional. Existing Subnet Resource ID to assign to the Private Endpoint. Required if Private Endpoints are required.') -param subnetId string = '' +@description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param accountPrivateEndpoints array = [] -@description('Conditional. Name of the Purview Account Private Endpoint. Required if the Purview account Private Endpoint is required.') -param accountPrivateEndpointName string = '' +@description('Optional. Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param portalPrivateEndpoints array = [] -@description('Optional. The custom name of the network interface attached to the Purview Account private endpoint.') -param accountPrivateEndpointNicName string = '' +@description('Optional. Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param storageBlobPrivateEndpoints array = [] -@description('Optional. The static privavte IP address for the Purview Account private endpoint.') -param accountPrivateEndpointIP string = '' +@description('Optional. Configuration details for Purview Managed Storage Account queue private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible.') +param storageQueuePrivateEndpoints array = [] -@description('Conditional. Name of the Purview Portal Private Endpoint. Required if the Purview portal Private Endpoint is required.') -param portalPrivateEndpointName string = '' - -@description('Optional. The custom name of the network interface attached to the Purview Portal private endpoint.') -param portalPrivateEndpointNicName string = '' - -@description('Optional. The static privavte IP address for the Purview Portal private endpoint.') -param portalPrivateEndpointIP string = '' - -@description('Conditional. Name of the managed Storage Account blob Private Endpoint. Required if the managed storage account blob private endpoint is required.') -param storageAccountBlobPrivateEndpointName string = '' - -@description('Optional. The custom name of the network interface attached to the managed Storage Account blob private endpoint.') -param storageAccountBlobPrivateEndpointNicName string = '' - -@description('Optional. The static private IP address for the managed Storage Account blob private endpoint.') -param storageAccountBlobPrivateEndpointIP string = '' - -@description('Conditional. Name of the managed Storage Account queue Private Endpoint. Required if the managed storage account queue private endpoint is required.') -param storageAccountQueuePrivateEndpointName string = '' - -@description('Optional. The custom name of the network interface attached to the managed Storage Account queue private endpoint.') -param storageAccountQueuePrivateEndpointNicName string = '' - -@description('Optional. The static private IP address for the managed Storage Account blob private endpoint.') -param storageAccountQueuePrivateEndpointIP string = '' - -@description('Conditional. Name of the managed Event Hub Namespace Private Endpoint. 
Required if the managed Event Hub Namespace private endpoint is required.') -param eventHubPrivateEndpointName string = '' - -@description('Optional. The custom name of the network interface attached to the managed Event Hub Namespace private endpoint.') -param eventHubPrivateEndpointNicName string = '' - -@description('Optional. The static private IP address for the managed Event Hub Namespace private endpoint.') -param eventHubPrivateEndpointIP string = '' +@description('Optional. Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param eventHubPrivateEndpoints array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -166,8 +133,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var deploymentNameSuffix = last(split(deployment().name, '-')) - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
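Review bot: The five new `…PrivateEndpoints array` parameters document neither the per-item schema nor that `subnetResourceId` is mandatory, although the modules that consume them read `privateEndpoint.subnetResourceId` unconditionally and `contains()`-guard every other key. A consumer who omits it gets an ARM property error at deployment time with no hint from the description. I would state the contract in each description, e.g. `@description('Optional. Configuration details for Purview Account private endpoints. Each item requires subnetResourceId; name, privateDnsZoneGroup, ipConfigurations, applicationSecurityGroups, customNetworkInterfaceName, customDnsConfigs, manualPrivateLinkServiceConnections, roleAssignments, tags and lock are optional. For security reasons, it is recommended to use private endpoints whenever possible.')`, with the same sentence on the portal, blob, queue and Event Hub parameters. The readme in this patch also documents `publicNetworkAccess` as now defaulting to `'NotSpecified'` and claims it is disabled when private endpoints are set; the deploy.bicep change backing that claim is outside this hunk, so I could not confirm it.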
@@ -216,131 +181,120 @@ resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021- scope: account } -module accountPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(accountPrivateEndpointName)) { - name: take('purview-account-pe-${name}-${deploymentNameSuffix}', 64) +module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in accountPrivateEndpoints: { + name: '${uniqueString(deployment().name, location)}-purview-account-PrivateEndpoint-${index}' params: { - name: accountPrivateEndpointName - tags: tags - subnetResourceId: subnetId - serviceResourceId: account.id - enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'account' ] - ipConfigurations: !empty(accountPrivateEndpointIP) ? [ - { - name: 'ipconfig1' - properties: { - groupId: 'account' - memberName: 'default' - privateIPAddress: accountPrivateEndpointIP - } - } - ] : [] - customNetworkInterfaceName: accountPrivateEndpointNicName - lock: lock + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: account.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } -} +}] -module portalPE '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(portalPrivateEndpointName)) { - name: take('purview-portal-pe-${name}-${deploymentNameSuffix}', 64) +module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in portalPrivateEndpoints: { + name: '${uniqueString(deployment().name, location)}-purview-portal-PrivateEndpoint-${index}' params: { - name: portalPrivateEndpointName - tags: tags - subnetResourceId: subnetId - serviceResourceId: account.id - enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'portal' ] - ipConfigurations: !empty(accountPrivateEndpointIP) ? [ - { - name: 'ipconfig1' - properties: { - groupId: 'portal' - memberName: 'default' - privateIPAddress: portalPrivateEndpointIP - } - } - ] : [] - customNetworkInterfaceName: portalPrivateEndpointNicName + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: account.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? 
privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } -} +}] -module storageBlobPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(storageAccountBlobPrivateEndpointName)) { - name: take('purview-sa-blob-pe-${name}-${deploymentNameSuffix}', 64) +module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in storageBlobPrivateEndpoints: { + name: '${uniqueString(deployment().name, location)}-purview-storage-blob-PrivateEndpoint-${index}' params: { - name: storageAccountBlobPrivateEndpointName - tags: tags - subnetResourceId: subnetId - serviceResourceId: account.properties.managedResources.storageAccount - enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'blob' ] - ipConfigurations: !empty(accountPrivateEndpointIP) ? [ - { - name: 'ipconfig1' - properties: { - groupId: 'blob' - memberName: 'default' - privateIPAddress: storageAccountBlobPrivateEndpointIP - } - } - ] : [] - customNetworkInterfaceName: storageAccountBlobPrivateEndpointNicName + name: contains(privateEndpoint, 'name') ? 
privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: account.properties.managedResources.storageAccount + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? 
privateEndpoint.customNetworkInterfaceName : '' } -} +}] -module storageQueuePe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(storageAccountQueuePrivateEndpointName)) { - name: take('purview-sa-queue-pe-${name}-${deploymentNameSuffix}', 64) +module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in storageQueuePrivateEndpoints: { + name: '${uniqueString(deployment().name, location)}-purview-storage-queue-PrivateEndpoint-${index}' params: { - name: storageAccountQueuePrivateEndpointName - tags: tags - subnetResourceId: subnetId - serviceResourceId: account.properties.managedResources.storageAccount - enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'queue' ] - ipConfigurations: !empty(accountPrivateEndpointIP) ? [ - { - name: 'ipconfig1' - properties: { - groupId: 'queue' - memberName: 'default' - privateIPAddress: storageAccountQueuePrivateEndpointIP - } - } - ] : [] - customNetworkInterfaceName: storageAccountQueuePrivateEndpointNicName + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: account.properties.managedResources.storageAccount + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? 
privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } -} +}] -module eventHubPe '../../Microsoft.Network/privateEndpoints/deploy.bicep' = if (!empty(eventHubPrivateEndpointName)) { - name: take('purview-eh-pe-${name}-${deploymentNameSuffix}', 64) +module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in eventHubPrivateEndpoints: { + name: '${uniqueString(deployment().name, location)}-purview-event-hub-PrivateEndpoint-${index}' params: { - name: eventHubPrivateEndpointName - tags: tags - subnetResourceId: subnetId - serviceResourceId: account.properties.managedResources.eventHubNamespace - enableDefaultTelemetry: enableReferencedModulesTelemetry groupIds: [ 'namespace' ] - ipConfigurations: !empty(accountPrivateEndpointIP) ? [ - { - name: 'ipconfig1' - properties: { - groupId: 'namespace' - memberName: 'default' - privateIPAddress: eventHubPrivateEndpointIP - } - } - ] : [] - customNetworkInterfaceName: eventHubPrivateEndpointNicName + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: account.properties.managedResources.eventHubNamespace + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? 
privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } -} +}] module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-KeyVault-Rbac-${index}' 
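Review bot: Every one of the five new `[for …]` private-endpoint modules derives its default `name` from `privateEndpoint.service`, but nothing in this module defines or documents a `service` key on the endpoint object (the common test and readme examples pass only `privateDnsZoneGroup` and `subnetResourceId`), so any caller that omits `name` fails at deployment with a missing-property error. Since each module already pins its group ID, the default should use that literal instead, e.g. in `account_privateEndpoints`: `name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-account-${index}'`, and likewise `portal`, `blob`, `queue` and `namespace` in the other four modules; the resulting names stay distinct across the five resource types for the same account and index. The blob, queue and Event Hub endpoints also name themselves after the Purview account rather than the managed storage account or namespace they actually attach to, which is harmless but worth a one-line comment so operators are not surprised when looking for the NIC. The `purview_roleAssignments` module at the end of this hunk continues past it, and the diagnostic-settings resource at the top starts before it.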
@@ -381,18 +335,3 @@ output managedEventHubId string = account.properties.managedResources.eventHubNa @description('The principal ID of the system assigned identity.') output systemAssignedPrincipalId string = account.identity.principalId - -@description('The resource ID of the Purview Account private endpoint.') -output accountPrivateEndpointId string = !empty(accountPrivateEndpointName) ? accountPE.outputs.resourceId : '' - -@description('The resource ID of the Purview portal private endpoint.') -output portalPrivateEndpointId string = !empty(portalPrivateEndpointName) ? portalPE.outputs.resourceId : '' - -@description('The resource ID of the Purview Managed Storage Account Blob private endpoint.') -output storageAccountBlobPrivateEndpointId string = !empty(storageAccountBlobPrivateEndpointName) ? storageBlobPe.outputs.resourceId : '' - -@description('The resource ID of the Purview Managed Storage Account Queue private endpoint.') -output storageAccountQueuePrivateEndpointId string = !empty(storageAccountQueuePrivateEndpointName) ? storageQueuePe.outputs.resourceId : '' - -@description('The resource ID of the Purview Managed Event Hub Namepsace private endpoint.') -output eventHubPrivateEndpointId string = !empty(eventHubPrivateEndpointName) ? eventHubPe.outputs.resourceId : '' diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md index 7d2521b142..20f5e22005 100644 --- a/modules/Microsoft.Purview/accounts/readme.md +++ b/modules/Microsoft.Purview/accounts/readme.md @@ -1,7 +1,6 @@ -# `[Microsoft.Purview/accounts]` +# Purview Accounts `[Microsoft.Purview/accounts]` -This module deploys . -// TODO: Replace Resource and fill in description +This module deploys Purview Accounts. ## Navigation 
@@ -28,26 +27,13 @@ This module deploys . | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `managedResourceGroupName` | string | The Managed Resource Group Name. | | `name` | string | Name of the Purview Account. | -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `accountPrivateEndpointName` | string | `''` | Name of the Purview Account Private Endpoint. Required if the Purview account Private Endpoint is required. | -| `eventHubPrivateEndpointName` | string | `''` | Name of the managed Event Hub Namespace Private Endpoint. Required if the managed Event Hub Namespace private endpoint is required. | -| `portalPrivateEndpointName` | string | `''` | Name of the Purview Portal Private Endpoint. Required if the Purview portal Private Endpoint is required. | -| `storageAccountBlobPrivateEndpointName` | string | `''` | Name of the managed Storage Account blob Private Endpoint. Required if the managed storage account blob private endpoint is required. | -| `storageAccountQueuePrivateEndpointName` | string | `''` | Name of the managed Storage Account queue Private Endpoint. Required if the managed storage account queue private endpoint is required. | -| `subnetId` | string | `''` | Existing Subnet Resource ID to assign to the Private Endpoint. Required if Private Endpoints are required. | - **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `accountPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Account private endpoint. | -| `accountPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Account private endpoint. | +| `accountPrivateEndpoints` | array | `[]` | | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
| | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. | 
@@ -57,26 +43,19 @@ This module deploys . | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventHubPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Event Hub Namespace private endpoint. | -| `eventHubPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Event Hub Namespace private endpoint. | -| `location` | string | `[resourceGroup().location]` | | Azure location where the Purview Account will be created. | +| `eventHubPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `portalPrivateEndpointIP` | string | `''` | | The static privavte IP address for the Purview Portal private endpoint. | -| `portalPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the Purview Portal private endpoint. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled, NotSpecified]` | Enable or disable resource provider inbound network traffic from public clients. default is Disabled. | +| `managedResourceGroupName` | string | `''` | | The Managed Resource Group Name. 
Default to 'managed-rg-'. | +| `portalPrivateEndpoints` | array | `[]` | | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `publicNetworkAccess` | string | `'NotSpecified'` | `[Disabled, Enabled, NotSpecified]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `storageAccountBlobPrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | -| `storageAccountBlobPrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account blob private endpoint. | -| `storageAccountQueuePrivateEndpointIP` | string | `''` | | The static private IP address for the managed Storage Account blob private endpoint. | -| `storageAccountQueuePrivateEndpointNicName` | string | `''` | | The custom name of the network interface attached to the managed Storage Account queue private endpoint. | -| `tags` | object | `{object}` | | Resource Tags. | +| `storageBlobPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `storageQueuePrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account queue private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible. | +| `tags` | object | `{object}` | | Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `` - -// TODO: Fill in Parameter usage - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. 
@@ -214,19 +193,14 @@ userAssignedIdentities: { | Output Name | Type | Description | | :-- | :-- | :-- | -| `accountPrivateEndpointId` | string | The resource ID of the Purview Account private endpoint. | -| `eventHubPrivateEndpointId` | string | The resource ID of the Purview Managed Event Hub Namepsace private endpoint. | | `location` | string | The location the resource was deployed into. | | `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace. | | `managedResourceGroupId` | string | The resource ID of the managed resource group. | | `managedResourceGroupName` | string | The name of the managed resource group. | | `managedStorageAccountId` | string | The resource ID of the managed storage account. | | `name` | string | The name of the Microsoft Purview Account. | -| `portalPrivateEndpointId` | string | The resource ID of the Purview portal private endpoint. | | `resourceGroupName` | string | The resource group the Microsoft Purview Account was deployed into. | -| `resourceId` | string | The resource ID of the Microsoft Purview Account. | -| `storageAccountBlobPrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Blob private endpoint. | -| `storageAccountQueuePrivateEndpointId` | string | The resource ID of the Purview Managed Storage Account Queue private endpoint. | +| `resourceId` | string | The resource ID of the Purview Account. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules 
@@ -252,15 +226,21 @@ The following module usage examples are retrieved from the content of the files ```bicep module accounts './Microsoft.Purview/accounts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-test-pviewcom' + name: '${uniqueString(deployment().name)}-test-pvacom' params: { // Required parameters - managedResourceGroupName: '<>pviewcom002-managed-rg' - name: '<>pviewcom002' + name: '<>pvacom002' // Non-required parameters - accountPrivateEndpointIP: '' - accountPrivateEndpointName: 'pe-<>pviewcom002-account' - accountPrivateEndpointNicName: 'nic-pe-<>pviewcom002-account' + accountPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + subnetResourceId: '' + } + ] diagnosticEventHubAuthorizationRuleId: '' diagnosticEventHubName: '' diagnosticLogCategoriesToEnable: [ 
@@ -273,25 +253,63 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - eventHubPrivateEndpointIP: '' - eventHubPrivateEndpointName: 'pe-<>pviewcom002-eh' - eventHubPrivateEndpointNicName: 'nic-e-<>pviewcom002-eh' + eventHubPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + subnetResourceId: '' + } + ] location: '' - lock: '' - portalPrivateEndpointIP: '' - portalPrivateEndpointName: 'pe-<>pviewcom002-portal' - portalPrivateEndpointNicName: 'nic-pe-<>pviewcom002-portal' + lock: 'CanNotDelete' + managedResourceGroupName: '<>pvacom002-managed-rg' + portalPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + subnetResourceId: '' + } + ] publicNetworkAccess: 'Disabled' - roleAssignments: [] - storageAccountBlobPrivateEndpointIP: '' - storageAccountBlobPrivateEndpointName: 'pe-<>pviewcom002-sa-blob-blob' - storageAccountBlobPrivateEndpointNicName: 'nic-pe-<>pviewcom002-sa-blob-blob' - storageAccountQueuePrivateEndpointIP: '' - storageAccountQueuePrivateEndpointName: 'pe-<>pviewcom002-sa-queue-blob' - storageAccountQueuePrivateEndpointNicName: 'nic-pe-<>pviewcom002-sa-queue-blob' - subnetId: '' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + subnetResourceId: '' + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + subnetResourceId: '' + } + ] tags: '' - userAssignedIdentities: {} + userAssignedIdentities: { + '': {} + } } } ``` 
@@ -309,21 +327,21 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { "contentVersion": "1.0.0.0", "parameters": { // Required parameters - "managedResourceGroupName": { - "value": "<>pviewcom002-managed-rg" - }, "name": { - "value": "<>pviewcom002" + "value": "<>pvacom002" }, // Non-required parameters - "accountPrivateEndpointIP": { - "value": "" - }, - "accountPrivateEndpointName": { - "value": "pe-<>pviewcom002-account" - }, - "accountPrivateEndpointNicName": { - "value": "nic-pe-<>pviewcom002-account" + "accountPrivateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "subnetResourceId": "" + } + ] }, "diagnosticEventHubAuthorizationRuleId": { "value": "" 
@@ -353,62 +371,84 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { "enableDefaultTelemetry": { "value": "" }, - "eventHubPrivateEndpointIP": { - "value": "" - }, - "eventHubPrivateEndpointName": { - "value": "pe-<>pviewcom002-eh" - }, - "eventHubPrivateEndpointNicName": { - "value": "nic-e-<>pviewcom002-eh" + "eventHubPrivateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "subnetResourceId": "" + } + ] }, "location": { "value": "" }, "lock": { - "value": "" + "value": "CanNotDelete" }, - "portalPrivateEndpointIP": { - "value": "" - }, - "portalPrivateEndpointName": { - "value": "pe-<>pviewcom002-portal" + "managedResourceGroupName": { + "value": "<>pvacom002-managed-rg" }, - "portalPrivateEndpointNicName": { - "value": "nic-pe-<>pviewcom002-portal" + "portalPrivateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "subnetResourceId": "" + } + ] }, "publicNetworkAccess": { "value": "Disabled" }, "roleAssignments": { - "value": [] - }, - "storageAccountBlobPrivateEndpointIP": { - "value": "" - }, - "storageAccountBlobPrivateEndpointName": { - "value": "pe-<>pviewcom002-sa-blob-blob" - }, - "storageAccountBlobPrivateEndpointNicName": { - "value": "nic-pe-<>pviewcom002-sa-blob-blob" - }, - "storageAccountQueuePrivateEndpointIP": { - "value": "" - }, - "storageAccountQueuePrivateEndpointName": { - "value": "pe-<>pviewcom002-sa-queue-blob" + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] }, - "storageAccountQueuePrivateEndpointNicName": { - "value": "nic-pe-<>pviewcom002-sa-queue-blob" + "storageBlobPrivateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "subnetResourceId": "" + } + ] }, - "subnetId": { - "value": "" + "storageQueuePrivateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + 
"privateDNSResourceIds": [ + "" + ] + }, + "subnetResourceId": "" + } + ] }, "tags": { "value": "" }, "userAssignedIdentities": { - "value": {} + "value": { + "": {} + } } } } @@ -425,14 +465,13 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { ```bicep module accounts './Microsoft.Purview/accounts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-test-pviewmin' + name: '${uniqueString(deployment().name)}-test-pvamin' params: { // Required parameters - managedResourceGroupName: '<>pviewmin001-managed-rg' - name: '<>pviewmin001' + name: '<>pvamin001' // Non-required parameters enableDefaultTelemetry: '' - publicNetworkAccess: 'Enabled' + managedResourceGroupName: '<>pvamin001-managed-rg' } } ``` @@ -450,18 +489,15 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { "contentVersion": "1.0.0.0", "parameters": { // Required parameters - "managedResourceGroupName": { - "value": "<>pviewmin001-managed-rg" - }, "name": { - "value": "<>pviewmin001" + "value": "<>pvamin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" }, - "publicNetworkAccess": { - "value": "Enabled" + "managedResourceGroupName": { + "value": "<>pvamin001-managed-rg" } } } From a5b2fd017458703385d6ff9987597187eb35c303 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 20:22:27 +1100 Subject: [PATCH 28/69] update github action yaml --- .github/workflows/ms.purview.accounts.yml | 27 ++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ms.purview.accounts.yml b/.github/workflows/ms.purview.accounts.yml index c1f2ef9c2e..5adf1336c0 100644 --- a/.github/workflows/ms.purview.accounts.yml +++ b/.github/workflows/ms.purview.accounts.yml 
@@ -3,6 +3,16 @@ name: 'Purview: Accounts' on: workflow_dispatch: inputs: + staticValidation: + type: boolean + description: 'Execute static validation' + required: false + default: true + deploymentValidation: + type: boolean + description: 'Execute deployment validation' + required: false + default: true removeDeployment: type: boolean description: 'Remove deployed module' @@ -66,9 +76,12 @@ jobs: ######################### # Static validation # ######################### - job_module_pester_validation: + job_module_static_validation: runs-on: ubuntu-20.04 name: 'Static validation' + if: (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).staticValidation == 'true' + needs: + - job_initialize_pipeline steps: - name: 'Checkout' uses: actions/checkout@v3 @@ -89,10 +102,14 @@ jobs: ############################# job_module_deploy_validation: runs-on: ubuntu-20.04 - name: 'Deployment validation' + name: 'Deploying' + if: | + !cancelled() && + (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).deploymentValidation == 'true' && + needs.job_module_static_validation.result != 'failure' needs: - job_initialize_pipeline - - job_module_pester_validation + - job_module_static_validation strategy: fail-fast: false matrix: @@ -106,6 +123,9 @@ jobs: uses: ./.github/actions/templates/setEnvironmentVariables with: variablesPath: ${{ env.variablesPath }} + # ------------------- # + ## Deploy & Remove ## + # ------------------- # - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: @@ -145,3 +165,4 @@ jobs: bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}' bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' + publishLatest: '${{ env.publishLatest }}' From dcce9aab191c92d70de95b89cccf30883127a32e Mon Sep 17 00:00:00 2001 
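Review bot: The publish step now passes `publishLatest: '${{ env.publishLatest }}'` (last hunk), but nothing in this diff declares `publishLatest` under `env`; if it is expected to be loaded by the setEnvironmentVariables step from the shared settings file, confirm that key exists there, because an undefined env variable expands to an empty string instead of failing the job. In the deployment job, `needs.job_module_static_validation.result != 'failure'` also lets deployment proceed when static validation was skipped or cancelled, which is presumably intended so the new `staticValidation` toggle works, but deserves a comment such as `# static validation may be skipped via workflow input; only a hard failure blocks deployment`. The `== 'true'` comparisons assume `workflowInput` carries the inputs as strings; that value is produced by job_initialize_pipeline outside these hunks.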
From: Tao Yang Date: Sun, 5 Feb 2023 20:40:34 +1100 Subject: [PATCH 29/69] update --- .../accounts/.test/common/dependencies.bicep | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 981aceaa7e..42feea5fde 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -53,7 +53,9 @@ resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purviewstudio.azure.com' location: 'global' - + dependsOn: [ + privateDNSZone_account + ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' @@ -69,7 +71,9 @@ resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' - + dependsOn: [ + privateDNSZone_portal + ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' @@ -85,7 +89,9 @@ resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' - + dependsOn: [ + privateDNSZone_blob + ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' 
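Review bot: The added `dependsOn` entries chain four otherwise unrelated private DNS zones into a serial deployment (this hunk and the `@@ -69`, `@@ -85` and `@@ -101` hunks) without saying why, so the next reader will take the ordering for an accident and remove it. Record the constraint once above the first chained zone, for example `// Deliberately serialized: creating the VNet links of several zones in parallel against the same VNet is presumed to conflict — TODO confirm the actual error`. The commit subject `update` gives no hint either.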
@@ -101,7 +107,9 @@ resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' - + dependsOn: [ + privateDNSZone_queue + ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' From 7afd7398538a418c62155bd41a3ccf1bb535a8ec Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 21:10:24 +1100 Subject: [PATCH 30/69] update --- .../accounts/.test/common/dependencies.bicep | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 42feea5fde..f05f399896 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -53,12 +53,12 @@ resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purviewstudio.azure.com' location: 'global' - dependsOn: [ - privateDNSZone_account - ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' + dependsOn: [ + privateDNSZone_account::virtualNetworkLinks + ] properties: { virtualNetwork: { id: virtualNetwork.id 
@@ -71,12 +71,12 @@ resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' - dependsOn: [ - privateDNSZone_portal - ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' + dependsOn: [ + privateDNSZone_portal::virtualNetworkLinks + ] properties: { virtualNetwork: { id: virtualNetwork.id @@ -89,12 +89,12 @@ resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' - dependsOn: [ - privateDNSZone_blob - ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' + dependsOn: [ + privateDNSZone_blob::virtualNetworkLinks + ] properties: { virtualNetwork: { id: virtualNetwork.id @@ -107,12 +107,12 @@ resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' - dependsOn: [ - privateDNSZone_queue - ] resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { name: '${virtualNetwork.name}-vnetlink' location: 'global' + dependsOn: [ + privateDNSZone_queue::virtualNetworkLinks + ] properties: { virtualNetwork: { id: virtualNetwork.id From b0dd8abcec500093cb5dcb2372bfb612a526fb7a Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 21:34:12 +1100 Subject: [PATCH 31/69] update --- .../accounts/.test/common/dependencies.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index f05f399896..2b6ebefc37 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -39,7 +39,7 @@ resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' + name: '${virtualNetwork.name}-account-vnetlink' location: 'global' properties: { virtualNetwork: { @@ -54,7 +54,7 @@ resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = name: 'privatelink.purviewstudio.azure.com' location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' + name: '${virtualNetwork.name}-portal-vnetlink' location: 'global' dependsOn: [ privateDNSZone_account::virtualNetworkLinks @@ -72,7 +72,7 @@ resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' + name: '${virtualNetwork.name}-blob-vnetlink' location: 'global' dependsOn: [ privateDNSZone_portal::virtualNetworkLinks @@ -90,7 +90,7 @@ resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' + name: '${virtualNetwork.name}-queue-vnetlink' location: 'global' dependsOn: [ privateDNSZone_blob::virtualNetworkLinks 
@@ -108,7 +108,7 @@ resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-vnetlink' + name: '${virtualNetwork.name}-eh-vnetlink' location: 'global' dependsOn: [ privateDNSZone_queue::virtualNetworkLinks From 5edb4d79e56dcc54e830a35cdf8771dd7cdebffa Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 23:18:53 +1100 Subject: [PATCH 32/69] update --- .../accounts/.test/common/dependencies.bicep | 63 ------------------- 1 file changed, 63 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 2b6ebefc37..624e8f17a7 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep 
@@ -37,89 +37,26 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purview.azure.com' location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-account-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purviewstudio.azure.com' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-portal-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_account::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-blob-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_portal::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-queue-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_blob::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' - resource virtualNetworkLinks 
'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-eh-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_queue::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id From 39454bea38036bd610f68d6778eaed94d0ebc390 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 23:23:37 +1100 Subject: [PATCH 33/69] update --- .../accounts/.test/common/dependencies.bicep | 63 +++++++++++++++++++ .../Microsoft.Purview/accounts/deploy.bicep | 10 +-- 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 624e8f17a7..2b6ebefc37 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep 
@@ -37,26 +37,89 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purview.azure.com' location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-account-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } } resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purviewstudio.azure.com' location: 'global' + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-portal-vnetlink' + location: 'global' + dependsOn: [ + privateDNSZone_account::virtualNetworkLinks + ] + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } } resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-blob-vnetlink' + location: 'global' + dependsOn: [ + privateDNSZone_portal::virtualNetworkLinks + ] + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } } resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-queue-vnetlink' + location: 'global' + dependsOn: [ + privateDNSZone_blob::virtualNetworkLinks + ] + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } } resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' + resource virtualNetworkLinks 
'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-eh-vnetlink' + location: 'global' + dependsOn: [ + privateDNSZone_queue::virtualNetworkLinks + ] + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } } @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index b5e901256b..9227eb0845 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -187,7 +187,7 @@ module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy groupIds: [ 'account' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-account-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -210,7 +210,7 @@ module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy. groupIds: [ 'portal' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-portal-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry 
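Review bot: The hard-coded service segment in the default name (`-account-` here, and `-portal-`, `-blob-`, `-queue-`, `-namespace-` in the `@@ -210`, `@@ -233`, `@@ -256` and `@@ -279` hunks) repeats the literal already given in `groupIds` two lines above, so the two can drift apart on the next edit; a file-level variable per endpoint type (e.g. `var accountGroupId = 'account'`) used in both `groupIds` and the name keeps them in sync. `last(split(account.id, '/'))` is also just the account's name — if `account` is the Purview account resource symbol declared earlier in the file (outside this hunk), `account.name` reads more directly. The enclosing module loops start and end outside the hunks.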
@@ -233,7 +233,7 @@ module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bi groupIds: [ 'blob' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-blob-${index}' serviceResourceId: account.properties.managedResources.storageAccount subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -256,7 +256,7 @@ module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.b groupIds: [ 'queue' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-queue-${index}' serviceResourceId: account.properties.managedResources.storageAccount subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -279,7 +279,7 @@ module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deplo groupIds: [ 'namespace' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-namespace-${index}' serviceResourceId: account.properties.managedResources.eventHubNamespace subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry From 05e8433bd6d934dd31d17fd9bd7313b9e060adef Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 5 Feb 2023 23:44:11 +1100 Subject: [PATCH 34/69] fix --- .../accounts/.test/common/dependencies.bicep | 63 ------------------- 1 file changed, 63 deletions(-) 
diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
index 2b6ebefc37..624e8f17a7 100644
--- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
@@ -37,89 +37,26 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purview.azure.com' location: 'global' - - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-account-vnetlink' - location: 'global' - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.purviewstudio.azure.com' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-portal-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_account::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-blob-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_portal::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.queue.core.windows.net' location: 'global' - resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-queue-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_blob::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.servicebus.windows.net' location: 'global' - resource virtualNetworkLinks 
'virtualNetworkLinks@2020-06-01' = { - name: '${virtualNetwork.name}-eh-vnetlink' - location: 'global' - dependsOn: [ - privateDNSZone_queue::virtualNetworkLinks - ] - properties: { - virtualNetwork: { - id: virtualNetwork.id - } - registrationEnabled: false - } - } } @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id From 424f7f46ecf02142c389d660f94c42c85be47446 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 00:06:05 +1100 Subject: [PATCH 35/69] update --- .../accounts/.test/common/dependencies.bicep | 44 +++++++------------ 1 file changed, 17 insertions(+), 27 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index 624e8f17a7..aa100b27e4 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -9,6 +9,14 @@ param managedIdentityName string var addressPrefix = '10.0.0.0/16' +var privateDNSZoneNames = [ + 'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.queue.core.windows.net' + 'privatelink.servicebus.windows.net' +] + resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { name: virtualNetworkName location: location 
@@ -34,30 +42,12 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } -resource privateDNSZone_account 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.purview.azure.com' +@batchSize(1) +resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDNSZone in privateDNSZoneNames: { + name: privateDNSZone location: 'global' -} +}] -resource privateDNSZone_portal 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.purviewstudio.azure.com' - location: 'global' -} - -resource privateDNSZone_blob 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.blob.core.windows.net' - location: 'global' -} - -resource privateDNSZone_queue 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.queue.core.windows.net' - location: 'global' -} - -resource privateDNSZone_eh 'Microsoft.Network/privateDnsZones@2020-06-01' = { - name: 'privatelink.servicebus.windows.net' - location: 'global' -} @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id 
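Review bot: `@batchSize(1)` forces the five zones to deploy one after another, but the hunk gives no reason, and the earlier commits in this series added and removed the same serialization several times without recording why. Add a comment above the decorator such as `// Serialized on purpose: parallel creation of these zones is presumed to conflict in this test — TODO confirm and drop the batch size if it is not needed`. Without it the decorator reads as a leftover and will be removed the next time someone tunes deployment time.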
@@ -65,16 +55,16 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id output managedIdentityPrincipalId string = managedIdentity.properties.principalId @description('The resource ID of the created Private DNS Zone for Purview Account.') -output purviewAccountPrivateDNSResourceId string = privateDNSZone_account.id +output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id @description('The resource ID of the created Private DNS Zone for Purview Portal.') -output purviewPortalPrivateDNSResourceId string = privateDNSZone_portal.id +output purviewPortalPrivateDNSResourceId string = privateDNSZones[1].id @description('The resource ID of the created Private DNS Zone for Storage Account Blob.') -output storageBlobPrivateDNSResourceId string = privateDNSZone_blob.id +output storageBlobPrivateDNSResourceId string = privateDNSZones[2].id @description('The resource ID of the created Private DNS Zone for Storage Account Queue.') -output storageQueuePrivateDNSResourceId string = privateDNSZone_queue.id +output storageQueuePrivateDNSResourceId string = privateDNSZones[3].id @description('The resource ID of the created Private DNS Zone for Event Hub Namespace.') -output eventHubPrivateDNSResourceId string = privateDNSZone_eh.id +output eventHubPrivateDNSResourceId string = privateDNSZones[4].id From 193f7f710e6d18c9bb69c946a169b7c486e027b4 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 08:21:57 +1100 Subject: [PATCH 36/69] fix --- .../accounts/.test/common/deploy.test.bicep | 9 --------- 1 file changed, 9 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index be9f2fcbbc..0b7a801d03 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep 
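Review bot: The outputs now select zones by literal position (`privateDNSZones[0]` through `privateDNSZones[4]`), which couples them silently to the order of `privateDNSZoneNames` declared in the `@@ -9` hunk; reordering or inserting a zone there would make every output below return the wrong zone with no compile error. At minimum annotate the array, `// Order matters: the outputs at the bottom reference these zones by index`, or look the index up by zone name so the dependency is explicit. The output names themselves are unchanged, so callers are unaffected.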
@@ -40,15 +40,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { location: location } -module resourceGroupResources 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-paramNested' - params: { - virtualNetworkName: 'dep-<>-vnet-${serviceShort}' - managedIdentityName: 'dep-<>-msi-${serviceShort}' - } -} - // Diagnostics // =========== module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = { From 4ba4888a0a4820cfe7a55ffae9d29d28d532d129 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 09:24:17 +1100 Subject: [PATCH 37/69] fix --- .../Microsoft.Purview/accounts/.test/common/dependencies.bicep | 2 ++ .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index aa100b27e4..a18ff39c19 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep @@ -54,6 +54,8 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id @description('The resource ID of the created Private DNS Zone for Purview Account.') output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 0b7a801d03..bd2c8efe62 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep 
+++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -67,7 +67,7 @@ module testDeployment '../../deploy.bicep' = { location: location tags: tags userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityPrincipalId}': {} + '${nestedDependencies.outputs.managedIdentityResourceId}': {} } managedResourceGroupName: '<>${serviceShort}002-managed-rg' publicNetworkAccess: 'Disabled' From 36216e29b021298bacd7dfe209af78f19f846485 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 09:47:08 +1100 Subject: [PATCH 38/69] updated readme --- modules/Microsoft.Purview/accounts/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md index 20f5e22005..8955e8d92d 100644 --- a/modules/Microsoft.Purview/accounts/readme.md +++ b/modules/Microsoft.Purview/accounts/readme.md @@ -308,7 +308,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { ] tags: '' userAssignedIdentities: { - '': {} + '': {} } } } @@ -447,7 +447,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = { }, "userAssignedIdentities": { "value": { - "": {} + "": {} } } } From 4cc7e68bef37e980c1d31da7fbb6b2bacead15e0 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 13:39:02 +1100 Subject: [PATCH 39/69] Update modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../accounts/.test/common/dependencies.bicep | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep index a18ff39c19..9dd63803ba 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep 
@@ -54,8 +54,12 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId +@description('The resource ID of the created Managed Identity.') @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone for Purview Account.') +output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id @description('The resource ID of the created Private DNS Zone for Purview Account.') output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id From 01f3bc6c121636c8b1652d54aa809e373c390056 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 13:39:12 +1100 Subject: [PATCH 40/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index bd2c8efe62..401fc5bf87 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -69,7 +69,7 @@ module testDeployment '../../deploy.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } - managedResourceGroupName: '<>${serviceShort}002-managed-rg' + managedResourceGroupName: '<>${serviceShort}001-managed-rg' publicNetworkAccess: 'Disabled' diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId From f669fa72b49a22f5c897632794e5528c5200e66f Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 13:39:19 +1100 Subject: [PATCH 41/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 401fc5bf87..d553304c71 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -63,7 +63,7 @@ module testDeployment '../../deploy.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { - name: '<>${serviceShort}002' + name: '<>${serviceShort}001' location: location tags: tags userAssignedIdentities: { From e24b7da9a9d088e099030ea6372836619c3aa170 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 13:39:35 +1100 Subject: [PATCH 42/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index d553304c71..2ba58ba5fa 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -102,6 +102,7 @@ module testDeployment '../../deploy.bicep' = { nestedDependencies.outputs.purviewPortalPrivateDNSResourceId ] } + service: 'portal' subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] From cbf31139098265e061ea0c82b5a7dd8ea0df30d1 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 13:39:55 +1100 Subject: [PATCH 43/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 9227eb0845..4be80f6feb 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -297,7 +297,7 @@ module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deplo }] module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-KeyVault-Rbac-${index}' + name: '${uniqueString(deployment().name, location)}-Account-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' principalIds: roleAssignment.principalIds From 6e3b2680ab8d99785e74eec4f63b6d32cfdc25c6 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 13:43:16 +1100 Subject: [PATCH 44/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 4be80f6feb..455f73d48b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -274,7 +274,7 @@ module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.b }] module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in eventHubPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-purview-event-hub-PrivateEndpoint-${index}' + name: '${uniqueString(deployment().name, location)}-Eventhub-Namespace-PrivateEndpoint-${index}' params: { groupIds: [ 'namespace' From d356fd359dfca2994c1391554a80446b223c04fe Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:47:20 +1100 Subject: [PATCH 45/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 455f73d48b..9157319c29 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -309,7 +309,7 @@ module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (rol } }] -@description('The name of the Microsoft Purview Account.') +@description('The name of the Purview Account.') output name string = account.name @description('The resource group the Microsoft Purview Account was deployed into.') From 55b6c03bc72850e888abcb3d4eadfb859ea0d765 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:47:31 +1100 Subject: [PATCH 46/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 9157319c29..44a8520e8a 100644 
--- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -312,7 +312,7 @@ module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (rol @description('The name of the Purview Account.') output name string = account.name -@description('The resource group the Microsoft Purview Account was deployed into.') +@description('The resource group the Purview Account was deployed into.') output resourceGroupName string = resourceGroup().name @description('The resource ID of the Purview Account.') From c22263fea6d1952f0f8119b8d91b94e822c1375f Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:47:58 +1100 Subject: [PATCH 47/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 44a8520e8a..494be2f385 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -256,7 +256,7 @@ module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.b groupIds: [ 'queue' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-queue-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.storageAccount subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry From b2f788a80ea92288b812e6be5394b8fe2df8d346 Mon Sep 17 00:00:00 2001 
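Review bot: The default private endpoint name now reads `privateEndpoint.service`, so every element of `storageQueuePrivateEndpoints` must carry a `service` key or the deployment errors when the property is missing, where the previous hard-coded `'queue'` always resolved. If the key is meant to be optional, keep the old value as the fallback, `${contains(privateEndpoint, 'service') ? privateEndpoint.service : 'queue'}`; if it is meant to be required, the parameter description and readme (not in this hunk) should say so and list the values that are valid for this endpoint. Patches 48, 61, 64 and 67 add the same dependency to the namespace, account, portal and blob endpoint names. The `queue_privateEndpoints` module body continues outside the hunk.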
From: Tao Yang Date: Mon, 6 Feb 2023 18:48:09 +1100 Subject: [PATCH 48/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 494be2f385..99cad2fcf3 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -279,7 +279,7 @@ module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deplo groupIds: [ 'namespace' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-namespace-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.eventHubNamespace subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry From edff7f055481e2083526853274960f2bef251775 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:48:17 +1100 Subject: [PATCH 49/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 99cad2fcf3..e923c36e2b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -277,7 +277,7 @@ module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deplo name: '${uniqueString(deployment().name, location)}-Eventhub-Namespace-PrivateEndpoint-${index}' params: { groupIds: [ - 'namespace' + ${privateEndpoint.service} ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.eventHubNamespace From 0b762d9298478f4712fcecdbc9d4b9b1c3194a3a Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:48:32 +1100 Subject: [PATCH 50/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 2ba58ba5fa..ba6fd75d0d 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -92,6 +92,7 @@ module testDeployment '../../deploy.bicep' = { nestedDependencies.outputs.purviewAccountPrivateDNSResourceId ] } + service: 'account' subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] From 747d89eb6c8551c2d9a13b234c6d59fb4a8d49d2 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:48:53 +1100 Subject: [PATCH 51/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) 
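Review bot: `${privateEndpoint.service}` on the added `groupIds` line is string-interpolation syntax outside a string literal, which Bicep does not accept as an array element; it should be the bare expression `privateEndpoint.service`, as patch 60 writes it for `account_privateEndpoints`. The same form is added in patches 54 (queue), 63 (portal) and 66 (blob), so all four `groupIds` arrays need the same correction. The enclosing `eventHub_privateEndpoints` module body continues outside the hunk.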
diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index ba6fd75d0d..821227e73d 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -114,6 +114,7 @@ module testDeployment '../../deploy.bicep' = { nestedDependencies.outputs.storageBlobPrivateDNSResourceId ] } + service: 'blob' subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] From b34730e56e48a7a886c43696a68e6b9a6a5002eb Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:49:22 +1100 Subject: [PATCH 52/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index 821227e73d..ecfa929978 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -125,6 +125,7 @@ module testDeployment '../../deploy.bicep' = { nestedDependencies.outputs.storageQueuePrivateDNSResourceId ] } + service: 'queue' subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] From f52c5888bf5735007dfa84ca0b42ad05ae392df6 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:49:45 +1100 Subject: [PATCH 53/69] Update modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../Microsoft.Purview/accounts/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) 
diff --git a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep index ecfa929978..45c3bbdc3b 100644 --- a/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Purview/accounts/.test/common/deploy.test.bicep @@ -136,6 +136,7 @@ module testDeployment '../../deploy.bicep' = { nestedDependencies.outputs.eventHubPrivateDNSResourceId ] } + service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] From 5adb3466f94d1f5221728049bb97835807085332 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:50:18 +1100 Subject: [PATCH 54/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index e923c36e2b..645956b8fc 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -254,7 +254,7 @@ module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.b name: '${uniqueString(deployment().name, location)}-purview-storage-queue-PrivateEndpoint-${index}' params: { groupIds: [ - 'queue' + ${privateEndpoint.service} ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.storageAccount From 5814e8bed7e105092e3403992237112f1506f84d Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 18:51:45 +1100 Subject: [PATCH 55/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 645956b8fc..cfc53c37bb 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -12,7 +12,7 @@ param tags object = {} @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@description('Optional. The Managed Resource Group Name. Default to \'managed-rg-\'.') +@description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.') param managedResourceGroupName string = '' @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') From 1f567beab7d5c16c9b5708d695c121150e421b84 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:52:13 +1100 Subject: [PATCH 56/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index cfc53c37bb..041b58dccb 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -13,7 +13,7 @@ param tags object = {} param userAssignedIdentities object = {} @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.') -param managedResourceGroupName string = '' +param managedResourceGroupName string = 'managed-rg-${name}' @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ From 792334f1b26f9f383400515d1367f75e0197e13a Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:52:35 +1100 Subject: [PATCH 57/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 041b58dccb..54f0c21b74 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -94,7 +94,6 @@ param lock string = '' // =========== // // Variables // // =========== // -var managedRgName = !empty(managedResourceGroupName) ? managedResourceGroupName : 'managed-rg-${name}' var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): { category: category From ad68cf652d7e2ee16391601e498ee8bcdc89aa2b Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:53:00 +1100 Subject: [PATCH 58/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 54f0c21b74..ee91a39e18 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -153,7 +153,7 @@ resource account 'Microsoft.Purview/accounts@2021-07-01' = { identity: any(identity) properties: { cloudConnectors: {} - managedResourceGroupName: managedRgName + managedResourceGroupName: managedResourceGroupName publicNetworkAccess: publicNetworkAccess } } From 494bd0ff53cf1a3c3d8feb688da38fca405c6bc6 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:53:41 +1100 Subject: [PATCH 59/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index ee91a39e18..d15a4fb690 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -181,7 +181,7 @@ resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021- } module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in accountPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-purview-account-PrivateEndpoint-${index}' + name: '${uniqueString(deployment().name, location)}-Account-PrivateEndpoint-${index}' params: { groupIds: [ 'account' From cb3eeaa7966d5bd7ef316c5c51ce1d25d6052e32 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 18:53:59 +1100 Subject: [PATCH 60/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index d15a4fb690..9cbfffe5c6 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -184,7 +184,7 @@ module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy name: '${uniqueString(deployment().name, location)}-Account-PrivateEndpoint-${index}' params: { groupIds: [ - 'account' + privateEndpoint.service ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-account-${index}' serviceResourceId: account.id From bcd94b024ab60ca95a7a4de075c87051c5eb531d Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:55:50 +1100 Subject: [PATCH 61/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 9cbfffe5c6..c9b07875fc 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -186,7 +186,7 @@ module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-account-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry From cbeb96be1004f68de4dab1bfe7f1b965c02b951c Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:56:11 +1100 Subject: [PATCH 62/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index c9b07875fc..84b68d689d 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -204,7 +204,7 @@ module account_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy }] module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in portalPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-purview-portal-PrivateEndpoint-${index}' + name: '${uniqueString(deployment().name, location)}-Portal-PrivateEndpoint-${index}' params: { groupIds: [ 'portal' From 6abe49c390e50bc0659d1a93945b4b1600845c5b Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 18:56:29 +1100 Subject: [PATCH 63/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 84b68d689d..ec12cfe465 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -207,7 +207,7 @@ module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy. name: '${uniqueString(deployment().name, location)}-Portal-PrivateEndpoint-${index}' params: { groupIds: [ - 'portal' + ${privateEndpoint.service} ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-portal-${index}' serviceResourceId: account.id From 9d1af873bf7a57361063f22c973693c1f9694213 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:56:55 +1100 Subject: [PATCH 64/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index ec12cfe465..f627cd2f0a 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -209,7 +209,7 @@ module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy. groupIds: [ ${privateEndpoint.service} ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-portal-${index}' + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry From 68a6a4dacf11158adb6086dcdf618725728475ae Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:57:10 +1100 Subject: [PATCH 65/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index f627cd2f0a..d7be2f8a2b 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -227,7 +227,7 @@ module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy. }] module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in storageBlobPrivateEndpoints: { - name: '${uniqueString(deployment().name, location)}-purview-storage-blob-PrivateEndpoint-${index}' + name: '${uniqueString(deployment().name, location)}-Storage-Blob-PrivateEndpoint-${index}' params: { groupIds: [ 'blob' From 9d68a14daba60ed8a9c98839e89f0e2e70caa81b Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 6 Feb 2023 18:57:25 +1100 Subject: [PATCH 66/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index d7be2f8a2b..9a1bb2045f 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep @@ -230,7 +230,7 @@ module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bi name: '${uniqueString(deployment().name, location)}-Storage-Blob-PrivateEndpoint-${index}' params: { groupIds: [ - 'blob' + ${privateEndpoint.service} ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-blob-${index}' serviceResourceId: account.properties.managedResources.storageAccount From cc3dcde2196474fec139bb19b4250feea244bc61 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 6 Feb 2023 18:57:44 +1100 Subject: [PATCH 67/69] Update modules/Microsoft.Purview/accounts/deploy.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/Microsoft.Purview/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep index 9a1bb2045f..90198dcecb 100644 --- a/modules/Microsoft.Purview/accounts/deploy.bicep +++ b/modules/Microsoft.Purview/accounts/deploy.bicep 
@@ -232,7 +232,7 @@ module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bi
groupIds: [
${privateEndpoint.service}
]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-blob-${index}'
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: account.properties.managedResources.storageAccount
subnetResourceId: privateEndpoint.subnetResourceId
enableDefaultTelemetry: enableReferencedModulesTelemetry
From 67e65e1704dc835c6af9a05d0bc831ec5a8b995a Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Mon, 6 Feb 2023 18:58:49 +1100
Subject: [PATCH 68/69] Update modules/Microsoft.Purview/accounts/deploy.bicep
Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
---
modules/Microsoft.Purview/accounts/deploy.bicep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep
index 90198dcecb..017f06cf8d 100644
--- a/modules/Microsoft.Purview/accounts/deploy.bicep
+++ b/modules/Microsoft.Purview/accounts/deploy.bicep
@@ -250,7 +250,7 @@ module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bi
}]
module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in storageQueuePrivateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-purview-storage-queue-PrivateEndpoint-${index}'
+ name: '${uniqueString(deployment().name, location)}-Storage-Queue-PrivateEndpoint-${index}'
params: {
groupIds: [
${privateEndpoint.service}
From 9500d725920fc3167c174e8047a161bbeae0b113 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Mon, 6 Feb 2023 19:10:57 +1100
Subject: [PATCH 69/69] update
---
.../accounts/.test/common/dependencies.bicep | 3 --
.../Microsoft.Purview/accounts/deploy.bicep | 18 +++++-----
modules/Microsoft.Purview/accounts/readme.md | 34 ++++++++++++-------
3 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
index 9dd63803ba..0987da418b 100644
--- a/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Purview/accounts/.test/common/dependencies.bicep
@@ -54,12 +54,9 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id
@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-@description('The resource ID of the created Managed Identity.')
@description('The resource ID of the created Managed Identity.')
output managedIdentityResourceId string = managedIdentity.id
-@description('The resource ID of the created Private DNS Zone for Purview Account.')
-output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id
@description('The resource ID of the created Private DNS Zone for Purview Account.')
output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id
diff --git a/modules/Microsoft.Purview/accounts/deploy.bicep b/modules/Microsoft.Purview/accounts/deploy.bicep
index 017f06cf8d..56b162215c 100644
--- a/modules/Microsoft.Purview/accounts/deploy.bicep
+++ b/modules/Microsoft.Purview/accounts/deploy.bicep
@@ -43,19 +43,19 @@ param diagnosticEventHubName string = ''
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
-@description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+@description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'account\'.')
param accountPrivateEndpoints array = []
-@description('Optional. Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+@description('Optional. Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'portal\'.')
param portalPrivateEndpoints array = []
-@description('Optional. Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+@description('Optional. Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'blob\'.')
param storageBlobPrivateEndpoints array = []
-@description('Optional. Configuration details for Purview Managed Storage Account queue private endpoints.
For security reasons, it is recommended to use private endpoints whenever possible.')
+@description('Optional. Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'queue\'.')
param storageQueuePrivateEndpoints array = []
-@description('Optional. Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+@description('Optional. Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'namespace\'.')
param eventHubPrivateEndpoints array = []
@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -207,7 +207,7 @@ module portal_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.
name: '${uniqueString(deployment().name, location)}-Portal-PrivateEndpoint-${index}'
params: {
groupIds: [
- ${privateEndpoint.service}
+ privateEndpoint.service
]
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: account.id
@@ -230,7 +230,7 @@ module blob_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bi
name: '${uniqueString(deployment().name, location)}-Storage-Blob-PrivateEndpoint-${index}'
params: {
groupIds: [
- ${privateEndpoint.service}
+ privateEndpoint.service
]
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: account.properties.managedResources.storageAccount
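Review bot: `privateEndpoint.service` is read unguarded in the `@@ -207`, `@@ -230`, `@@ -253` and `@@ -276` hunks (`groupIds: [ privateEndpoint.service ]` and the default `name`), while `name` in the same objects is guarded with `contains(privateEndpoint, 'name')`; an object without `service` fails only at deployment time, and a wrong value is caught by nothing but the "Make sure the service property is set to …" sentences this hunk adds to the parameter descriptions. Each module already targets a fixed resource (`account.id`, `managedResources.storageAccount`, `managedResources.eventHubNamespace`) and the blob module carried a literal `'blob'` before patch 66 of this series, so the group ID could stay fixed per module, e.g. `groupIds: [ 'blob' ]`, and the descriptions would not need to push that choice to the caller. If `service` is meant to remain an input, a guarded read with a module-specific default, `contains(privateEndpoint, 'service') ? privateEndpoint.service : 'blob'`, would be consistent with how `name` is handled. The `param` declarations and the `module` bodies these hunks touch continue outside the hunks.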
@@ -253,7 +253,7 @@ module queue_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.b
name: '${uniqueString(deployment().name, location)}-Storage-Queue-PrivateEndpoint-${index}'
params: {
groupIds: [
- ${privateEndpoint.service}
+ privateEndpoint.service
]
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: account.properties.managedResources.storageAccount
@@ -276,7 +276,7 @@ module eventHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deplo
name: '${uniqueString(deployment().name, location)}-Eventhub-Namespace-PrivateEndpoint-${index}'
params: {
groupIds: [
- ${privateEndpoint.service}
+ privateEndpoint.service
]
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: account.properties.managedResources.eventHubNamespace
diff --git a/modules/Microsoft.Purview/accounts/readme.md b/modules/Microsoft.Purview/accounts/readme.md
index 8955e8d92d..5d03a1292a 100644
--- a/modules/Microsoft.Purview/accounts/readme.md
+++ b/modules/Microsoft.Purview/accounts/readme.md
@@ -33,7 +33,7 @@ This module deploys Purview Accounts.
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
-| `accountPrivateEndpoints` | array | `[]` | | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| `accountPrivateEndpoints` | array | `[]` | | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
@@ -43,15 +43,15 @@ This module deploys Purview Accounts.
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `eventHubPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| `eventHubPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. |
| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `managedResourceGroupName` | string | `''` | | The Managed Resource Group Name. Default to 'managed-rg-'. |
-| `portalPrivateEndpoints` | array | `[]` | | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| `managedResourceGroupName` | string | `[format('managed-rg-{0}', parameters('name'))]` | | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'.
|
+| `portalPrivateEndpoints` | array | `[]` | | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. |
| `publicNetworkAccess` | string | `'NotSpecified'` | `[Disabled, Enabled, NotSpecified]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `storageBlobPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `storageQueuePrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| `storageBlobPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. |
+| `storageQueuePrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'.
|
| `tags` | object | `{object}` | | Tags of the resource. |
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
@@ -198,8 +198,8 @@ userAssignedIdentities: {
| `managedResourceGroupId` | string | The resource ID of the managed resource group. |
| `managedResourceGroupName` | string | The name of the managed resource group. |
| `managedStorageAccountId` | string | The resource ID of the managed storage account. |
-| `name` | string | The name of the Microsoft Purview Account. |
-| `resourceGroupName` | string | The resource group the Microsoft Purview Account was deployed into. |
+| `name` | string | The name of the Purview Account. |
+| `resourceGroupName` | string | The resource group the Purview Account was deployed into. |
| `resourceId` | string | The resource ID of the Purview Account. |
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
@@ -229,7 +229,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-test-pvacom'
params: {
// Required parameters
- name: '<>pvacom002'
+ name: '<>pvacom001'
// Non-required parameters
accountPrivateEndpoints: [
{
@@ -238,6 +238,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
''
]
}
+ service: 'account'
subnetResourceId: ''
}
]
@@ -260,12 +261,13 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
''
]
}
+ service: 'namespace'
subnetResourceId: ''
}
]
location: ''
lock: 'CanNotDelete'
- managedResourceGroupName: '<>pvacom002-managed-rg'
+ managedResourceGroupName: '<>pvacom001-managed-rg'
portalPrivateEndpoints: [
{
privateDnsZoneGroup: {
@@ -273,6 +275,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
''
]
}
+ service: 'portal'
subnetResourceId: ''
}
]
@@ -293,6 +296,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
''
]
}
+ service: 'blob'
subnetResourceId: ''
}
]
@@ -303,6 +307,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
''
]
}
+ service: 'queue'
subnetResourceId: ''
}
]
@@ -328,7 +333,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
"parameters": {
// Required parameters
"name": {
- "value": "<>pvacom002"
+ "value": "<>pvacom001"
},
// Non-required parameters
"accountPrivateEndpoints": {
@@ -339,6 +344,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
""
]
},
+ "service": "account",
"subnetResourceId": ""
}
]
@@ -379,6 +385,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
""
]
},
+ "service": "namespace",
"subnetResourceId": ""
}
]
@@ -390,7 +397,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
"value": "CanNotDelete"
},
"managedResourceGroupName": {
- "value": "<>pvacom002-managed-rg"
+ "value": "<>pvacom001-managed-rg"
},
"portalPrivateEndpoints": {
"value": [
@@ -400,6 +407,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
""
]
},
+ "service": "portal",
"subnetResourceId": ""
}
]
@@ -426,6 +434,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
""
]
},
+ "service": "blob",
"subnetResourceId": ""
}
]
@@ -438,6 +447,7 @@ module accounts './Microsoft.Purview/accounts/deploy.bicep' = {
""
]
},
+ "service": "queue",
"subnetResourceId": ""
}
]