From 41adc2523d3d8103cad2e382a640b657e620f573 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Fri, 2 Jun 2023 12:16:57 -0400 Subject: [PATCH 01/66] Add Relay Support --- .../modulePipelines/ms.relay.namespaces.yml | 51 ++ .github/workflows/ms.relay.namespaces.yml | 85 ++ .../.bicep/nested_roleAssignments.bicep | 72 ++ .../.test/common/dependencies.bicep | 63 ++ .../namespaces/.test/common/main.test.bicep | 169 ++++ .../namespaces/.test/min/main.test.bicep | 42 + .../namespaces/.test/pe/dependencies.bicep | 49 ++ .../relay/namespaces/.test/pe/main.test.bicep | 70 ++ modules/relay/namespaces/README.md | 771 ++++++++++++++++++ .../namespaces/authorization-rules/README.md | 50 ++ .../namespaces/authorization-rules/main.bicep | 51 ++ .../authorization-rules/metadata.json | 6 + .../authorization-rules/version.json | 8 + .../.bicep/nested_roleAssignments.bicep | 72 ++ .../namespaces/hybrid-connections/README.md | 116 +++ .../authorization-rules/README.md | 51 ++ .../authorization-rules/main.bicep | 56 ++ .../authorization-rules/metadata.json | 6 + .../authorization-rules/version.json | 8 + .../namespaces/hybrid-connections/main.bicep | 122 +++ .../hybrid-connections/metadata.json | 6 + .../hybrid-connections/version.json | 8 + modules/relay/namespaces/main.bicep | 303 +++++++ modules/relay/namespaces/metadata.json | 6 + .../namespaces/network-rule-sets/README.md | 46 ++ .../namespaces/network-rule-sets/main.bicep | 59 ++ .../network-rule-sets/metadata.json | 6 + .../namespaces/network-rule-sets/version.json | 8 + modules/relay/namespaces/version.json | 8 + .../.bicep/nested_roleAssignments.bicep | 72 ++ modules/relay/namespaces/wcf-relays/README.md | 118 +++ .../wcf-relays/authorization-rules/README.md | 51 ++ .../wcf-relays/authorization-rules/main.bicep | 56 ++ .../authorization-rules/metadata.json | 6 + .../authorization-rules/version.json | 8 + .../relay/namespaces/wcf-relays/main.bicep | 134 +++ .../relay/namespaces/wcf-relays/metadata.json | 6 + .../relay/namespaces/wcf-relays/version.json | 8 + 
.../sites/.bicep/nested_roleAssignments.bicep | 1 + .../functionAppCommon/dependencies.bicep | 37 + .../.test/functionAppCommon/main.test.bicep | 8 + .../.test/webAppCommon/dependencies.bicep | 37 + .../sites/.test/webAppCommon/main.test.bicep | 15 +- modules/web/sites/README.md | 43 + .../web/sites/config--appsettings/main.bicep | 2 +- .../relays/README.md | 49 ++ .../relays/main.bicep | 60 ++ .../relays/metadata.json | 6 + .../relays/version.json | 8 + modules/web/sites/main.bicep | 14 + .../slots/.bicep/nested_roleAssignments.bicep | 1 + modules/web/sites/slots/README.md | 2 + .../slots/config--appsettings/main.bicep | 2 +- .../relays/README.md | 50 ++ .../relays/main.bicep | 63 ++ .../relays/metadata.json | 6 + .../relays/version.json | 8 + modules/web/sites/slots/main.bicep | 14 + 58 files changed, 3250 insertions(+), 3 deletions(-) create mode 100644 .azuredevops/modulePipelines/ms.relay.namespaces.yml create mode 100644 .github/workflows/ms.relay.namespaces.yml create mode 100644 modules/relay/namespaces/.bicep/nested_roleAssignments.bicep create mode 100644 modules/relay/namespaces/.test/common/dependencies.bicep create mode 100644 modules/relay/namespaces/.test/common/main.test.bicep create mode 100644 modules/relay/namespaces/.test/min/main.test.bicep create mode 100644 modules/relay/namespaces/.test/pe/dependencies.bicep create mode 100644 modules/relay/namespaces/.test/pe/main.test.bicep create mode 100644 modules/relay/namespaces/README.md create mode 100644 modules/relay/namespaces/authorization-rules/README.md create mode 100644 modules/relay/namespaces/authorization-rules/main.bicep create mode 100644 modules/relay/namespaces/authorization-rules/metadata.json create mode 100644 modules/relay/namespaces/authorization-rules/version.json create mode 100644 modules/relay/namespaces/hybrid-connections/.bicep/nested_roleAssignments.bicep create mode 100644 modules/relay/namespaces/hybrid-connections/README.md create mode 100644 
modules/relay/namespaces/hybrid-connections/authorization-rules/README.md create mode 100644 modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep create mode 100644 modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json create mode 100644 modules/relay/namespaces/hybrid-connections/authorization-rules/version.json create mode 100644 modules/relay/namespaces/hybrid-connections/main.bicep create mode 100644 modules/relay/namespaces/hybrid-connections/metadata.json create mode 100644 modules/relay/namespaces/hybrid-connections/version.json create mode 100644 modules/relay/namespaces/main.bicep create mode 100644 modules/relay/namespaces/metadata.json create mode 100644 modules/relay/namespaces/network-rule-sets/README.md create mode 100644 modules/relay/namespaces/network-rule-sets/main.bicep create mode 100644 modules/relay/namespaces/network-rule-sets/metadata.json create mode 100644 modules/relay/namespaces/network-rule-sets/version.json create mode 100644 modules/relay/namespaces/version.json create mode 100644 modules/relay/namespaces/wcf-relays/.bicep/nested_roleAssignments.bicep create mode 100644 modules/relay/namespaces/wcf-relays/README.md create mode 100644 modules/relay/namespaces/wcf-relays/authorization-rules/README.md create mode 100644 modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep create mode 100644 modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json create mode 100644 modules/relay/namespaces/wcf-relays/authorization-rules/version.json create mode 100644 modules/relay/namespaces/wcf-relays/main.bicep create mode 100644 modules/relay/namespaces/wcf-relays/metadata.json create mode 100644 modules/relay/namespaces/wcf-relays/version.json create mode 100644 modules/web/sites/hybrid-connection-namespaces/relays/README.md create mode 100644 modules/web/sites/hybrid-connection-namespaces/relays/main.bicep create mode 100644 
modules/web/sites/hybrid-connection-namespaces/relays/metadata.json create mode 100644 modules/web/sites/hybrid-connection-namespaces/relays/version.json create mode 100644 modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md create mode 100644 modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep create mode 100644 modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json create mode 100644 modules/web/sites/slots/hybrid-connection-namespaces/relays/version.json
diff --git a/.azuredevops/modulePipelines/ms.relay.namespaces.yml b/.azuredevops/modulePipelines/ms.relay.namespaces.yml
new file mode 100644
index 0000000000..61892df9cf
--- /dev/null
+++ b/.azuredevops/modulePipelines/ms.relay.namespaces.yml
@@ -0,0 +1,51 @@
+name: 'Relay - Namespaces'
+
+parameters:
+ - name: staticValidation
+ displayName: Execute static validation
+ type: boolean
+ default: true
+ - name: deploymentValidation
+ displayName: Execute deployment validation
+ type: boolean
+ default: true
+ - name: removeDeployment
+ displayName: Remove deployed module
+ type: boolean
+ default: true
+ - name: prerelease
+ displayName: Publish prerelease module
+ type: boolean
+ default: false
+
+pr: none
+
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ paths:
+ include:
+ - '/modules/relay/namespaces/*'
+ - '/modules/network/private-endpoints/*'
+ - '/.azuredevops/modulePipelines/ms.relay.namespaces.yml'
+ - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/utilities/pipelines/*'
+ exclude:
+ - '/utilities/pipelines/deploymentRemoval/*'
+ - '/**/*.md'
+
+variables:
+ - template: '../../settings.yml'
+ - group: 'PLATFORM_VARIABLES'
+ - name: modulePath
+ value: '/modules/relay/namespaces'
+
+stages:
+ - template: /.azuredevops/pipelineTemplates/stages.module.yml
+ parameters:
+ staticValidation: '${{ parameters.staticValidation }}'
+ deploymentValidation: '${{ parameters.deploymentValidation }}'
+ removeDeployment: '${{ parameters.removeDeployment }}'
+ prerelease: '${{ parameters.prerelease }}'
diff --git a/.github/workflows/ms.relay.namespaces.yml b/.github/workflows/ms.relay.namespaces.yml
new file mode 100644
index 0000000000..169c72e145
--- /dev/null
+++ b/.github/workflows/ms.relay.namespaces.yml
@@ -0,0 +1,85 @@
+name: 'Relay - Namespaces'
+
+on:
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: 'Execute static validation'
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: 'Execute deployment validation'
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: 'Remove deployed module'
+ required: false
+ default: true
+ prerelease:
+ type: boolean
+ description: 'Publish prerelease module'
+ required: false
+ default: false
+ push:
+ branches:
+ - main
+ paths:
+ - 'modules/relay/namespaces/**'
+ - 'modules/network/private-endpoints/**'
+ - '.github/actions/templates/**'
+ - '.github/workflows/template.module.yml'
+ - '.github/workflows/ms.relay.namespaces.yml'
+ - 'utilities/pipelines/**'
+ - '!utilities/pipelines/deploymentRemoval/**'
+ - '!*/**/README.md'
+
+env:
+ modulePath: 'modules/relay/namespaces'
+ workflowPath: '.github/workflows/ms.relay.namespaces.yml'
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-20.04
+ name: 'Initialize pipeline'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: 'Set input parameters to output variables'
+ id: get-workflow-param
+ uses: ./.github/actions/templates/getWorkflowInput
+ with:
+ workflowPath: '${{ env.workflowPath}}'
+ - name: 'Get parameter file paths'
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/getModuleTestFiles
+ with:
+ modulePath: '${{ env.modulePath }}'
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ modulePath: '${{ env.modulePath }}'
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: 'Module'
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/template.module.yml
+ with:
+ workflowInput: '${{ needs.job_initialize_pipeline.outputs.workflowInput }}'
+ moduleTestFilePaths: '${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}'
+ modulePath: '${{ needs.job_initialize_pipeline.outputs.modulePath}}'
+ secrets: inherit
diff --git a/modules/relay/namespaces/.bicep/nested_roleAssignments.bicep b/modules/relay/namespaces/.bicep/nested_roleAssignments.bicep
new file mode 100644
index 0000000000..fac857dc45
--- /dev/null
+++ b/modules/relay/namespaces/.bicep/nested_roleAssignments.bicep
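Review bot: `.github/workflows/ms.relay.namespaces.yml` declares no `permissions:` block, so the `GITHUB_TOKEN` given to both jobs takes whatever the repository default is, while `call-workflow-passing-data` also forwards every repository secret with `secrets: inherit`. A top-level `permissions:` with `contents: read` would make the token scope explicit; whether `template.module.yml` needs more than that cannot be seen from this hunk, so any extra scope should be granted on the calling job only. `actions/checkout@v3` is also referenced by a movable tag, and pinning it to a full commit SHA keeps the first step of a workflow that later handles deployment secrets from changing underneath it.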
@@ -0,0 +1,72 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+ 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+ 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')
+ 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')
+ 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: last(split(resourceId, '/'))!
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+ name: guid(namespace.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ condition: !empty(condition) ? condition : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ }
+ scope: namespace
+}]
diff --git a/modules/relay/namespaces/.test/common/dependencies.bicep b/modules/relay/namespaces/.test/common/dependencies.bicep
new file mode 100644
index 0000000000..e551480248
--- /dev/null
+++ b/modules/relay/namespaces/.test/common/dependencies.bicep
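Review bot: In `modules/relay/namespaces/.bicep/nested_roleAssignments.bicep`, `name: last(split(resourceId, '/'))!` keeps only the final segment of `resourceId`, so the `existing` namespace is resolved by name in whatever scope this module is deployed to and the subscription, resource group and resource type in the ID are discarded. A caller who passes the ID of a namespace in another resource group would get the assignment on a same-named namespace in the deployment's resource group, or a failed deployment, and since the map includes `Owner` and `User Access Administrator` the parameter text should say so: `Required. The resource ID of the Relay namespace to apply the role assignment to. Only the resource name is used; the namespace must be in the resource group this module is deployed to.` A comment above `builtInRoleNames` should also note that a value not found in the map is passed through unchanged as the role definition ID, so a misspelled role name fails at deployment time rather than at compile time.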
@@ -0,0 +1,63 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: addressPrefix
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespaces/.test/common/main.test.bicep b/modules/relay/namespaces/.test/common/main.test.bicep
new file mode 100644
index 0000000000..36b90bdd87
--- /dev/null
+++ b/modules/relay/namespaces/.test/common/main.test.bicep
@@ -0,0 +1,169 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'relcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep<>diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '<>${serviceShort}001'
+ lock: 'CanNotDelete'
+ skuName: 'Standard'
+ tags: {
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ trustedServiceAccessEnabled: true
+ virtualNetworkRules: [
+ {
+ subnet: {
+ ignoreMissingVnetServiceEndpoint: true
+ id: nestedDependencies.outputs.subnetResourceId
+ }
+ }
+ ]
+ ipRules: [
+ {
+ ipMask: '10.0.1.0/32'
+ action: 'Allow'
+ }
+ {
+ ipMask: '10.0.2.0/32'
+ action: 'Allow'
+ }
+ ]
+ }
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ hybridConnections: [
+ {
+ name: '<>${serviceShort}hc001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]'
+ }
+ ]
+ wcfRelays: [
+ {
+ name: '<>${serviceShort}wcf001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ relayType: 'NetTcp'
+ }
+ ]
+ diagnosticLogsRetentionInDays: 7
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ privateEndpoints: [
+ {
+ service: 'namespace'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ }
+ tags: {
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ }
+}
diff --git a/modules/relay/namespaces/.test/min/main.test.bicep b/modules/relay/namespaces/.test/min/main.test.bicep
new file mode 100644
index 0000000000..a90b17187a
--- /dev/null
+++ b/modules/relay/namespaces/.test/min/main.test.bicep
@@ -0,0 +1,42 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbnmin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '<>${serviceShort}001'
+ }
+}
diff --git a/modules/relay/namespaces/.test/pe/dependencies.bicep b/modules/relay/namespaces/.test/pe/dependencies.bicep
new file mode 100644
index 0000000000..e84295c592
--- /dev/null
+++ b/modules/relay/namespaces/.test/pe/dependencies.bicep
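Review bot: In `.test/common/main.test.bicep` the hybrid connection's `userMetadata` names the endpoint `db-server.constoso.com:1433`; `constoso.com` looks like a misspelling of the `contoso.com` placeholder domain used in Microsoft examples, and unlike that domain it is not known to be reserved. The template only stores the string as metadata, but this test is the example people copy, and an endpoint entry like this is presumably what a hybrid-connection client is told to forward to. Use `userMetadata: '[{"key":"endpoint","value":"db-server.contoso.com:1433"}]'`.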
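Review bot: `serviceShort` defaults to `'sbnmin'` in `.test/min/main.test.bicep` (and to `'sbnpe'` in `.test/pe/main.test.bicep`), while the common test in this commit uses `'relcom'`; the `sbn` prefix reads as carried over from another module's tests. The namespace name is built as `'<>${serviceShort}001'`, and the test dependencies place Relay under `privatelink.servicebus.windows.net`, so if a Service Bus test already uses the same short names the two deployments would compete for one globally unique namespace name and fail intermittently in the shared pipeline. Use `param serviceShort string = 'relmin'` here and `'relpe'` in the `pe` test.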
@@ -0,0 +1,49 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: addressPrefix
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespaces/.test/pe/main.test.bicep b/modules/relay/namespaces/.test/pe/main.test.bicep
new file mode 100644
index 0000000000..7ea1e690cd
--- /dev/null
+++ b/modules/relay/namespaces/.test/pe/main.test.bicep
@@ -0,0 +1,70 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sbnpe'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '<>${serviceShort}001'
+ skuName: 'Standard'
+ privateEndpoints: [
+ {
+ service: 'namespace'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ }
+ tags: {
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ tags: {
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
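Review bot: The `pe` scenario in `.test/pe/main.test.bicep` passes `privateEndpoints` but no `networkRuleSets`, whereas the common test sets `defaultAction: 'Deny'`. Whether the namespace's public endpoint stays reachable here depends on defaults in `main.bicep`, which is outside this hunk; if the default is to allow, this test validates a private endpoint sitting next to an open public endpoint, which is not what a private-endpoint deployment normally intends. Adding a `networkRuleSets` block with `defaultAction: 'Deny'` to the `params` would make the scenario assert the locked-down configuration, or a comment should say that public access is deliberately left at the module default.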
diff --git a/modules/relay/namespaces/README.md b/modules/relay/namespaces/README.md
new file mode 100644
index 0000000000..9c558aa39e
--- /dev/null
+++ b/modules/relay/namespaces/README.md
@@ -0,0 +1,771 @@ +# Relay Namespaces `[Microsoft.Relay/namespaces]` + +This module deploys a relay namespace resource. + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Deployment examples](#Deployment-examples) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.Network/privateEndpoints` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Relay/namespaces` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces) | +| `Microsoft.Relay/namespaces/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/authorizationRules) | +| `Microsoft.Relay/namespaces/hybridConnections` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections) | +| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) | +| `Microsoft.Relay/namespaces/networkRuleSets` | 
[2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/networkRuleSets) | +| `Microsoft.Relay/namespaces/wcfRelays` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays) | +| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | Name of the Relay Namespace. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | _[authorizationRules](authorization-rules/README.md)_ array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay namespace. | +| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, OperationalLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | +| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| +| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | +| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `hybridConnections` | _[hybridConnections](hybrid-connections/README.md)_ array | `[]` | | The hybrid connections to create in the relay namespace. | +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `networkRuleSets` | _[networkRuleSets](network-rule-sets/README.md)_ object | `{object}` | | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `skuName` | string | `'Standard'` | `[Standard]` | Name of this SKU. | +| `tags` | object | `{object}` | | Tags of the resource. | +| `wcfRelays` | _[wcfRelays](wcf-relays/README.md)_ array | `[]` | | The wcf relays to create in the relay namespace. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. 
If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `networkAcl` + +Configure networing options on premium SKU only. + +

+ +Parameter JSON format + +```json +"networkAclConfig": { + "value" : { + "publicNetworkAccess": "Disabled", + "allowTrustedServices": true + } +} + + +``` + +
+ +
+ +Bicep format + +```bicep +networkingAclConfig: { + publicNetworkAccess: "Disabled" + allowTrustedServices: true +} + +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed relay namespace. | +| `resourceGroupName` | string | The resource group of the deployed relay namespace. | +| `resourceId` | string | The resource ID of the deployed relay namespace. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `network/private-endpoints` | Local reference | + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module namespaces './relay/namespaces/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-relcom' + params: { + // Required parameters + name: '<>relcom001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticLogsRetentionInDays: 7 + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + hybridConnections: [ + { + name: '<>relcomhc001' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]' + } + ] + lock: 'CanNotDelete' + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + subnet: { + id: '' + ignoreMissingVnetServiceEndpoint: true + } + } + ] + } + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + wcfRelays: [ + { + name: '<>relcomwcf001' + relayType: 'NetTcp' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "<>relcom001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hybridConnections": { + "value": [ + { + "name": "<>relcomhc001", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "userMetadata": "[{\"key\":\"endpoint\",\"value\":\"db-server.constoso.com:1433\"}]" + } + ] + }, + "lock": { + "value": "CanNotDelete" + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "subnet": { + "id": "", + "ignoreMissingVnetServiceEndpoint": true + } + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "Standard" + }, + "tags": { + 
"value": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + }, + "wcfRelays": { + "value": [ + { + "name": "<>relcomwcf001", + "relayType": "NetTcp", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + } + } +} +``` + +
+

+ +

Example 2: Min

+ +
+ +via Bicep module + +```bicep +module namespaces './relay/namespaces/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sbnmin' + params: { + // Required parameters + name: '<>sbnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "<>sbnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +

Example 3: Pe

+ +
+ +via Bicep module + +```bicep +module namespaces './relay/namespaces/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sbnpe' + params: { + // Required parameters + name: '<>sbnpe001' + // Non-required parameters + enableDefaultTelemetry: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "<>sbnpe001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

diff --git a/modules/relay/namespaces/authorization-rules/README.md b/modules/relay/namespaces/authorization-rules/README.md
new file mode 100644
index 0000000000..dfcb1c3ecd
--- /dev/null
+++ b/modules/relay/namespaces/authorization-rules/README.md
@@ -0,0 +1,50 @@
+# Relay Namespace Authorization Rules `[Microsoft.Relay/namespaces/authorizationRules]`
+
+This module deploys authorization rules for a relay namespace.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Relay/namespaces/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/authorizationRules) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the authorization rule. |
+
+**Conditional parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the authorization rule. |
+| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
+| `resourceId` | string | The resource ID of the authorization rule. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/relay/namespaces/authorization-rules/main.bicep b/modules/relay/namespaces/authorization-rules/main.bicep
new file mode 100644
index 0000000000..e7ce609c74
--- /dev/null
+++ b/modules/relay/namespaces/authorization-rules/main.bicep
@@ -0,0 +1,51 @@
+@description('Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@description('Required. The name of the authorization rule.')
+param name string
+
+@description('Optional. The rights associated with the rule.')
+@allowed([
+ 'Listen'
+ 'Manage'
+ 'Send'
+])
+param rights array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource authorizationRule 'Microsoft.Relay/namespaces/authorizationRules@2021-11-01' = {
+ name: name
+ parent: namespace
+ properties: {
+ rights: rights
+ }
+}
+
+@description('The name of the authorization rule.')
+output name string = authorizationRule.name
+
+@description('The resource ID of the authorization rule.')
+output resourceId string = authorizationRule.id
+
+@description('The name of the Resource Group the authorization rule was created in.')
+output resourceGroupName string = resourceGroup().name
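Review bot: `rights` is optional and defaults to `[]`, so a caller that omits it requests a shared-access rule with no rights. I would expect the resource provider either to reject that or to issue a key that authorizes nothing (not verified here). Since the rights are the whole point of the rule, the caller should have to state them: declare it as `param rights array` with the description `'Required. The rights associated with the rule.'`, which also forces an explicit least-privilege choice between `Listen`, `Send` and `Manage`. The `namespaceName` description is copied from the hybrid-connection module; here it should read `'Conditional. The name of the parent Relay Namespace for the authorization rule. Required if the template is used in a standalone deployment.'`.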
diff --git a/modules/relay/namespaces/authorization-rules/metadata.json b/modules/relay/namespaces/authorization-rules/metadata.json
new file mode 100644
index 0000000000..f38368f65c
--- /dev/null
+++ b/modules/relay/namespaces/authorization-rules/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Relay Namespace Authorization Rules",
+ "summary": "This module deploys authorization rules for a relay namespace.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/authorization-rules/version.json b/modules/relay/namespaces/authorization-rules/version.json
new file mode 100644
index 0000000000..5b9f717b34
--- /dev/null
+++ b/modules/relay/namespaces/authorization-rules/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.4",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/relay/namespaces/hybrid-connections/.bicep/nested_roleAssignments.bicep b/modules/relay/namespaces/hybrid-connections/.bicep/nested_roleAssignments.bicep
new file mode 100644
index 0000000000..95709ae56f
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/.bicep/nested_roleAssignments.bicep
@@ -0,0 +1,72 @@ +@sys.description('Required. The IDs of the principals to assign the role to.') +param principalIds array + +@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') +param roleDefinitionIdOrName string + +@sys.description('Required. The resource ID of the resource to apply the role assignment to.') +param resourceId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of the role assignment.') +param description string = '' + +@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') +param condition string = '' + +@sys.description('Optional. Version of the condition.') +@allowed([ + '2.0' +]) +param conditionVersion string = '2.0' + +@sys.description('Optional. 
Id of the delegated managed identity resource.') +param delegatedManagedIdentityResourceId string = '' + +var builtInRoleNames = { + 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') + 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') + 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') + 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + +resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = { + name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' +} + +resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { + name: guid(hybridConnection.id, principalId, roleDefinitionIdOrName) + properties: { + description: description + roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName + principalId: principalId + principalType: !empty(principalType) ? any(principalType) : null + condition: !empty(condition) ? condition : null + conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null + delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null + } + scope: hybridConnection +}] diff --git a/modules/relay/namespaces/hybrid-connections/README.md b/modules/relay/namespaces/hybrid-connections/README.md new file mode 100644 index 0000000000..50fcc0e08e --- /dev/null +++ b/modules/relay/namespaces/hybrid-connections/README.md 
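Review bot: In the `roleAssigment` loop the assignment name is `guid(hybridConnection.id, principalId, roleDefinitionIdOrName)`, which hashes the caller's spelling of the role rather than the role definition actually assigned. The same principal and role referenced once by display name and once by ID therefore produce two different names, and the second deployment is likely to fail as a duplicate assignment instead of being idempotent. Resolving the role once and using it in both places avoids that: `var resolvedRoleDefinitionId = contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName`, then `name: guid(hybridConnection.id, principalId, resolvedRoleDefinitionId)` and `roleDefinitionId: resolvedRoleDefinitionId`. A comment above the fallback should also say that any string not found in `builtInRoleNames` is passed through unvalidated as a role definition ID, so a mistyped role name surfaces only as a deployment-time error. The map includes `Owner` and `User Access Administrator`, so callers should prefer the scoped `Azure Relay Listener` and `Azure Relay Sender` entries where they suffice.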
@@ -0,0 +1,116 @@ +# Hybrid Connection Relay `[Microsoft.Relay/namespaces/hybridConnections]` + +This module deploys a hybrid connection relay resource. + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Relay/namespaces/hybridConnections` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections) | +| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | Name of the Relay Hybrid Connection. | +| `userMetadata` | string | User-defined string data for the Relay Hybrid Connection. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. 
| + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | _[authorizationRules](authorization-rules/README.md)_ array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay Hybrid Connection. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `requiresClientAuthorization` | bool | `True` | | A value indicating if this hybrid connection requires duplicate detection. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed hybrid connection. | +| `resourceGroupName` | string | The resource group of the deployed hybrid connection. | +| `resourceId` | string | The resource ID of the deployed hybrid connection. | + +## Cross-referenced modules + +_None_ diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md new file mode 100644 index 0000000000..e548a19fdf --- /dev/null +++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md 
@@ -0,0 +1,51 @@ +# Hybrid Connection Relay Authorization Rules `[Microsoft.Relay/namespaces/hybridConnections/authorizationRules]` + +This module deploys authorization rules for a hybrid connection relay. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Relay/namespaces/hybridConnections/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/hybridConnections/authorizationRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the relay namepace hybrid connection. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `hybridConnectionName` | string | The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. | +| `namespaceName` | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the authorization rule. | +| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | +| `resourceId` | string | The Resource ID of the authorization rule. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep b/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep
new file mode 100644
index 0000000000..f7d997e6b4
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep
@@ -0,0 +1,56 @@
+@description('Required. The name of the relay namepace hybrid connection.')
+param name string
+
+@description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.')
+param namespaceName string
+
+@description('Conditional. The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment.')
+param hybridConnectionName string
+
+@description('Optional. The rights associated with the rule.')
+@allowed([
+ 'Listen'
+ 'Manage'
+ 'Send'
+])
+param rights array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+
+ resource hybridConnection 'hybridConnections@2021-11-01' existing = {
+ name: hybridConnectionName
+ }
+}
+
+resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = {
+ name: name
+ parent: namespace::hybridConnection
+ properties: {
+ rights: rights
+ }
+}
+
+@description('The name of the authorization rule.')
+output name string = authorizationRule.name
+
+@description('The Resource ID of the authorization rule.')
+output resourceId string = authorizationRule.id
+
+@description('The name of the Resource Group the authorization rule was created in.')
+output resourceGroupName string = resourceGroup().name
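Review bot: The `name` parameter is described as the name of the "relay namepace hybrid connection", but the template uses it as the name of the `authorizationRule` resource; the description should read `@description('Required. The name of the authorization rule.')`. Each rule created here is a shared access policy on the hybrid connection, so the `rights` description should also say more than it does: it defaults to `[]` and gives no guidance on which rights to grant. I would extend it to `@description('Optional. The rights associated with the rule. Grant only the rights the consumer needs; Manage should be reserved for administrative use.')`.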
diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json
new file mode 100644
index 0000000000..35e15893fc
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Hybrid Connection Relay Authorization Rules",
+ "summary": "This module deploys authorization rules for a hybrid connection relay.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/version.json b/modules/relay/namespaces/hybrid-connections/authorization-rules/version.json
new file mode 100644
index 0000000000..5b9f717b34
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.4",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep
new file mode 100644
index 0000000000..a5098b7758
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/main.bicep
@@ -0,0 +1,122 @@
+@description('Conditional. The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@description('Required. Name of the Relay Hybrid Connection.')
+@minLength(6)
+@maxLength(50)
+param name string
+
+@description('Required. User-defined string data for the Relay Hybrid Connection.')
+param userMetadata string
+
+@description('Optional. A value indicating if this hybrid connection requires duplicate detection.')
+param requiresClientAuthorization bool = true
+
+@description('Optional. Authorization Rules for the Relay Hybrid Connection.')
+param authorizationRules array = [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'defaultListener'
+ rights: [
+ 'Listen'
+ ]
+ }
+ {
+ name: 'defaultSender'
+ rights: [
+ 'Send'
+ ]
+ }
+]
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = {
+ name: name
+ parent: namespace
+ properties: {
+ requiresClientAuthorization: requiresClientAuthorization
+ userMetadata: userMetadata
+ }
+}
+
+module hybridconnection_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
+ name: '${deployment().name}-AuthRule-${index}'
+ params: {
+ namespaceName: namespaceName
+ hybridConnectionName: hybridConnection.name
+ name: authorizationRule.name
+ rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+ name: '${hybridConnection.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: hybridConnection
+}
+
+module hybridConnection_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${deployment().name}-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: hybridConnection.id
+ }
+}]
+
+@description('The name of the deployed hybrid connection.')
+output name string = hybridConnection.name
+
+@description('The resource ID of the deployed hybrid connection.')
+output resourceId string = hybridConnection.id
+
+@description('The resource group of the deployed hybrid connection.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/relay/namespaces/hybrid-connections/metadata.json b/modules/relay/namespaces/hybrid-connections/metadata.json
new file mode 100644
index 0000000000..1fbabdbbd2
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Hybrid Connection Relay",
+ "summary": "This module deploys a hybrid connection relay resource.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/hybrid-connections/version.json b/modules/relay/namespaces/hybrid-connections/version.json
new file mode 100644
index 0000000000..5b9f717b34
--- /dev/null
+++ b/modules/relay/namespaces/hybrid-connections/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.4",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep
new file mode 100644
index 0000000000..0ffac7ad73
--- /dev/null
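Review bot: The description on `requiresClientAuthorization` in `modules/relay/namespaces/hybrid-connections/main.bicep` says the flag controls duplicate detection, yet the value is passed straight to the hybrid connection's `requiresClientAuthorization` property, so a reader relying on the description could turn client authorization off without realising it. Suggested wording: `@description('Optional. A value indicating if client authorization is required for this hybrid connection.')`. The default `authorizationRules` value also creates a `RootManageSharedAccessKey` rule with `Listen`, `Manage` and `Send` on every hybrid connection; consider defaulting to the `defaultListener` and `defaultSender` entries only, so a full-rights key exists only when a caller asks for one. The same three-rule default is repeated inline in `modules/relay/namespaces/main.bicep` for hybrid connections and WCF relays.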
+++ b/modules/relay/namespaces/main.bicep 
@@ -0,0 +1,303 @@
+@description('Required. Name of the Relay Namespace.')
+@maxLength(50)
+param name string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Name of this SKU.')
+@allowed([
+ 'Standard'
+])
+param skuName string = 'Standard'
+
+@description('Optional. Authorization Rules for the Relay namespace.')
+param authorizationRules array = [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+]
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource ID of the diagnostic storage account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource ID of the diagnostic log analytics workspace.')
+param diagnosticWorkspaceId string = ''
+
+@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param diagnosticEventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param diagnosticEventHubName string = ''
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+param privateEndpoints array = []
+
+@description('Optional. Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
+param networkRuleSets object = {}
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. The hybrid connections to create in the relay namespace.')
+param hybridConnections array = []
+
+@description('Optional. The wcf relays to create in the relay namespace.')
+param wcfRelays array = []
+
+@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource.')
+@allowed([
+ 'allLogs'
+ 'OperationalLogs'
+])
+param diagnosticLogCategoriesToEnable array = [
+ 'allLogs'
+]
+
+@description('Optional. The name of metrics that will be streamed.')
+@allowed([
+ 'AllMetrics'
+])
+param diagnosticMetricsToEnable array = [
+ 'AllMetrics'
+]
+
+@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
+param diagnosticSettingsName string = ''
+
+var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): {
+ category: category
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
+ {
+ categoryGroup: 'allLogs'
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+] : diagnosticsLogsSpecified
+
+var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
+ category: metric
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = {
+ name: name
+ location: location
+ tags: empty(tags) ? null : tags
+ sku: {
+ name: skuName
+ }
+ properties: {}
+}
+
+module namespace_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
+ name: '${uniqueString(deployment().name, location)}-AuthorizationRules-${index}'
+ params: {
+ namespaceName: namespace.name
+ name: authorizationRule.name
+ rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+module namespace_networkRuleSet 'network-rule-sets/main.bicep' = if (!empty(networkRuleSets) || !empty(privateEndpoints)) {
+ name: '${uniqueString(deployment().name, location)}-NetworkRuleSet'
+ params: {
+ namespaceName: namespace.name
+ publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
+ defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
+ ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}
+
+module namespace_hybridConnections 'hybrid-connections/main.bicep' = [for (hybridConnection, index) in hybridConnections: {
+ name: '${uniqueString(deployment().name, location)}-hybridConnection-${index}'
+ params: {
+ namespaceName: namespace.name
+ name: hybridConnection.name
+ authorizationRules: contains(hybridConnection, 'authorizationRules') ? hybridConnection.authorizationRules : [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'defaultListener'
+ rights: [
+ 'Listen'
+ ]
+ }
+ {
+ name: 'defaultSender'
+ rights: [
+ 'Send'
+ ]
+ }
+ ]
+ requiresClientAuthorization: contains(hybridConnection, 'requiresClientAuthorization') ? hybridConnection.requiresClientAuthorization : true
+ userMetadata: hybridConnection.userMetadata
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+module namespace_wcfRelays 'wcf-relays/main.bicep' = [for (wcfRelay, index) in wcfRelays: {
+ name: '${uniqueString(deployment().name, location)}-wcfRelay-${index}'
+ params: {
+ namespaceName: namespace.name
+ name: wcfRelay.name
+ authorizationRules: contains(wcfRelay, 'authorizationRules') ? wcfRelay.authorizationRules : [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'defaultListener'
+ rights: [
+ 'Listen'
+ ]
+ }
+ {
+ name: 'defaultSender'
+ rights: [
+ 'Send'
+ ]
+ }
+ ]
+ relayType: wcfRelay.relayType
+ requiresClientAuthorization: contains(wcfRelay, 'requiresClientAuthorization') ? wcfRelay.requiresClientAuthorization : true
+ requiresTransportSecurity: contains(wcfRelay, 'requiresTransportSecurity') ? wcfRelay.requiresTransportSecurity : true
+ userMetadata: contains(wcfRelay, 'userMetadata') ? wcfRelay.userMetadata : null
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+resource namespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+ name: '${namespace.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: namespace
+}
+
+resource namespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
+ name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+ properties: {
+ storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
+ workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
+ eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
+ eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
+ metrics: diagnosticsMetrics
+ logs: diagnosticsLogs
+ }
+ scope: namespace
+}
+
+module namespace_privateEndpoints '../../network/private-endpoints/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-Namespace-PrivateEndpoint-${index}'
+ params: {
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(namespace.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: namespace.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
+ privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
+ applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ }
+}]
+
+module namespace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${deployment().name}-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: namespace.id
+ }
+}]
+
+@description('The resource ID of the deployed relay namespace.')
+output resourceId string = namespace.id
+
+@description('The resource group of the deployed relay namespace.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the deployed relay namespace.')
+output name string = namespace.name
+
+@description('The location the resource was deployed into.')
+output location string = namespace.location
diff --git a/modules/relay/namespaces/metadata.json b/modules/relay/namespaces/metadata.json
new file mode 100644
index 0000000000..511f76ec96
--- /dev/null
+++ b/modules/relay/namespaces/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Relay Namespaces",
+ "summary": "This module deploys a relay namespace resource.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/network-rule-sets/README.md b/modules/relay/namespaces/network-rule-sets/README.md
new file mode 100644
index 0000000000..094c4cdd9b
--- /dev/null
+++ b/modules/relay/namespaces/network-rule-sets/README.md
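Review bot: In `namespace_networkRuleSet` (modules/relay/namespaces/main.bicep), `publicNetworkAccess` falls back to `'Enabled'` and `defaultAction` to `'Allow'` whenever `networkRuleSets` is non-empty but omits those keys, even if `privateEndpoints` are supplied as well; `'Disabled'` is chosen only when private endpoints are given and `networkRuleSets` is empty. When both parameters are empty the module deploys no rule set at all, so the namespace keeps whatever the service default is. The `networkRuleSets` description states none of this; I would append `If 'publicNetworkAccess' is omitted it is set to 'Disabled' only when private endpoints are configured and this object is empty, otherwise to 'Enabled'.` so callers who combine private endpoints with other rule-set keys set the value explicitly.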
@@ -0,0 +1,46 @@ +# Relay Namespaces Network Rules Sets `[Microsoft.Relay/namespaces/networkRuleSets]` + +This module deploys Relay Namespace Network Rule Sets. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Relay/namespaces/networkRuleSets` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/networkRuleSets) | + +## Parameters + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the network rule set. 
| +| `resourceGroupName` | string | The name of the resource group the network rule set was created in. | +| `resourceId` | string | The resource ID of the network rule set. | + +## Cross-referenced modules + +_None_ diff --git a/modules/relay/namespaces/network-rule-sets/main.bicep b/modules/relay/namespaces/network-rule-sets/main.bicep new file mode 100644 index 0000000000..7b01405643 --- /dev/null +++ b/modules/relay/namespaces/network-rule-sets/main.bicep 
@@ -0,0 +1,59 @@
+@description('Conditional. The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.')
+param publicNetworkAccess string = 'Enabled'
+
+@allowed([
+ 'Allow'
+ 'Deny'
+])
+@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.')
+param defaultAction string = 'Allow'
+
+@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
+param ipRules array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource networkRuleSet 'Microsoft.Relay/namespaces/networkRuleSets@2021-11-01' = {
+ name: 'default'
+ parent: namespace
+ properties: {
+ publicNetworkAccess: publicNetworkAccess
+ defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) ? 'Deny' : defaultAction)
+ ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
+ }
+}
+
+@description('The name of the network rule set.')
+output name string = networkRuleSet.name
+
+@description('The resource ID of the network rule set.')
+output resourceId string = networkRuleSet.id
+
+@description('The name of the resource group the network rule set was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/relay/namespaces/network-rule-sets/metadata.json b/modules/relay/namespaces/network-rule-sets/metadata.json
new file mode 100644
index 0000000000..d8f5cfc6e0
--- /dev/null
+++ b/modules/relay/namespaces/network-rule-sets/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Relay Namespaces Network Rules Sets",
+ "summary": "This module deploys Relay Namespace Network Rule Sets.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/network-rule-sets/version.json b/modules/relay/namespaces/network-rule-sets/version.json
new file mode 100644
index 0000000000..4f6911e8a0
--- /dev/null
+++ b/modules/relay/namespaces/network-rule-sets/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.2",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/relay/namespaces/version.json b/modules/relay/namespaces/version.json
new file mode 100644
index 0000000000..3376ee6961
--- /dev/null
+++ b/modules/relay/namespaces/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.5",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/relay/namespaces/wcf-relays/.bicep/nested_roleAssignments.bicep b/modules/relay/namespaces/wcf-relays/.bicep/nested_roleAssignments.bicep
new file mode 100644
index 0000000000..b3be79a81f
--- /dev/null
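Review bot: With the defaults declared in network-rule-sets/main.bicep (`publicNetworkAccess = 'Enabled'`, `defaultAction = 'Allow'`, `ipRules = []`) a caller who passes nothing deploys a rule set that admits traffic from any public address. Consider making the restrictive value the default, `param defaultAction string = 'Deny'`, or at least state in the description that the default leaves the namespace publicly reachable. The `defaultAction` description also says the value switches to "Deny" when `virtualNetworkRules` are used, but no such parameter is declared here and the expression only tests `!empty(ipRules)`; that wording should be dropped so readers do not assume a VNet restriction exists. `ipRules` is an untyped `array`, so a sentence on the expected element shape would help callers get the allow-list right.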
+++ b/modules/relay/namespaces/wcf-relays/.bicep/nested_roleAssignments.bicep 
@@ -0,0 +1,72 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+ 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+ 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')
+ 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')
+ 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource wcfRelay 'Microsoft.Relay/namespaces/wcfRelays@2021-11-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+ name: guid(wcfRelay.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ condition: !empty(condition) ? condition : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ }
+ scope: wcfRelay
+}]
diff --git a/modules/relay/namespaces/wcf-relays/README.md b/modules/relay/namespaces/wcf-relays/README.md
new file mode 100644
index 0000000000..095d6b7375
--- /dev/null
+++ b/modules/relay/namespaces/wcf-relays/README.md
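Review bot: The `existing` reference in wcf-relays/.bicep/nested_roleAssignments.bicep takes the relay name from fixed positions, `split(resourceId, '/')[8]` and `[10]`, without checking that `resourceId` is a `Microsoft.Relay/namespaces/wcfRelays` ID. An ID of another shape either fails at deployment or resolves to unintended name segments, and the role assignment is then scoped to whatever those segments name. State the required format on the parameter, for example `@sys.description('Required. The resource ID of the WCF Relay to scope the role assignment to: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Relay/namespaces/{namespace}/wcfRelays/{relay}.')`. Because `builtInRoleNames` falls through to the raw `roleDefinitionIdOrName` string, a mistyped role name is only rejected at deployment time, which is worth one line in the description as well. The symbolic name `roleAssigment` is misspelled.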
@@ -0,0 +1,118 @@ +# WCF Relay `[Microsoft.Relay/namespaces/wcfRelays]` + +This module deploys a wcf relay resource. + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Relay/namespaces/wcfRelays` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays) | +| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `name` | string | | Name of the WCF Relay. | +| `relayType` | string | `[Http, NetTcp]` | Type of WCF Relay. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `namespaceName` | string | The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | _[authorizationRules](authorization-rules/README.md)_ array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the WCF Relay. 
| +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `requiresClientAuthorization` | bool | `True` | | A value indicating if this relay requires client authorization. | +| `requiresTransportSecurity` | bool | `True` | | A value indicating if this relay requires transport security. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `userMetadata` | string | `''` | | User-defined string data for the WCF Relay. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed wcf relay. | +| `resourceGroupName` | string | The resource group of the deployed wcf relay. | +| `resourceId` | string | The resource ID of the deployed wcf relay. | + +## Cross-referenced modules + +_None_ diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/README.md b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md new file mode 100644 index 0000000000..ba12d5cd55 --- /dev/null +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md 
@@ -0,0 +1,51 @@ +# WCF Relay Authorization Rules `[Microsoft.Relay/namespaces/wcfRelays/authorizationRules]` + +This module deploys authorization rules for a wcf relay. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the relay namepace wcf relay. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `namespaceName` | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | +| `wcfRelayName` | string | The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the authorization rule. | +| `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | +| `resourceId` | string | The Resource ID of the authorization rule. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep b/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep new file mode 100644 index 0000000000..e83d4b9f25 --- /dev/null +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep 
@@ -0,0 +1,56 @@
+@description('Required. The name of the relay namepace wcf relay.')
+param name string
+
+@description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.')
+param namespaceName string
+
+@description('Conditional. The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment.')
+param wcfRelayName string
+
+@description('Optional. The rights associated with the rule.')
+@allowed([
+ 'Listen'
+ 'Manage'
+ 'Send'
+])
+param rights array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+
+ resource wcfRelay 'wcfRelays@2021-11-01' existing = {
+ name: wcfRelayName
+ }
+}
+
+resource authorizationRule 'Microsoft.Relay/namespaces/wcfRelays/authorizationRules@2021-11-01' = {
+ name: name
+ parent: namespace::wcfRelay
+ properties: {
+ rights: rights
+ }
+}
+
+@description('The name of the authorization rule.')
+output name string = authorizationRule.name
+
+@description('The Resource ID of the authorization rule.')
+output resourceId string = authorizationRule.id
+
+@description('The name of the Resource Group the authorization rule was created in.')
+output resourceGroupName string = resourceGroup().name
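Review bot: The `name` parameter is documented as "The name of the relay namepace wcf relay", but the template uses it as the name of the authorization rule (`name: name` on `authorizationRule`), while the parent relay comes from `wcfRelayName`. Suggest `@description('Required. The name of the authorization rule.')`, which also removes the "namepace" typo. `rights` defaults to `[]`, so a rule deployed without an explicit value is requested with no rights; whether the service accepts that is not visible here, and making the parameter required would surface the omission at authoring time. Since each rule is a shared access policy, the `rights` description could also tell callers to grant only what the consumer of the key needs.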
diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json b/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json new file mode 100644 index 0000000000..c4ff3f6b4d --- /dev/null +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", + "name": "WCF Relay Authorization Rules", + "summary": "This module deploys authorization rules for a wcf relay.", + "owner": "Azure/module-maintainers" +} diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/version.json b/modules/relay/namespaces/wcf-relays/authorization-rules/version.json new file mode 100644 index 0000000000..5b9f717b34 --- /dev/null +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/version.json @@ -0,0 +1,8 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json", + "./metadata.json" + ] +} diff --git a/modules/relay/namespaces/wcf-relays/main.bicep b/modules/relay/namespaces/wcf-relays/main.bicep new file mode 100644 index 0000000000..026502785d --- /dev/null +++ b/modules/relay/namespaces/wcf-relays/main.bicep 
@@ -0,0 +1,134 @@
+@description('Conditional. The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@description('Required. Name of the WCF Relay.')
+@minLength(6)
+@maxLength(50)
+param name string
+
+@allowed([
+ 'Http'
+ 'NetTcp'
+])
+@description('Required. Type of WCF Relay.')
+param relayType string
+
+@description('Optional. A value indicating if this relay requires client authorization.')
+param requiresClientAuthorization bool = true
+
+@description('Optional. A value indicating if this relay requires transport security.')
+param requiresTransportSecurity bool = true
+
+@description('Optional. User-defined string data for the WCF Relay.')
+param userMetadata string = ''
+
+@description('Optional. Authorization Rules for the WCF Relay.')
+param authorizationRules array = [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'defaultListener'
+ rights: [
+ 'Listen'
+ ]
+ }
+ {
+ name: 'defaultSender'
+ rights: [
+ 'Send'
+ ]
+ }
+]
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource wcfRelay 'Microsoft.Relay/namespaces/wcfRelays@2021-11-01' = {
+ name: name
+ parent: namespace
+ properties: {
+ relayType: relayType
+ requiresClientAuthorization: requiresClientAuthorization
+ requiresTransportSecurity: requiresTransportSecurity
+ userMetadata: !empty(userMetadata) ? userMetadata : null
+ }
+}
+
+module wcfRelay_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: {
+ name: '${deployment().name}-AuthRule-${index}'
+ params: {
+ namespaceName: namespaceName
+ wcfRelayName: wcfRelay.name
+ name: authorizationRule.name
+ rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+ name: '${wcfRelay.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: wcfRelay
+}
+
+module wcfRelay_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${deployment().name}-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: wcfRelay.id
+ }
+}]
+
+@description('The name of the deployed wcf relay.')
+output name string = wcfRelay.name
+
+@description('The resource ID of the deployed wcf relay.')
+output resourceId string = wcfRelay.id
+
+@description('The resource group of the deployed wcf relay.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/relay/namespaces/wcf-relays/metadata.json b/modules/relay/namespaces/wcf-relays/metadata.json
new file mode 100644
index 0000000000..996b74aaa6
--- /dev/null
+++ b/modules/relay/namespaces/wcf-relays/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "WCF Relay",
+ "summary": "This module deploys a wcf relay resource.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/relay/namespaces/wcf-relays/version.json b/modules/relay/namespaces/wcf-relays/version.json
new file mode 100644
index 0000000000..5b9f717b34
--- /dev/null
+++ b/modules/relay/namespaces/wcf-relays/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.4",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/web/sites/.bicep/nested_roleAssignments.bicep b/modules/web/sites/.bicep/nested_roleAssignments.bicep
index d78b6261b6..764dd19ea5 100644
--- a/modules/web/sites/.bicep/nested_roleAssignments.bicep
+++ b/modules/web/sites/.bicep/nested_roleAssignments.bicep
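Review bot: The default value of `authorizationRules` in wcf-relays/main.bicep creates three shared access rules on every WCF relay, including `RootManageSharedAccessKey` with `Listen`, `Manage` and `Send`, even when the caller asked for none. Every relay therefore gets a standing full-rights key by default, next to the RBAC path the module already offers through `roleAssignments`. Defaulting to `param authorizationRules array = []` and letting callers opt in to the rules they need would follow least privilege; if the defaults have to stay, the parameter description should list the rules that are created. Separately, the `roleAssignments` description names `principalId`, while the module reads `roleAssignment.principalIds`.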
@@ -34,6 +34,7 @@ param conditionVersion string = '2.0' param delegatedManagedIdentityResourceId string = '' var builtInRoleNames = { + 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') diff --git a/modules/web/sites/.test/functionAppCommon/dependencies.bicep b/modules/web/sites/.test/functionAppCommon/dependencies.bicep index 6f7f7f7cb3..cb817abcd7 100644 --- a/modules/web/sites/.test/functionAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/functionAppCommon/dependencies.bicep @@ -16,6 +16,12 @@ param storageAccountName string @description('Required. The name of the Application Insights instance to create.') param applicationInsightsName string +@description('Required. The name of the Relay Namespace to create.') +param namespaceName string + +@description('Required. The name of the Hybrid Connection to create.') +param hybridConnectionName string + var addressPrefix = '10.0.0.0/16' resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { 
@@ -89,6 +95,34 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { properties: {} } +resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = { + name: namespaceName + location: location + sku: { + name: 'Standard' + } + properties: {} +} + +resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = { + name: hybridConnectionName + parent: namespace + properties: { + requiresClientAuthorization: true + userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]' + } +} + +resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = { + name: 'defaultSender' + parent: hybridConnection + properties: { + rights: [ + 'Send' + ] + } +} + @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id @@ -109,3 +143,6 @@ output applicationInsightsResourceId string = applicationInsights.id @description('The resource ID of the created Private DNS Zone.') output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Hybrid Connection.') +output hybridConnectionResourceId string = hybridConnection.id diff --git a/modules/web/sites/.test/functionAppCommon/main.test.bicep b/modules/web/sites/.test/functionAppCommon/main.test.bicep index a1b28d9ee6..1f2574d91c 100644 --- a/modules/web/sites/.test/functionAppCommon/main.test.bicep +++ b/modules/web/sites/.test/functionAppCommon/main.test.bicep @@ -37,6 +37,8 @@ module nestedDependencies 'dependencies.bicep' = { serverFarmName: 'dep-<>-sf-${serviceShort}' storageAccountName: 'dep<>st${serviceShort}' applicationInsightsName: 'dep-<>-appi-${serviceShort}' + namespaceName: 'dep-<>-ns-${serviceShort}' + hybridConnectionName: 'dep-<>-hc-${serviceShort}' } } 
@@ -176,5 +178,11 @@ module testDeployment '../../main.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } + hybridConnectionRelays: [ + { + resourceId: nestedDependencies.outputs.hybridConnectionResourceId + sendKeyName: 'defaultSender' + } + ] } } diff --git a/modules/web/sites/.test/webAppCommon/dependencies.bicep b/modules/web/sites/.test/webAppCommon/dependencies.bicep index 8ce6b01cc0..88fc4d8ea6 100644 --- a/modules/web/sites/.test/webAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/webAppCommon/dependencies.bicep @@ -10,6 +10,12 @@ param managedIdentityName string @description('Required. The name of the Server Farm to create.') param serverFarmName string +@description('Required. The name of the Relay Namespace to create.') +param namespaceName string + +@description('Required. The name of the Hybrid Connection to create.') +param hybridConnectionName string + var addressPrefix = '10.0.0.0/16' resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { @@ -66,6 +72,34 @@ resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = { properties: {} } +resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = { + name: namespaceName + location: location + sku: { + name: 'Standard' + } + properties: {} +} + +resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = { + name: hybridConnectionName + parent: namespace + properties: { + requiresClientAuthorization: true + userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]' + } +} + +resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' = { + name: 'defaultSender' + parent: hybridConnection + properties: { + rights: [ + 'Send' + ] + } +} + @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id 
@@ -80,3 +114,6 @@ output serverFarmResourceId string = serverFarm.id @description('The resource ID of the created Private DNS Zone.') output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Hybrid Connection.') +output hybridConnectionResourceId string = hybridConnection.id diff --git a/modules/web/sites/.test/webAppCommon/main.test.bicep b/modules/web/sites/.test/webAppCommon/main.test.bicep index eb6f4ba4c8..120235fe90 100644 --- a/modules/web/sites/.test/webAppCommon/main.test.bicep +++ b/modules/web/sites/.test/webAppCommon/main.test.bicep @@ -35,6 +35,8 @@ module nestedDependencies 'dependencies.bicep' = { virtualNetworkName: 'dep-<>-vnet-${serviceShort}' managedIdentityName: 'dep-<>-msi-${serviceShort}' serverFarmName: 'dep-<>-sf-${serviceShort}' + namespaceName: 'dep-<>-ns-${serviceShort}' + hybridConnectionName: 'dep-<>-hc-${serviceShort}' } } @@ -55,7 +57,6 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // ============== // // Test Execution // // ============== // - module testDeployment '../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' @@ -111,6 +112,12 @@ module testDeployment '../../main.bicep' = { } ] } + hybridConnectionRelays: [ + { + resourceId: nestedDependencies.outputs.hybridConnectionResourceId + sendKeyName: 'defaultSender' + } + ] } { name: 'slot2' @@ -162,5 +169,11 @@ module testDeployment '../../main.bicep' = { } ] + hybridConnectionRelays: [ + { + resourceId: nestedDependencies.outputs.hybridConnectionResourceId + sendKeyName: 'defaultSender' + } + ] } } diff --git a/modules/web/sites/README.md b/modules/web/sites/README.md index 553be2fc29..f59a3c5bbb 100644 --- a/modules/web/sites/README.md +++ b/modules/web/sites/README.md 
@@ -24,8 +24,10 @@ This module deploys a web or function app. | `Microsoft.Web/sites` | [2021-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-03-01/sites) | | `Microsoft.Web/sites/basicPublishingCredentialsPolicies` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/config` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | +| `Microsoft.Web/sites/hybridConnectionNamespaces/relays` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/hybridConnectionNamespaces/relays) | | `Microsoft.Web/sites/slots` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/slots) | | `Microsoft.Web/sites/slots/config` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | +| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/slots/hybridConnectionNamespaces/relays) | ## Parameters @@ -66,6 +68,7 @@ This module deploys a web or function app. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `hostNameSslStates` | array | `[]` | | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | | `httpsOnly` | bool | `True` | | Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. | +| `hybridConnectionRelays` | array | `[]` | | Names of hybrid connection relays to connect app with. | | `hyperV` | bool | `False` | | Hyper-V sandbox. | | `keyVaultAccessIdentityResourceId` | string | `''` | | The resource ID of the assigned identity to be used to access a key vault with. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | 
@@ -536,6 +539,12 @@ module sites './web/sites/main.bicep' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' + hybridConnectionRelays: [ + { + resourceId: '' + sendKeyName: 'defaultSender' + } + ] keyVaultAccessIdentityResourceId: '' lock: 'CanNotDelete' privateEndpoints: [ @@ -692,6 +701,14 @@ module sites './web/sites/main.bicep' = { "enableDefaultTelemetry": { "value": "" }, + "hybridConnectionRelays": { + "value": [ + { + "resourceId": "", + "sendKeyName": "defaultSender" + } + ] + }, "keyVaultAccessIdentityResourceId": { "value": "" }, @@ -844,6 +861,12 @@ module sites './web/sites/main.bicep' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' httpsOnly: true + hybridConnectionRelays: [ + { + resourceId: '' + sendKeyName: 'defaultSender' + } + ] privateEndpoints: [ { privateDnsZoneGroup: { @@ -884,6 +907,12 @@ module sites './web/sites/main.bicep' = { diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' + hybridConnectionRelays: [ + { + resourceId: '' + sendKeyName: 'defaultSender' + } + ] name: 'slot1' privateEndpoints: [ { @@ -985,6 +1014,14 @@ module sites './web/sites/main.bicep' = { "httpsOnly": { "value": true }, + "hybridConnectionRelays": { + "value": [ + { + "resourceId": "", + "sendKeyName": "defaultSender" + } + ] + }, "privateEndpoints": { "value": [ { @@ -1032,6 +1069,12 @@ module sites './web/sites/main.bicep' = { "diagnosticLogsRetentionInDays": 7, "diagnosticStorageAccountId": "", "diagnosticWorkspaceId": "", + "hybridConnectionRelays": [ + { + "resourceId": "", + "sendKeyName": "defaultSender" + } + ], "name": "slot1", "privateEndpoints": [ { diff --git a/modules/web/sites/config--appsettings/main.bicep b/modules/web/sites/config--appsettings/main.bicep index c82764b9bb..34d78d021e 100644 --- a/modules/web/sites/config--appsettings/main.bicep +++ b/modules/web/sites/config--appsettings/main.bicep 
@@ -52,7 +52,7 @@ resource app 'Microsoft.Web/sites@2022-03-01' existing = { name: appName } -resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { +resource appInsight 'microsoft.insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { name: last(split(appInsightResourceId, '/'))! scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) } diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/README.md b/modules/web/sites/hybrid-connection-namespaces/relays/README.md new file mode 100644 index 0000000000..106aea40ab --- /dev/null +++ b/modules/web/sites/hybrid-connection-namespaces/relays/README.md 
@@ -0,0 +1,49 @@ +# Web/Function Apps Hybrid Connection Relay `[Microsoft.Web/sites/hybridConnectionNamespaces/relays]` + +This module configures a web or function app with a hybrid connection relay. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Web/sites/hybridConnectionNamespaces/relays` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/hybridConnectionNamespaces/relays) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `resourceId` | string | The resource id of the resource. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `webAppName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| `location` | string | `[resourceGroup().location]` | Location for all Resources. | +| `sendKeyName` | string | `'defaultSender'` | Name of the authorization rule send key to use. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `resourceGroupName` | string | The name of the resource group the resource was deployed into. | + +## Cross-referenced modules + +_None_ diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep new file mode 100644 index 0000000000..85c90f5d5b --- /dev/null +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep 
@@ -0,0 +1,60 @@
+@description('Required. The resource id of the resource.')
+param resourceId string
+
+@description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
+param webAppName string
+
+@description('Optional. Name of the authorization rule send key to use.')
+param sendKeyName string = 'defaultSender'
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var splitResourceId = split(resourceId, '/')
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: splitResourceId[8]
+ scope: resourceGroup(splitResourceId[2], splitResourceId[4])
+}
+
+resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = {
+ name: splitResourceId[10]
+ parent: namespace
+}
+
+resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' existing = {
+ name: sendKeyName
+ parent: hybridConnection
+}
+
+resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/relays@2022-03-01' = {
+ name: '${webAppName}/${splitResourceId[8]}/${splitResourceId[10]}'
+ properties: {
+ serviceBusNamespace: splitResourceId[8]
+ serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0]
+ relayName: splitResourceId[10]
+ relayArmUri: hybridConnection.id
+ hostname: split(json(hybridConnection.properties.userMetadata)[0].value, ':')[0]
+ port: int(split(json(hybridConnection.properties.userMetadata)[0].value, ':')[1])
+ sendKeyName: authorizationRule.name
+ sendKeyValue: authorizationRule.listKeys().primaryKey
+ }
+}
+
+@description('The name of the resource group the resource was deployed into.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json b/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json
new file mode 100644
index 0000000000..e781a210a4
--- /dev/null
+++ b/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Web/Function Apps Hybrid Connection Relay",
+ "summary": "This module configures a web or function app with a hybrid connection relay.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/version.json b/modules/web/sites/hybrid-connection-namespaces/relays/version.json
new file mode 100644
index 0000000000..039073633f
--- /dev/null
+++ b/modules/web/sites/hybrid-connection-namespaces/relays/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/web/sites/main.bicep b/modules/web/sites/main.bicep
index 808d0d33fb..8fcd4873f8 100644
--- a/modules/web/sites/main.bicep
+++ b/modules/web/sites/main.bicep
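Review bot: In hybrid-connection-namespaces/relays/main.bicep, `sendKeyValue: authorizationRule.listKeys().primaryKey` stores on the app the primary key of whichever authorization rule `sendKeyName` names, and nothing in the template or the parameter description limits that rule to Send rights, so a caller can hand the app a Listen- or Manage-capable key. I would state the expectation in the description, e.g. `@description('Optional. Name of the hybrid connection authorization rule whose primary key is stored on the app. The rule should grant Send rights only.')`. The `resourceId` description should likewise say that a full hybrid connection resource ID is required, since the template reads the fixed positions `splitResourceId[2]`, `[4]`, `[8]` and `[10]` and a differently shaped ID is only caught at deployment time. `json(hybridConnection.properties.userMetadata)[0].value` also assumes the first metadata entry holds the `host:port` endpoint, which is worth a why-comment. The same points apply to slots/hybrid-connection-namespaces/relays/main.bicep later in this patch.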
@@ -195,6 +195,9 @@ param redundancyMode string = 'None' @description('Optional. The site publishing credential policy names which are associated with the sites.') param basicPublishingCredentialsPolicies array = [] +@description('Optional. Names of hybrid connection relays to connect app with.') +param hybridConnectionRelays array = [] + // =========== // // Variables // // =========== // @@ -356,6 +359,7 @@ module app_slots 'slots/main.bicep' = [for (slot, index) in slots: { vnetContentShareEnabled: contains(slot, 'vnetContentShareEnabled') ? slot.vnetContentShareEnabled : false vnetImagePullEnabled: contains(slot, 'vnetImagePullEnabled') ? slot.vnetImagePullEnabled : false vnetRouteAllEnabled: contains(slot, 'vnetRouteAllEnabled') ? slot.vnetRouteAllEnabled : false + hybridConnectionRelays: contains(slot, 'hybridConnectionRelays') ? slot.hybridConnectionRelays : [] } }] @@ -368,6 +372,16 @@ module app_basicPublishingCredentialsPolicies 'basic-publishing-credentials-poli } }] +module app_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: { + name: '${uniqueString(deployment().name, location)}-HybridConnectionRelay-${index}' + params: { + resourceId: hybridConnectionRelay.resourceId + webAppName: app.name + sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { name: '${app.name}-${lock}-lock' properties: { diff --git a/modules/web/sites/slots/.bicep/nested_roleAssignments.bicep b/modules/web/sites/slots/.bicep/nested_roleAssignments.bicep index c504349543..59c7b550b8 100644 --- a/modules/web/sites/slots/.bicep/nested_roleAssignments.bicep +++ b/modules/web/sites/slots/.bicep/nested_roleAssignments.bicep 
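Review bot: The new `hybridConnectionRelays` parameter in modules/web/sites/main.bicep is described as "Names of hybrid connection relays", but the `app_hybridConnectionRelays` loop reads `hybridConnectionRelay.resourceId` and an optional `sendKeyName` from each element, so callers must pass objects rather than names. I would change the description to `@description('Optional. Hybrid connection relays to connect the app with. Each entry is an object with a resourceId (hybrid connection resource ID) and an optional sendKeyName (authorization rule name).')`. The same wording is used for the parameter added to slots/main.bicep and in both README parameter tables, so it should be corrected there as well.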
@@ -22,6 +22,7 @@ param principalType string = '' param description string = '' var builtInRoleNames = { + 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') diff --git a/modules/web/sites/slots/README.md b/modules/web/sites/slots/README.md index 380a83a7fc..ef260bd502 100644 --- a/modules/web/sites/slots/README.md +++ b/modules/web/sites/slots/README.md @@ -22,6 +22,7 @@ This module deploys a web or function app. | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Web/sites/slots` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/slots) | | `Microsoft.Web/sites/slots/config` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | +| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/slots/hybridConnectionNamespaces/relays) | ## Parameters 
@@ -66,6 +67,7 @@ This module deploys a web or function app. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `hostNameSslStates` | array | `[]` | | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | | `httpsOnly` | bool | `True` | | Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. | +| `hybridConnectionRelays` | array | `[]` | | Names of hybrid connection relays to connect app with. | | `hyperV` | bool | `False` | | Hyper-V sandbox. | | `keyVaultAccessIdentityResourceId` | string | `''` | | The resource ID of the assigned identity to be used to access a key vault with. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | diff --git a/modules/web/sites/slots/config--appsettings/main.bicep b/modules/web/sites/slots/config--appsettings/main.bicep index a38f1519c4..20f444436d 100644 --- a/modules/web/sites/slots/config--appsettings/main.bicep +++ b/modules/web/sites/slots/config--appsettings/main.bicep @@ -59,7 +59,7 @@ resource app 'Microsoft.Web/sites@2022-03-01' existing = { } } -resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { +resource appInsight 'microsoft.insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { name: last(split(appInsightResourceId, '/'))! scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) } diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md b/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md new file mode 100644 index 0000000000..cd7eeeb13a --- /dev/null +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md 
@@ -0,0 +1,50 @@ +# Web/Function Apps Hybrid Connection Relay `[Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays]` + +This module configures a web or function app with a hybrid connection relay. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/sites/slots/hybridConnectionNamespaces/relays) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `resourceId` | string | The resource id of the resource. | +| `slotName` | string | Slot name to be configured. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `webAppName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| `location` | string | `[resourceGroup().location]` | Location for all Resources. | +| `sendKeyName` | string | `'defaultSender'` | Name of the authorization rule send key to use. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `resourceGroupName` | string | The name of the resource group the resource was deployed into. | + +## Cross-referenced modules + +_None_ diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep new file mode 100644 index 0000000000..e5b2a45ea9 --- /dev/null 
+++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep 
@@ -0,0 +1,63 @@
+@description('Required. The resource id of the resource.')
+param resourceId string
+
+@description('Required. Slot name to be configured.')
+param slotName string
+
+@description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
+param webAppName string
+
+@description('Optional. Name of the authorization rule send key to use.')
+param sendKeyName string = 'defaultSender'
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var splitResourceId = split(resourceId, '/')
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
+ name: splitResourceId[8]
+ scope: resourceGroup(splitResourceId[2], splitResourceId[4])
+}
+
+resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = {
+ name: splitResourceId[10]
+ parent: namespace
+}
+
+resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' existing = {
+ name: sendKeyName
+ parent: hybridConnection
+}
+
+resource hybridConnectionRelay 'Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays@2022-03-01' = {
+ name: '${webAppName}/${slotName}/${splitResourceId[8]}/${splitResourceId[10]}'
+ properties: {
+ serviceBusNamespace: splitResourceId[8]
+ serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0]
+ relayName: splitResourceId[10]
+ relayArmUri: hybridConnection.id
+ hostname: split(json(hybridConnection.properties.userMetadata)[0].value, ':')[0]
+ port: int(split(json(hybridConnection.properties.userMetadata)[0].value, ':')[1])
+ sendKeyName: authorizationRule.name
+ sendKeyValue: authorizationRule.listKeys().primaryKey
+ }
+}
+
+@description('The name of the resource group the resource was deployed into.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json
new file mode 100644
index 0000000000..e781a210a4
--- /dev/null
+++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#",
+ "name": "Web/Function Apps Hybrid Connection Relay",
+ "summary": "This module configures a web or function app with a hybrid connection relay.",
+ "owner": "Azure/module-maintainers"
+}
diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/version.json b/modules/web/sites/slots/hybrid-connection-namespaces/relays/version.json
new file mode 100644
index 0000000000..039073633f
--- /dev/null
+++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/version.json
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json",
+ "./metadata.json"
+ ]
+}
diff --git a/modules/web/sites/slots/main.bicep b/modules/web/sites/slots/main.bicep
index b39e6fcec9..eec81c18da 100644
--- a/modules/web/sites/slots/main.bicep
+++ b/modules/web/sites/slots/main.bicep
@@ -207,6 +207,9 @@ param vnetImagePullEnabled bool = false @description('Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.') param vnetRouteAllEnabled bool = false +@description('Optional. Names of hybrid connection relays to connect app with.') +param hybridConnectionRelays array = [] + // =========== // // Variables // // =========== // @@ -321,6 +324,17 @@ module slot_authsettingsv2 'config--authsettingsv2/main.bicep' = if (!empty(auth } } +module slot_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: { + name: '${uniqueString(deployment().name, location)}-Slot-HybridConnectionRelay-${index}' + params: { + resourceId: hybridConnectionRelay.resourceId + webAppName: app.name + slotName: slot.name + sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + resource slot_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { name: '${slot.name}-${lock}-lock' properties: { From 187c70bd827fb09a9ff2e260b23163c0f59e083a Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:39:02 -0400 Subject: [PATCH 02/66] Update modules/relay/namespaces/.test/common/main.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/.test/common/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/.test/common/main.test.bicep b/modules/relay/namespaces/.test/common/main.test.bicep index 36b90bdd87..2cf206ca7a 100644 --- a/modules/relay/namespaces/.test/common/main.test.bicep +++ b/modules/relay/namespaces/.test/common/main.test.bicep 
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'relcom' +param serviceShort string = 'rncom' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 6061a1bfde1934ec62b30875ee844fdac8239b5b Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:39:15 -0400 Subject: [PATCH 03/66] Update modules/relay/namespaces/.test/min/main.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/.test/min/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/.test/min/main.test.bicep b/modules/relay/namespaces/.test/min/main.test.bicep index a90b17187a..890cb7e00c 100644 --- a/modules/relay/namespaces/.test/min/main.test.bicep +++ b/modules/relay/namespaces/.test/min/main.test.bicep @@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sbnmin' +param serviceShort string = 'rnmin' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 71ad1594ea1c2ee0f8b20421050565bc7d107d03 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:39:30 -0400 Subject: [PATCH 04/66] Update modules/relay/namespaces/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/relay/namespaces/README.md b/modules/relay/namespaces/README.md index 9c558aa39e..0503828960 100644 --- a/modules/relay/namespaces/README.md +++ b/modules/relay/namespaces/README.md @@ -1,6 +1,6 @@ # Relay Namespaces `[Microsoft.Relay/namespaces]` -This module deploys a relay namespace resource. +This module deploys a Relay Namespace. ## Navigation From c86ab0406b39d5a50c80d6346ec4bab5211d625c Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:39:40 -0400 Subject: [PATCH 05/66] Update modules/relay/namespaces/authorization-rules/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/authorization-rules/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/authorization-rules/README.md b/modules/relay/namespaces/authorization-rules/README.md index dfcb1c3ecd..44420982c3 100644 --- a/modules/relay/namespaces/authorization-rules/README.md +++ b/modules/relay/namespaces/authorization-rules/README.md @@ -1,6 +1,6 @@ # Relay Namespace Authorization Rules `[Microsoft.Relay/namespaces/authorizationRules]` -This module deploys authorization rules for a relay namespace. +This module deploys a Relay Namespace Authorization Rule. ## Navigation From 299fda3ab02cab82f031edf2b40f7b8c21eacbb4 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:39:47 -0400 Subject: [PATCH 06/66] Update modules/relay/namespaces/authorization-rules/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/authorization-rules/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/authorization-rules/metadata.json b/modules/relay/namespaces/authorization-rules/metadata.json index f38368f65c..272f91d0a9 100644 --- a/modules/relay/namespaces/authorization-rules/metadata.json 
+++ b/modules/relay/namespaces/authorization-rules/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Relay Namespace Authorization Rules", - "summary": "This module deploys authorization rules for a relay namespace.", + "summary": "This module deploys a Relay Namespace Authorization Rule.", "owner": "Azure/module-maintainers" } From ed5993447cde04deff9c80ada9ec8b6870df020b Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:40:17 -0400 Subject: [PATCH 07/66] Update modules/relay/namespaces/hybrid-connections/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/README.md b/modules/relay/namespaces/hybrid-connections/README.md index 50fcc0e08e..025942234e 100644 --- a/modules/relay/namespaces/hybrid-connections/README.md +++ b/modules/relay/namespaces/hybrid-connections/README.md @@ -1,6 +1,6 @@ # Hybrid Connection Relay `[Microsoft.Relay/namespaces/hybridConnections]` -This module deploys a hybrid connection relay resource. +This module deploys a Relay Namespace Hybrid Connection. ## Navigation From 1a1e0512646a574f932104c60bb7dd7dec2f9c81 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:40:29 -0400 Subject: [PATCH 08/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../slots/hybrid-connection-namespaces/relays/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json index e781a210a4..a502f8c8f3 100644 
--- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", - "name": "Web/Function Apps Hybrid Connection Relay", + "name": "Web/Function Apps Slot Hybrid Connection Relay", "summary": "This module configures a web or function app with a hybrid connection relay.", "owner": "Azure/module-maintainers" } From de76a90eeb19b237d0dcb3b6eaff47c8a15d6e5c Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:40:40 -0400 Subject: [PATCH 09/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../slots/hybrid-connection-namespaces/relays/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json index a502f8c8f3..ea9a18c024 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Web/Function Apps Slot Hybrid Connection Relay", - "summary": "This module configures a web or function app with a hybrid connection relay.", + "summary": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", "owner": "Azure/module-maintainers" } From 58df166a8725dd4e6a8071cd9b8a9bf2eef15590 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:40:52 -0400 Subject: [PATCH 10/66] Update modules/web/sites/slots/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/slots/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/main.bicep b/modules/web/sites/slots/main.bicep index eec81c18da..fba52bcf26 100644 --- a/modules/web/sites/slots/main.bicep +++ b/modules/web/sites/slots/main.bicep @@ -328,7 +328,7 @@ module slot_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bic name: '${uniqueString(deployment().name, location)}-Slot-HybridConnectionRelay-${index}' params: { resourceId: hybridConnectionRelay.resourceId - webAppName: app.name + appName: app.name slotName: slot.name sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null enableDefaultTelemetry: enableReferencedModulesTelemetry From b5e582d4485dd5d49a45e8a387e685513e71a7e8 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:40:57 -0400 Subject: [PATCH 11/66] Update modules/web/sites/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/main.bicep b/modules/web/sites/main.bicep index 8fcd4873f8..1d441e2218 100644 --- a/modules/web/sites/main.bicep +++ b/modules/web/sites/main.bicep @@ -376,7 +376,7 @@ module app_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bice name: '${uniqueString(deployment().name, location)}-HybridConnectionRelay-${index}' params: { resourceId: hybridConnectionRelay.resourceId - webAppName: app.name + appName: app.name sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null enableDefaultTelemetry: enableReferencedModulesTelemetry } 
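Review bot: Patches 10/66 and 11/66 rename the argument to `appName: app.name` in slots/main.bicep and sites/main.bicep, but both relay modules added in patch 01 declare `param webAppName string` and use `${webAppName}` in the relay resource name. None of the patches visible up to this point renames that parameter, so unless a later patch in the series does, these module calls pass an undeclared parameter and omit a required one. The rename should land together with `param appName string` and the matching `${appName}` in the resource name in both relays/main.bicep files, and the README "Conditional parameters" rows need the same update.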
From d92add0ac7285c3f0cceb20e0e584737322c2fcc Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:45:23 -0400 Subject: [PATCH 12/66] Update modules/relay/namespaces/.test/pe/main.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/.test/pe/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/.test/pe/main.test.bicep b/modules/relay/namespaces/.test/pe/main.test.bicep index 7ea1e690cd..c73d2eca40 100644 --- a/modules/relay/namespaces/.test/pe/main.test.bicep +++ b/modules/relay/namespaces/.test/pe/main.test.bicep @@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sbnpe' +param serviceShort string = 'rnpe' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 243596e4221a7cc254374b73d2f91104292674b0 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:45:39 -0400 Subject: [PATCH 13/66] Update modules/relay/namespaces/hybrid-connections/authorization-rules/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../namespaces/hybrid-connections/authorization-rules/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md index e548a19fdf..1beabcd068 100644 --- a/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md +++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md 
@@ -1,6 +1,6 @@ # Hybrid Connection Relay Authorization Rules `[Microsoft.Relay/namespaces/hybridConnections/authorizationRules]` -This module deploys authorization rules for a hybrid connection relay. +This module deploys a Hybrid Connection Authorization Rule. ## Navigation From acca845fe05c3058fe44446fed401195c3aeb3fa Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:45:52 -0400 Subject: [PATCH 14/66] Update modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../hybrid-connections/authorization-rules/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json index 35e15893fc..a504193bc5 100644 --- a/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json +++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Hybrid Connection Relay Authorization Rules", - "summary": "This module deploys authorization rules for a hybrid connection relay.", + "summary": "This module deploys a Hybrid Connection Authorization Rule.", "owner": "Azure/module-maintainers" } From 600721a059251f57190b8da8b4347a96406dc0c4 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:46:03 -0400 Subject: [PATCH 15/66] Update modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../hybrid-connections/authorization-rules/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep b/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep index f7d997e6b4..9adf2bb9da 100644 --- a/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/main.bicep @@ -1,4 +1,4 @@ -@description('Required. The name of the relay namepace hybrid connection.') +@description('Required. The name of the authorization rule.') param name string @description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.') From 54016fd2f01217ead388815be1c7a47f991205bf Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:46:17 -0400 Subject: [PATCH 16/66] Update modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../hybrid-connections/authorization-rules/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json index a504193bc5..03bcef7d7a 100644 --- a/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json +++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", - "name": "Hybrid Connection Relay Authorization Rules", + "name": "Hybrid Connection Authorization Rules", "summary": "This module deploys a Hybrid Connection Authorization Rule.", "owner": "Azure/module-maintainers" } From 164d63f7447f215e3318907fa6baee3a57306015 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:46:31 -0400 Subject: [PATCH 17/66] Update modules/relay/namespaces/hybrid-connections/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep index a5098b7758..c4d44a3a0a 100644 --- a/modules/relay/namespaces/hybrid-connections/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/main.bicep @@ -3,7 +3,7 @@ @maxLength(50) param namespaceName string -@description('Required. Name of the Relay Hybrid Connection.') +@description('Required. The name of the hybrid connection.') @minLength(6) @maxLength(50) param name string From 35d6f04b7ddb8c6cdab6396832e9ede5c1b36d33 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:46:52 -0400 Subject: [PATCH 18/66] Update modules/relay/namespaces/hybrid-connections/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep index c4d44a3a0a..157c621705 100644 --- a/modules/relay/namespaces/hybrid-connections/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/main.bicep 
@@ -8,7 +8,7 @@ param namespaceName string @maxLength(50) param name string -@description('Required. User-defined string data for the Relay Hybrid Connection.') +@description('Required. The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored.') param userMetadata string @description('Optional. A value indicating if this hybrid connection requires duplicate detection.') From 3c6e25db655b975de0238074e2bf56d744bdad4b Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:47:12 -0400 Subject: [PATCH 19/66] Update modules/relay/namespaces/hybrid-connections/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep index 157c621705..9670af6c77 100644 --- a/modules/relay/namespaces/hybrid-connections/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/main.bicep @@ -11,7 +11,7 @@ param name string @description('Required. The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored.') param userMetadata string -@description('Optional. A value indicating if this hybrid connection requires duplicate detection.') +@description('Optional. A value indicating if this hybrid connection requires client authorization.') param requiresClientAuthorization bool = true @description('Optional. Authorization Rules for the Relay Hybrid Connection.') 
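Review bot: The new `userMetadata` description invites callers to store "user-defined configuration settings", but the parameter under it is a plain `string` with no `@secure()` decorator in view. Anything placed there travels as an ordinary deployment parameter and is presumably readable on the resource by anyone with read access to the namespace. I would close the description with `Do not store secrets or connection strings in this value.` so the guidance is not read as a place to keep credentials.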
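Review bot: The corrected description on `requiresClientAuthorization` still does not say what turning the flag off means, and this flag is the sender-side access control of the hybrid connection. As far as I know, with `false` sender clients can open the connection without presenting a token, while listeners are still authorized; please confirm against the Relay documentation. Suggest extending the text to `'Optional. A value indicating if this hybrid connection requires client authorization. If set to false, senders can connect without a token.'` and keeping the `true` default shown on the next line.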
From 05bc2492631e4c4e5ea326e4e60b4858db0545a9 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:47:27 -0400 Subject: [PATCH 20/66] Update modules/relay/namespaces/hybrid-connections/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep index 9670af6c77..e53666a3c1 100644 --- a/modules/relay/namespaces/hybrid-connections/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/main.bicep @@ -79,7 +79,7 @@ resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11- } } -module hybridconnection_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: { +module hybridConnection_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: { name: '${deployment().name}-AuthRule-${index}' params: { namespaceName: namespaceName From 62dd71d05e7ff8a1281d4817319b54c1eca9079f Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:47:43 -0400 Subject: [PATCH 21/66] Update modules/relay/namespaces/hybrid-connections/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/metadata.json b/modules/relay/namespaces/hybrid-connections/metadata.json index 1fbabdbbd2..512eeda775 100644 --- a/modules/relay/namespaces/hybrid-connections/metadata.json +++ b/modules/relay/namespaces/hybrid-connections/metadata.json 
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", - "name": "Hybrid Connection Relay", + "name": "Relay Namespace Hybrid Connections", "summary": "This module deploys a hybrid connection relay resource.", "owner": "Azure/module-maintainers" } From bf88c3ffa7abc1b46bcf9914f177e42e30f64988 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:47:58 -0400 Subject: [PATCH 22/66] Update modules/relay/namespaces/hybrid-connections/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/metadata.json b/modules/relay/namespaces/hybrid-connections/metadata.json index 512eeda775..f1c11cafe2 100644 --- a/modules/relay/namespaces/hybrid-connections/metadata.json +++ b/modules/relay/namespaces/hybrid-connections/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Relay Namespace Hybrid Connections", - "summary": "This module deploys a hybrid connection relay resource.", + "summary": "This module deploys a Relay Namespace Hybrid Connection.", "owner": "Azure/module-maintainers" } From c69963d8ba66d2ddd1b974fc082bf02a74d677ce Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:48:12 -0400 Subject: [PATCH 23/66] Update modules/relay/namespaces/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/main.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep index 0ffac7ad73..08ba0efd07 100644 --- a/modules/relay/namespaces/main.bicep +++ b/modules/relay/namespaces/main.bicep @@ -1,4 +1,5 @@ @description('Required. Name of the Relay Namespace.') +@minLength(6) @maxLength(50) param name string 
From 9eec14203ea1de1391c285a1b5c3f38dde1b03ef Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:48:34 -0400 Subject: [PATCH 24/66] Update modules/relay/namespaces/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/main.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep index 08ba0efd07..7da3ac9009 100644 --- a/modules/relay/namespaces/main.bicep +++ b/modules/relay/namespaces/main.bicep @@ -77,6 +77,7 @@ param wcfRelays array = [] ]) param diagnosticLogCategoriesToEnable array = [ 'allLogs' + 'hybridConnectionsEvent' ] @description('Optional. The name of metrics that will be streamed.') From c9a14da593592b81f62ce65c63a7948a9570738b Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:48:52 -0400 Subject: [PATCH 25/66] Update modules/relay/namespaces/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep index 7da3ac9009..5d2258fd35 100644 --- a/modules/relay/namespaces/main.bicep +++ b/modules/relay/namespaces/main.bicep @@ -167,7 +167,7 @@ module namespace_networkRuleSet 'network-rule-sets/main.bicep' = if (!empty(netw } module namespace_hybridConnections 'hybrid-connections/main.bicep' = [for (hybridConnection, index) in hybridConnections: { - name: '${uniqueString(deployment().name, location)}-hybridConnection-${index}' + name: '${uniqueString(deployment().name, location)}-HybridConnection-${index}' params: { namespaceName: namespace.name name: hybridConnection.name From ef52f7f6721723f2bab8aae1e8da6a15b8b46d8d Mon Sep 17 00:00:00 2001 
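Review bot: In the `@@ -77,6 +77,7 @@` hunk the added `'hybridConnectionsEvent'` lands in the default value of `diagnosticLogCategoriesToEnable`, after the `])` that closes the decorator above it (presumably the `@allowed` list), not in that list. The allowed entries are outside the hunk: if the category is not among them, a deployment that relies on the default fails parameter validation. If it is, the default now mixes the `allLogs` group with one of its member categories, which is redundant at best. If the intent was to permit the category, add it to `@allowed` and leave the default as `'allLogs'` only.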
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:49:02 -0400 Subject: [PATCH 26/66] Update modules/relay/namespaces/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep index 5d2258fd35..41a4191da8 100644 --- a/modules/relay/namespaces/main.bicep +++ b/modules/relay/namespaces/main.bicep @@ -200,7 +200,7 @@ module namespace_hybridConnections 'hybrid-connections/main.bicep' = [for (hybri }] module namespace_wcfRelays 'wcf-relays/main.bicep' = [for (wcfRelay, index) in wcfRelays: { - name: '${uniqueString(deployment().name, location)}-wcfRelay-${index}' + name: '${uniqueString(deployment().name, location)}-WcfRelay-${index}' params: { namespaceName: namespace.name name: wcfRelay.name From 4de1712b233f86d28cf4b2927ed765e75a289f51 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:49:12 -0400 Subject: [PATCH 27/66] Update modules/relay/namespaces/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/metadata.json b/modules/relay/namespaces/metadata.json index 511f76ec96..05c36e6e89 100644 --- a/modules/relay/namespaces/metadata.json +++ b/modules/relay/namespaces/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Relay Namespaces", - "summary": "This module deploys a relay namespace resource.", + "summary": "This module deploys a Relay Namespace", "owner": "Azure/module-maintainers" } From 3185a49a89664ce329d16da06fd202f27fce332c Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:49:27 -0400 Subject: [PATCH 28/66] Update modules/relay/namespaces/network-rule-sets/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/network-rule-sets/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/network-rule-sets/README.md b/modules/relay/namespaces/network-rule-sets/README.md index 094c4cdd9b..67cefac177 100644 --- a/modules/relay/namespaces/network-rule-sets/README.md +++ b/modules/relay/namespaces/network-rule-sets/README.md @@ -1,6 +1,6 @@ # Relay Namespaces Network Rules Sets `[Microsoft.Relay/namespaces/networkRuleSets]` -This module deploys Relay Namespace Network Rule Sets. +This module deploys a Relay Namespace Network Rule Set. ## Navigation From 04fbdfb48b50aaef0d1035c4bba17803cde0fa8f Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:49:41 -0400 Subject: [PATCH 29/66] Update modules/relay/namespaces/network-rule-sets/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/network-rule-sets/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/network-rule-sets/metadata.json b/modules/relay/namespaces/network-rule-sets/metadata.json index d8f5cfc6e0..e8cf9d69a8 100644 --- a/modules/relay/namespaces/network-rule-sets/metadata.json +++ b/modules/relay/namespaces/network-rule-sets/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", - "name": "Relay Namespaces Network Rules Sets", + "name": "Relay Namespace Network Rules Sets", "summary": "This module deploys Relay Namespace Network Rule Sets.", "owner": "Azure/module-maintainers" } From a46dc9cd2e2ba4d51dc3ebccd522d00531286c85 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:49:51 -0400 Subject: [PATCH 30/66] Update modules/relay/namespaces/network-rule-sets/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/network-rule-sets/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/network-rule-sets/metadata.json b/modules/relay/namespaces/network-rule-sets/metadata.json index e8cf9d69a8..b9dca3e86f 100644 --- a/modules/relay/namespaces/network-rule-sets/metadata.json +++ b/modules/relay/namespaces/network-rule-sets/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Relay Namespace Network Rules Sets", - "summary": "This module deploys Relay Namespace Network Rule Sets.", + "summary": "This module deploys a Relay Namespace Network Rule Set.", "owner": "Azure/module-maintainers" } From 0cfb96c1b258fee52475a904e3f6d2e2fa82c80f Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:50:00 -0400 Subject: [PATCH 31/66] Update modules/relay/namespaces/wcf-relays/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/wcf-relays/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/README.md b/modules/relay/namespaces/wcf-relays/README.md index 095d6b7375..a328bf6276 100644 --- a/modules/relay/namespaces/wcf-relays/README.md +++ b/modules/relay/namespaces/wcf-relays/README.md @@ -1,6 +1,6 @@ # WCF Relay `[Microsoft.Relay/namespaces/wcfRelays]` -This module deploys a wcf relay resource. +This module deploys a Relay Namespace WCF Relay. ## Navigation From 40bfd2ceb5e203e6554c6560edfe5bd04d9094d8 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 10:50:16 -0400 Subject: [PATCH 32/66] Update modules/relay/namespaces/wcf-relays/authorization-rules/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../relay/namespaces/wcf-relays/authorization-rules/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/README.md b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md index ba12d5cd55..90e83395a2 100644 --- a/modules/relay/namespaces/wcf-relays/authorization-rules/README.md +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md @@ -1,6 +1,6 @@ # WCF Relay Authorization Rules `[Microsoft.Relay/namespaces/wcfRelays/authorizationRules]` -This module deploys authorization rules for a wcf relay. +This module deploys a WCF Relay Authorization Rule. ## Navigation From 5bf75260e05fdd9d1bbbf34cde89d9c8c9d48203 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:50:32 -0400 Subject: [PATCH 33/66] Update modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../relay/namespaces/wcf-relays/authorization-rules/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep b/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep index e83d4b9f25..a27baa2135 100644 --- a/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/main.bicep @@ -1,4 +1,4 @@ -@description('Required. The name of the relay namepace wcf relay.') +@description('Required. The name of the authorization rule.') param name string @description('Conditional. The name of the parent Relay Namespace. Required if the template is used in a standalone deployment.') 
From 08cb4788491b8a197d498229c8b6933611f0a54b Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:50:48 -0400 Subject: [PATCH 34/66] Update modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../namespaces/wcf-relays/authorization-rules/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json b/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json index c4ff3f6b4d..18f35ae6e9 100644 --- a/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json +++ b/modules/relay/namespaces/wcf-relays/authorization-rules/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "WCF Relay Authorization Rules", - "summary": "This module deploys authorization rules for a wcf relay.", + "summary": "This module deploys a WCF Relay Authorization Rule.", "owner": "Azure/module-maintainers" } From 4a38c314a47b0fde11f42a9a9bd306f59843b3eb Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:51:17 -0400 Subject: [PATCH 35/66] Update modules/relay/namespaces/wcf-relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/wcf-relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/main.bicep b/modules/relay/namespaces/wcf-relays/main.bicep index 026502785d..33138fa634 100644 --- a/modules/relay/namespaces/wcf-relays/main.bicep +++ b/modules/relay/namespaces/wcf-relays/main.bicep 
@@ -92,7 +92,7 @@ resource wcfRelay 'Microsoft.Relay/namespaces/wcfRelays@2021-11-01' = { } module wcfRelay_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${deployment().name}-AuthRule-${index}' + name: '${deployment().name}-AuthorizationRule-${index}' params: { namespaceName: namespaceName wcfRelayName: wcfRelay.name From 572dc8ae6e58abbe4d6b549f363ea8b754869878 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 10:51:32 -0400 Subject: [PATCH 36/66] Update modules/relay/namespaces/hybrid-connections/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/hybrid-connections/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/hybrid-connections/main.bicep b/modules/relay/namespaces/hybrid-connections/main.bicep index e53666a3c1..1affdbb154 100644 --- a/modules/relay/namespaces/hybrid-connections/main.bicep +++ b/modules/relay/namespaces/hybrid-connections/main.bicep @@ -80,7 +80,7 @@ resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11- } module hybridConnection_authorizationRules 'authorization-rules/main.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${deployment().name}-AuthRule-${index}' + name: '${deployment().name}-AuthorizationRule-${index}' params: { namespaceName: namespaceName hybridConnectionName: hybridConnection.name From 7cfe2d75efdcf72523dfed97b3679a36405e424a Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:01:47 -0400 Subject: [PATCH 37/66] Update modules/web/sites/hybrid-connection-namespaces/relays/README.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/hybrid-connection-namespaces/relays/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/README.md b/modules/web/sites/hybrid-connection-namespaces/relays/README.md index 106aea40ab..3bce7a338a 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/README.md +++ b/modules/web/sites/hybrid-connection-namespaces/relays/README.md @@ -1,6 +1,6 @@ # Web/Function Apps Hybrid Connection Relay `[Microsoft.Web/sites/hybridConnectionNamespaces/relays]` -This module configures a web or function app with a hybrid connection relay. +This module deploys a Site Hybrid Connection Namespace Relay. ## Navigation From 0193b337f4608e0f65183cc142421698be79e7b5 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:02:18 -0400 Subject: [PATCH 38/66] Update modules/web/sites/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../web/sites/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 85c90f5d5b..951e5173f4 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -2,7 +2,7 @@ param resourceId string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') -param webAppName string +param appName string @description('Optional. Name of the authorization rule send key to use.') param sendKeyName string = 'defaultSender' From ea53a62ea7918b6aa8bae4a7d3f3d416a7f31d09 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 11:03:45 -0400 Subject: [PATCH 39/66] Update modules/web/sites/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../web/sites/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 951e5173f4..5e449e3cab 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -1,5 +1,5 @@ @description('Required. The resource id of the resource.') -param resourceId string +param hybridConnectionResourceId string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') param appName string From 2087f625db76c760b2102316bc7d10d61f7ce4ed Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:04:11 -0400 Subject: [PATCH 40/66] resolving comments --- modules/relay/namespaces/README.md | 69 ------------------- .../functionAppCommon/dependencies.bicep | 4 +- .../.test/functionAppCommon/main.test.bicep | 2 +- .../web/sites/config--appsettings/main.bicep | 2 +- .../relays/main.bicep | 4 +- 5 files changed, 6 insertions(+), 75 deletions(-) diff --git a/modules/relay/namespaces/README.md b/modules/relay/namespaces/README.md index 0503828960..1ec0e00527 100644 --- a/modules/relay/namespaces/README.md +++ b/modules/relay/namespaces/README.md @@ -219,42 +219,6 @@ privateEndpoints: [

-### Parameter Usage: `networkAcl` - -Configure networing options on premium SKU only. - -

- -Parameter JSON format - -```json -"networkAclConfig": { - "value" : { - "publicNetworkAccess": "Disabled", - "allowTrustedServices": true - } -} - - -``` - -
- -
- -Bicep format - -```bicep -networkingAclConfig: { - publicNetworkAccess: "Disabled" - allowTrustedServices: true -} - -``` - -
-

- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -296,39 +260,6 @@ tags: {

-### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/web/sites/.test/functionAppCommon/dependencies.bicep b/modules/web/sites/.test/functionAppCommon/dependencies.bicep index cb817abcd7..c58bb47c3a 100644 --- a/modules/web/sites/.test/functionAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/functionAppCommon/dependencies.bicep @@ -17,7 +17,7 @@ param storageAccountName string param applicationInsightsName string @description('Required. The name of the Relay Namespace to create.') -param namespaceName string +param relayNamespaceName string @description('Required. The name of the Hybrid Connection to create.') param hybridConnectionName string @@ -96,7 +96,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { } resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = { - name: namespaceName + name: relayNamespaceName location: location sku: { name: 'Standard' diff --git a/modules/web/sites/.test/functionAppCommon/main.test.bicep b/modules/web/sites/.test/functionAppCommon/main.test.bicep index 1f2574d91c..fe6f7a7abe 100644 --- a/modules/web/sites/.test/functionAppCommon/main.test.bicep +++ b/modules/web/sites/.test/functionAppCommon/main.test.bicep @@ -37,7 +37,7 @@ module nestedDependencies 'dependencies.bicep' = { serverFarmName: 'dep-<>-sf-${serviceShort}' storageAccountName: 'dep<>st${serviceShort}' applicationInsightsName: 'dep-<>-appi-${serviceShort}' - namespaceName: 'dep-<>-ns-${serviceShort}' + relayNamespaceName: 'dep-<>-ns-${serviceShort}' hybridConnectionName: 'dep-<>-hc-${serviceShort}' } } diff --git a/modules/web/sites/config--appsettings/main.bicep b/modules/web/sites/config--appsettings/main.bicep index 34d78d021e..0940137f1a 100644 --- a/modules/web/sites/config--appsettings/main.bicep +++ b/modules/web/sites/config--appsettings/main.bicep 
@@ -52,7 +52,7 @@ resource app 'Microsoft.Web/sites@2022-03-01' existing = { name: appName } -resource appInsight 'microsoft.insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { +resource appInsight 'microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { name: last(split(appInsightResourceId, '/'))! scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) } diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 85c90f5d5b..357aff5b57 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -1,5 +1,5 @@ @description('Required. The resource id of the resource.') -param resourceId string +param hybridConnectionResourceId string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') param webAppName string @@ -13,7 +13,7 @@ param location string = resourceGroup().location @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var splitResourceId = split(resourceId, '/') +var splitResourceId = split(hybridConnectionResourceId, '/') resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' From 706188d63c26fb476276fb76d83108ecda46e6e3 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:04:25 -0400 Subject: [PATCH 41/66] Update modules/web/sites/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../web/sites/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 3d700ba880..5e57911fc2 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -1,4 +1,4 @@ -@description('Required. The resource id of the resource.') +@description('Required. The resource ID of the relay namespace hybrid connection.') param hybridConnectionResourceId string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') From 4df12d65922e8fbc4e335e9f1e285099863a9b36 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:08:30 -0400 Subject: [PATCH 42/66] Update modules/web/sites/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../web/sites/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 5e57911fc2..42b59df817 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -43,7 +43,7 @@ resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authori } resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/relays@2022-03-01' = { - name: '${webAppName}/${splitResourceId[8]}/${splitResourceId[10]}' + name: '${appName}/${namespace::hybridConnection.name}/${namespace::hybridConnection::authorizationRule.name}' properties: { serviceBusNamespace: splitResourceId[8] serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] 
From 52bcfe21f17ad88885372326bff2abeabcc8ae57 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:08:59 -0400 Subject: [PATCH 43/66] updated resource hierarchy --- .../hybrid-connection-namespaces/relays/main.bicep | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 3d700ba880..f7d2e8f4e5 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -30,16 +30,14 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { name: splitResourceId[8] scope: resourceGroup(splitResourceId[2], splitResourceId[4]) -} -resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = { - name: splitResourceId[10] - parent: namespace -} + resource hybridConnection 'hybridConnections@2021-11-01' existing = { + name: splitResourceId[10] -resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' existing = { - name: sendKeyName - parent: hybridConnection + resource authorizationRule 'authorizationRules@2021-11-01' existing = { + name: sendKeyName + } + } } resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/relays@2022-03-01' = { From e36f3f237e161d228565d1c7e5d264ff4083de37 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:10:00 -0400 Subject: [PATCH 44/66] additional resource hiararchy ref changes --- .../hybrid-connection-namespaces/relays/main.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index d65f0c5ecd..6861500110 100644 
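Review bot: The `existing` references in this hunk take the subscription, resource group, namespace and hybrid connection from fixed positions of the caller-supplied ID (`splitResourceId[2]`, `[4]`, `[8]`, `[10]`), and nothing visible checks that the ID really is a `Microsoft.Relay/namespaces/hybridConnections` resource ID. An ID of another type, or one with a segment missing, resolves to different names, and because `scope` is derived from the same string, the lookup and the later `listKeys()` call run against whichever subscription and resource group that string names. The parameter declaration is outside this hunk; I would state the expected shape in its description, `@description('Required. The resource ID of the relay namespace hybrid connection, in the form /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Relay/namespaces/<namespaceName>/hybridConnections/<hybridConnectionName>.')`. The slots template hunk (`@@ -33,29 +33,27 @@`) and the later inlined `split(hybridConnectionResourceId, '/')[n]` form depend on the same positions.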
--- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -46,11 +46,11 @@ resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/r serviceBusNamespace: splitResourceId[8] serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] relayName: splitResourceId[10] - relayArmUri: hybridConnection.id - hostname: split(json(hybridConnection.properties.userMetadata)[0].value, ':')[0] - port: int(split(json(hybridConnection.properties.userMetadata)[0].value, ':')[1]) - sendKeyName: authorizationRule.name - sendKeyValue: authorizationRule.listKeys().primaryKey + relayArmUri: namespace::hybridConnection.id + hostname: split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[0] + port: int(split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[1]) + sendKeyName: namespace::hybridConnection::authorizationRule.name + sendKeyValue: namespace::hybridConnection::authorizationRule.listKeys().primaryKey } } From 7e56fa65470364f00ddd2f8ec785840167ab7806 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:11:09 -0400 Subject: [PATCH 45/66] Update modules/web/sites/hybrid-connection-namespaces/relays/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../web/sites/hybrid-connection-namespaces/relays/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json b/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json index e781a210a4..afb40f9ec0 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json +++ b/modules/web/sites/hybrid-connection-namespaces/relays/metadata.json 
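Review bot: `sendKeyValue` is filled from `listKeys().primaryKey` of whichever authorization rule `sendKeyName` names, and nothing in the template constrains that rule to the `Send` right. If a caller passes a rule that also carries `Listen` or `Manage`, that broader key ends up in the site's hybrid connection configuration. The parameter is declared outside this hunk; its description could say so, `@description('Optional. Name of the authorization rule send key to use. The rule should grant only the Send right.')`, and a comment above the property would help the next reader: `// primary key of the rule named by sendKeyName; expected to be a Send-only rule`. The slots template hunk (`@@ -33,29 +33,27 @@`) reads the key the same way. The resource body starts above this hunk.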
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "Web/Function Apps Hybrid Connection Relay", - "summary": "This module configures a web or function app with a hybrid connection relay.", + "summary": "This module deploys a Site Hybrid Connection Namespace Relay.", "owner": "Azure/module-maintainers" } From 40df9f0c4c6ba34573f17e83dc929d4f56ac65ef Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:11:38 -0400 Subject: [PATCH 46/66] Update modules/web/sites/slots/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/slots/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/main.bicep b/modules/web/sites/slots/main.bicep index fba52bcf26..f47aa54b19 100644 --- a/modules/web/sites/slots/main.bicep +++ b/modules/web/sites/slots/main.bicep @@ -327,7 +327,7 @@ module slot_authsettingsv2 'config--authsettingsv2/main.bicep' = if (!empty(auth module slot_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: { name: '${uniqueString(deployment().name, location)}-Slot-HybridConnectionRelay-${index}' params: { - resourceId: hybridConnectionRelay.resourceId + hybridConnectionResourceId: hybridConnectionRelay.resourceId appName: app.name slotName: slot.name sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null From 5280e5d3206a26aad246e3118dfe48f1be3068b3 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:12:24 -0400 Subject: [PATCH 47/66] Update modules/web/sites/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/main.bicep b/modules/web/sites/main.bicep index 1d441e2218..0cbea34d8b 100644 
--- a/modules/web/sites/main.bicep +++ b/modules/web/sites/main.bicep @@ -375,7 +375,7 @@ module app_basicPublishingCredentialsPolicies 'basic-publishing-credentials-poli module app_hybridConnectionRelays 'hybrid-connection-namespaces/relays/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: { name: '${uniqueString(deployment().name, location)}-HybridConnectionRelay-${index}' params: { - resourceId: hybridConnectionRelay.resourceId + hybridConnectionResourceId: hybridConnectionRelay.resourceId appName: app.name sendKeyName: contains(hybridConnectionRelay, 'sendKeyName') ? hybridConnectionRelay.sendKeyName : null enableDefaultTelemetry: enableReferencedModulesTelemetry From 0cd9866528b7487118fb19c40eddc101e747695c Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:12:50 -0400 Subject: [PATCH 48/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../sites/slots/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index e5b2a45ea9..a286c5aa60 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -1,5 +1,5 @@ @description('Required. The resource id of the resource.') -param resourceId string +param hybridConnectionResourceId string @description('Required. Slot name to be configured.') param slotName string From 9abe5c7cf709a81f916f5ddca0545165ae124289 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Tue, 20 Jun 2023 11:13:08 -0400 Subject: [PATCH 49/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../sites/slots/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index a286c5aa60..aed06da975 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -1,4 +1,4 @@ -@description('Required. The resource id of the resource.') +@description('Required. The resource ID of the relay namespace hybrid connection.') param hybridConnectionResourceId string @description('Required. Slot name to be configured.') From 9d8db7ec896e6c69c188b4edd70bddccd93029c9 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:13:23 -0400 Subject: [PATCH 50/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../sites/slots/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index aed06da975..c54e54731f 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep 
@@ -5,7 +5,7 @@ param hybridConnectionResourceId string param slotName string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') -param webAppName string +param appName string @description('Optional. Name of the authorization rule send key to use.') param sendKeyName string = 'defaultSender' From ed9c6a5d8811b187985ff8535553e377022fab27 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:20:32 -0400 Subject: [PATCH 51/66] fix resource hierarchy --- .../relays/main.bicep | 6 ++-- .../relays/main.bicep | 34 +++++++++---------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 6861500110..13490ba328 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep @@ -41,11 +41,11 @@ resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { } resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/relays@2022-03-01' = { - name: '${appName}/${namespace::hybridConnection.name}/${namespace::hybridConnection::authorizationRule.name}' + name: '${appName}/${namespace.name}/${namespace::hybridConnection.name}' properties: { - serviceBusNamespace: splitResourceId[8] + serviceBusNamespace: namespace.name serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] - relayName: splitResourceId[10] + relayName: namespace::hybridConnection.name relayArmUri: namespace::hybridConnection.id hostname: split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[0] port: int(split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[1]) 
diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index e5b2a45ea9..c76eda0973 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -1,5 +1,5 @@ @description('Required. The resource id of the resource.') -param resourceId string +param hybridConnectionResourceId string @description('Required. Slot name to be configured.') param slotName string @@ -16,7 +16,7 @@ param location string = resourceGroup().location @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var splitResourceId = split(resourceId, '/') +var splitResourceId = split(hybridConnectionResourceId, '/') resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -33,29 +33,27 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { name: splitResourceId[8] scope: resourceGroup(splitResourceId[2], splitResourceId[4]) -} -resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = { - name: splitResourceId[10] - parent: namespace -} + resource hybridConnection 'hybridConnections@2021-11-01' existing = { + name: splitResourceId[10] -resource authorizationRule 'Microsoft.Relay/namespaces/hybridConnections/authorizationRules@2021-11-01' existing = { - name: sendKeyName - parent: hybridConnection + resource authorizationRule 'authorizationRules@2021-11-01' existing = { + name: sendKeyName + } + } } resource hybridConnectionRelay 'Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays@2022-03-01' = { - name: '${webAppName}/${slotName}/${splitResourceId[8]}/${splitResourceId[10]}' + name: '${webAppName}/${slotName}/${namespace.name}/${namespace::hybridConnection.name}' properties: { - serviceBusNamespace: splitResourceId[8] + serviceBusNamespace: namespace.name serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] - relayName: splitResourceId[10] - relayArmUri: hybridConnection.id - hostname: split(json(hybridConnection.properties.userMetadata)[0].value, ':')[0] - port: int(split(json(hybridConnection.properties.userMetadata)[0].value, ':')[1]) - sendKeyName: authorizationRule.name - sendKeyValue: authorizationRule.listKeys().primaryKey + relayName: namespace::hybridConnection.name + relayArmUri: namespace::hybridConnection.id + hostname: split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[0] + port: int(split(json(namespace::hybridConnection.properties.userMetadata)[0].value, ':')[1]) + sendKeyName: namespace::hybridConnection::authorizationRule.name + sendKeyValue: 
namespace::hybridConnection::authorizationRule.listKeys().primaryKey } } From c6389ff29448aa8fb6a28e2e92a558266ad79b7c Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:22:51 -0400 Subject: [PATCH 52/66] update param name --- .../sites/slots/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index 936a4d5c71..505a393fa7 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -44,7 +44,7 @@ resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { } resource hybridConnectionRelay 'Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays@2022-03-01' = { - name: '${webAppName}/${slotName}/${namespace.name}/${namespace::hybridConnection.name}' + name: '${appName}/${slotName}/${namespace.name}/${namespace::hybridConnection.name}' properties: { serviceBusNamespace: namespace.name serviceBusSuffix: split(substring(namespace.properties.serviceBusEndpoint, indexOf(namespace.properties.serviceBusEndpoint, '.servicebus')), ':')[0] From 22f35b06560174036df0b8df563a6e6abc058719 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Tue, 20 Jun 2023 11:27:22 -0400 Subject: [PATCH 53/66] fixed diag logs allowed --- modules/relay/namespaces/main.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/relay/namespaces/main.bicep b/modules/relay/namespaces/main.bicep index 41a4191da8..9c7178f247 100644 --- a/modules/relay/namespaces/main.bicep +++ b/modules/relay/namespaces/main.bicep @@ -74,6 +74,7 @@ param wcfRelays array = [] @allowed([ 'allLogs' 'OperationalLogs' + 'hybridConnectionsEvent' ]) param diagnosticLogCategoriesToEnable array = [ 'allLogs' From d3dc28ad676aa71ad8c63754adef6efa8b6728b2 Mon Sep 17 00:00:00 2001 
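Review bot: `hostname` and `port` are both taken from `json(namespace::hybridConnection.properties.userMetadata)[0].value`, which assumes the first metadata entry is the endpoint and that its value has the form `host:port`. If the hybrid connection's metadata is empty, ordered differently or holds a value without a colon, the deployment either fails on the index or configures the relay with a host and port that were never intended. Selecting the entry by key would remove the ordering assumption, for example `filter(json(namespace::hybridConnection.properties.userMetadata), e => e.key == 'endpoint')[0].value`, assuming the `endpoint` key used by the test dependencies is the convention. The same expression appears in the non-slot template's `@@ -46,11 +46,11 @@` hunk.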
From: Jeremy Brun Date: Wed, 21 Jun 2023 09:00:28 -0400 Subject: [PATCH 54/66] Update modules/relay/namespaces/wcf-relays/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/wcf-relays/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/metadata.json b/modules/relay/namespaces/wcf-relays/metadata.json index 996b74aaa6..38624f5631 100644 --- a/modules/relay/namespaces/wcf-relays/metadata.json +++ b/modules/relay/namespaces/wcf-relays/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", "name": "WCF Relay", - "summary": "This module deploys a wcf relay resource.", + "summary": "This module deploys a Relay Namespace WCF Relay.", "owner": "Azure/module-maintainers" } From 68984ddabdcffb59f297f73bdd1abb3105622026 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:00:34 -0400 Subject: [PATCH 55/66] Update modules/relay/namespaces/wcf-relays/metadata.json Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/relay/namespaces/wcf-relays/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/relay/namespaces/wcf-relays/metadata.json b/modules/relay/namespaces/wcf-relays/metadata.json index 38624f5631..97d1f1e0b7 100644 --- a/modules/relay/namespaces/wcf-relays/metadata.json +++ b/modules/relay/namespaces/wcf-relays/metadata.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-metadata-file-schema-v2#", - "name": "WCF Relay", + "name": "Relay Namespace WCF Relays", "summary": "This module deploys a Relay Namespace WCF Relay.", "owner": "Azure/module-maintainers" } From 347b1f0d3c573bffb7eeaa03720f2cc76b2daf7e Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Wed, 21 Jun 2023 09:02:20 -0400 Subject: [PATCH 56/66] Update modules/web/sites/.test/webAppCommon/dependencies.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/.test/webAppCommon/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/.test/webAppCommon/dependencies.bicep b/modules/web/sites/.test/webAppCommon/dependencies.bicep index 88fc4d8ea6..34a5252c06 100644 --- a/modules/web/sites/.test/webAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/webAppCommon/dependencies.bicep @@ -11,7 +11,7 @@ param managedIdentityName string param serverFarmName string @description('Required. The name of the Relay Namespace to create.') -param namespaceName string +param relayNamespaceName string @description('Required. The name of the Hybrid Connection to create.') param hybridConnectionName string From 67c0437464655eee63b34878e01652a8dc1850ed Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:02:30 -0400 Subject: [PATCH 57/66] Update modules/web/sites/slots/config--appsettings/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/slots/config--appsettings/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/config--appsettings/main.bicep b/modules/web/sites/slots/config--appsettings/main.bicep index 20f444436d..a38f1519c4 100644 --- a/modules/web/sites/slots/config--appsettings/main.bicep +++ b/modules/web/sites/slots/config--appsettings/main.bicep 
@@ -59,7 +59,7 @@ resource app 'Microsoft.Web/sites@2022-03-01' existing = { } } -resource appInsight 'microsoft.insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { +resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { name: last(split(appInsightResourceId, '/'))! scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) } From d618dbd32d2217a8c2ece33da2e006e22401d431 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:03:06 -0400 Subject: [PATCH 58/66] Update modules/web/sites/.test/webAppCommon/dependencies.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/.test/webAppCommon/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/.test/webAppCommon/dependencies.bicep b/modules/web/sites/.test/webAppCommon/dependencies.bicep index 34a5252c06..ea7d3a2349 100644 --- a/modules/web/sites/.test/webAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/webAppCommon/dependencies.bicep @@ -72,7 +72,7 @@ resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = { properties: {} } -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = { +resource relayNamespace 'Microsoft.Relay/namespaces@2021-11-01' = { name: namespaceName location: location sku: { From c14ecbc8a5b0872488fc7cd8711c2a0b38ea348e Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:03:22 -0400 Subject: [PATCH 59/66] Update modules/web/sites/.test/webAppCommon/main.test.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/.test/webAppCommon/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/.test/webAppCommon/main.test.bicep b/modules/web/sites/.test/webAppCommon/main.test.bicep index 120235fe90..ed51e60a71 100644 
--- a/modules/web/sites/.test/webAppCommon/main.test.bicep +++ b/modules/web/sites/.test/webAppCommon/main.test.bicep @@ -35,7 +35,7 @@ module nestedDependencies 'dependencies.bicep' = { virtualNetworkName: 'dep-<>-vnet-${serviceShort}' managedIdentityName: 'dep-<>-msi-${serviceShort}' serverFarmName: 'dep-<>-sf-${serviceShort}' - namespaceName: 'dep-<>-ns-${serviceShort}' + relayNamespaceName: 'dep-<>-ns-${serviceShort}' hybridConnectionName: 'dep-<>-hc-${serviceShort}' } } From 9730a7e2fbc681ed5e161b9d8fc46cac36f74f9a Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:06:36 -0400 Subject: [PATCH 60/66] Update modules/web/sites/config--appsettings/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/sites/config--appsettings/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/config--appsettings/main.bicep b/modules/web/sites/config--appsettings/main.bicep index 0940137f1a..c82764b9bb 100644 --- a/modules/web/sites/config--appsettings/main.bicep +++ b/modules/web/sites/config--appsettings/main.bicep @@ -52,7 +52,7 @@ resource app 'Microsoft.Web/sites@2022-03-01' existing = { name: appName } -resource appInsight 'microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { +resource appInsight 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(appInsightResourceId)) { name: last(split(appInsightResourceId, '/'))! scope: resourceGroup(split(appInsightResourceId, '/')[2], split(appInsightResourceId, '/')[4]) } From 4d70bd6b4696835b34c3a972e16616df704907b7 Mon Sep 17 00:00:00 2001 
From: Jeremy Brun Date: Wed, 21 Jun 2023 09:07:14 -0400 Subject: [PATCH 61/66] Update modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../sites/slots/hybrid-connection-namespaces/relays/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index 505a393fa7..698f506fd8 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -1,7 +1,7 @@ @description('Required. The resource ID of the relay namespace hybrid connection.') param hybridConnectionResourceId string -@description('Required. Slot name to be configured.') +@description('Conditional. The name of the site slot. Required if the template is used in a standalone deployment.') param slotName string @description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') From 961c097d07ad29845ad11a971ab04405c5120cb9 Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:12:39 -0400 Subject: [PATCH 62/66] cleanup and add outputs --- modules/relay/namespaces/.test/common/dependencies.bicep | 3 --- modules/web/sites/.test/webAppCommon/dependencies.bicep | 4 ++-- .../sites/hybrid-connection-namespaces/relays/main.bicep | 9 +++++++++ .../slots/hybrid-connection-namespaces/relays/main.bicep | 9 +++++++++ 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/modules/relay/namespaces/.test/common/dependencies.bicep b/modules/relay/namespaces/.test/common/dependencies.bicep index e551480248..4df36073d0 100644 --- a/modules/relay/namespaces/.test/common/dependencies.bicep +++ b/modules/relay/namespaces/.test/common/dependencies.bicep 
@@ -56,8 +56,5 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id - @description('The resource ID of the created Private DNS Zone.') output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/web/sites/.test/webAppCommon/dependencies.bicep b/modules/web/sites/.test/webAppCommon/dependencies.bicep index 88fc4d8ea6..52752623a2 100644 --- a/modules/web/sites/.test/webAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/webAppCommon/dependencies.bicep @@ -11,7 +11,7 @@ param managedIdentityName string param serverFarmName string @description('Required. The name of the Relay Namespace to create.') -param namespaceName string +param relayNamespaceName string @description('Required. The name of the Hybrid Connection to create.') param hybridConnectionName string @@ -73,7 +73,7 @@ resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = { } resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = { - name: namespaceName + name: relayNamespaceName location: location sku: { name: 'Standard' diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep index 13490ba328..3b8750ff03 100644 --- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep 
@@ -54,5 +54,14 @@ resource hybridConnectionRelay 'Microsoft.Web/sites/hybridConnectionNamespaces/r } } +// =========== // +// Outputs // +// =========== // +@description('The name of the hybrid connection relay..') +output name string = hybridConnectionRelay.name + +@description('The resource ID of the hybrid connection relay.') +output resourceId string = hybridConnectionRelay.id + @description('The name of the resource group the resource was deployed into.') output resourceGroupName string = resourceGroup().name diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep index 505a393fa7..14ecf0255e 100644 --- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep +++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep @@ -57,5 +57,14 @@ resource hybridConnectionRelay 'Microsoft.Web/sites/slots/hybridConnectionNamesp } } +// =========== // +// Outputs // +// =========== // +@description('The name of the hybrid connection relay..') +output name string = hybridConnectionRelay.name + +@description('The resource ID of the hybrid connection relay.') +output resourceId string = hybridConnectionRelay.id + @description('The name of the resource group the resource was deployed into.') output resourceGroupName string = resourceGroup().name From 4a5a87e0b525728861303af948ba837ebd2bc07c Mon Sep 17 00:00:00 2001 From: Jeremy Brun Date: Wed, 21 Jun 2023 09:16:38 -0400 Subject: [PATCH 63/66] further cleanup --- modules/web/sites/.test/webAppCommon/dependencies.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/web/sites/.test/webAppCommon/dependencies.bicep b/modules/web/sites/.test/webAppCommon/dependencies.bicep index 52752623a2..1642941bfb 100644 --- a/modules/web/sites/.test/webAppCommon/dependencies.bicep +++ b/modules/web/sites/.test/webAppCommon/dependencies.bicep 
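Review bot: The description on the new `name` output ends in a double period, `'The name of the hybrid connection relay..'`; it should read `@description('The name of the hybrid connection relay.')`. The slots template hunk on the same line of this page (`@@ -57,5 +57,14 @@`) carries the same typo.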
@@ -72,7 +72,7 @@ resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
 properties: {}
 }
-resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = {
+resource relayNamespace 'Microsoft.Relay/namespaces@2021-11-01' = {
 name: relayNamespaceName
 location: location
 sku: {
@@ -83,7 +83,7 @@ resource namespace 'Microsoft.Relay/namespaces@2021-11-01' = {
 resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' = {
 name: hybridConnectionName
- parent: namespace
+ parent: relayNamespace
 properties: {
 requiresClientAuthorization: true
 userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]'
From 138f82664bee73d42bbe1507e1a45e9b69a5a291 Mon Sep 17 00:00:00 2001
From: Jeremy Brun
Date: Wed, 21 Jun 2023 09:42:36 -0400
Subject: [PATCH 64/66] standardize param usage
---
 .../sites/hybrid-connection-namespaces/relays/main.bicep | 8 +++-----
 .../slots/hybrid-connection-namespaces/relays/main.bicep | 8 +++-----
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep
index 3b8750ff03..62a4bedcea 100644
--- a/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep
+++ b/modules/web/sites/hybrid-connection-namespaces/relays/main.bicep
@@ -13,8 +13,6 @@ param location string = resourceGroup().location
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var splitResourceId = split(hybridConnectionResourceId, '/')
-
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -28,11 +26,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: splitResourceId[8]
- scope: resourceGroup(splitResourceId[2], splitResourceId[4])
+ name: split(hybridConnectionResourceId, '/')[8]
+ scope: resourceGroup(split(hybridConnectionResourceId, '/')[2], split(hybridConnectionResourceId, '/')[4])
 resource hybridConnection 'hybridConnections@2021-11-01' existing = {
- name: splitResourceId[10]
+ name: split(hybridConnectionResourceId, '/')[10]
 resource authorizationRule 'authorizationRules@2021-11-01' existing = {
 name: sendKeyName
diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep
index 1a6201c6af..e2b5416953 100644
--- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep
+++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/main.bicep
@@ -16,8 +16,6 @@ param location string = resourceGroup().location
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var splitResourceId = split(hybridConnectionResourceId, '/')
-
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
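Review bot: The inlined `split(hybridConnectionResourceId, '/')` lookups at `[2]`, `[4]`, `[8]` and `[10]` assume the parameter is a full hybrid-connection resource ID, and nothing in the hunk documents or checks that shape. Those positions supply the subscription and resource group that scope the `existing` namespace, and the namespace and hybrid connection under which the `authorizationRule` named by `sendKeyName` is looked up. An ID of any other shape would presumably either fail at deployment or resolve to a different resource than the caller meant. I would add a comment above the resource, `// hybridConnectionResourceId: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Relay/namespaces/{ns}/hybridConnections/{hc} -> [2]=sub, [4]=rg, [8]=ns, [10]=hc`, and state the expected format in the parameter's `@description`. The same applies to the slots `relays/main.bicep` hunk at `@@ -31,11 +29,11 @@`; the `namespace` resource body continues outside both hunks.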
@@ -31,11 +29,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = {
- name: splitResourceId[8]
- scope: resourceGroup(splitResourceId[2], splitResourceId[4])
+ name: split(hybridConnectionResourceId, '/')[8]
+ scope: resourceGroup(split(hybridConnectionResourceId, '/')[2], split(hybridConnectionResourceId, '/')[4])
 resource hybridConnection 'hybridConnections@2021-11-01' existing = {
- name: splitResourceId[10]
+ name: split(hybridConnectionResourceId, '/')[10]
 resource authorizationRule 'authorizationRules@2021-11-01' existing = {
 name: sendKeyName
From 48eba1b40e78b29218b11d4be182839a535ac0e0 Mon Sep 17 00:00:00 2001
From: Jeremy Brun
Date: Wed, 21 Jun 2023 09:51:52 -0400
Subject: [PATCH 65/66] updates to sites readme
---
 .../hybrid-connection-namespaces/relays/README.md | 6 ++++--
 .../hybrid-connection-namespaces/relays/README.md | 12 +++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/modules/web/sites/hybrid-connection-namespaces/relays/README.md b/modules/web/sites/hybrid-connection-namespaces/relays/README.md
index 3bce7a338a..6a1e92b3e8 100644
--- a/modules/web/sites/hybrid-connection-namespaces/relays/README.md
+++ b/modules/web/sites/hybrid-connection-namespaces/relays/README.md
@@ -21,13 +21,13 @@ This module deploys a Site Hybrid Connection Namespace Relay.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `resourceId` | string | The resource id of the resource. |
+| `hybridConnectionResourceId` | string | The resource ID of the relay namespace hybrid connection. |
 **Conditional parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `webAppName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
+| `appName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
 **Optional parameters**
@@ -42,7 +42,9 @@ This module deploys a Site Hybrid Connection Namespace Relay.
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
+| `name` | string | The name of the hybrid connection relay.. |
 | `resourceGroupName` | string | The name of the resource group the resource was deployed into. |
+| `resourceId` | string | The resource ID of the hybrid connection relay. |
 ## Cross-referenced modules
diff --git a/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md b/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md
index cd7eeeb13a..cad4fbb37d 100644
--- a/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md
+++ b/modules/web/sites/slots/hybrid-connection-namespaces/relays/README.md
@@ -1,6 +1,6 @@
-# Web/Function Apps Hybrid Connection Relay `[Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays]`
+# Web/Function Apps Slot Hybrid Connection Relay `[Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays]`
-This module configures a web or function app with a hybrid connection relay.
+This module deploys a Site Slot Hybrid Connection Namespace Relay.
 ## Navigation
@@ -21,14 +21,14 @@ This module configures a web or function app with a hybrid connection relay.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `resourceId` | string | The resource id of the resource. |
-| `slotName` | string | Slot name to be configured. |
+| `hybridConnectionResourceId` | string | The resource ID of the relay namespace hybrid connection. |
 **Conditional parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `webAppName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
+| `appName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
+| `slotName` | string | The name of the site slot. Required if the template is used in a standalone deployment. |
 **Optional parameters**
@@ -43,7 +43,9 @@ This module configures a web or function app with a hybrid connection relay.
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
+| `name` | string | The name of the hybrid connection relay.. |
 | `resourceGroupName` | string | The name of the resource group the resource was deployed into. |
+| `resourceId` | string | The resource ID of the hybrid connection relay. |
 ## Cross-referenced modules
From c21330d160bd80970c8ebe4e0e1e591867d283b9 Mon Sep 17 00:00:00 2001
From: Jeremy Brun
Date: Wed, 21 Jun 2023 09:53:23 -0400
Subject: [PATCH 66/66] updates to relay readmes
---
 modules/relay/namespaces/README.md | 30 +++++++++----------
 .../namespaces/hybrid-connections/README.md | 8 ++---
 .../authorization-rules/README.md | 4 +--
 .../namespaces/network-rule-sets/README.md | 2 +-
 modules/relay/namespaces/wcf-relays/README.md | 2 +-
 .../wcf-relays/authorization-rules/README.md | 2 +-
 6 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/modules/relay/namespaces/README.md b/modules/relay/namespaces/README.md
index 1ec0e00527..6bde94f50b 100644
--- a/modules/relay/namespaces/README.md
+++ b/modules/relay/namespaces/README.md
@@ -1,6 +1,6 @@
 # Relay Namespaces `[Microsoft.Relay/namespaces]`
-This module deploys a Relay Namespace.
+This module deploys a Relay Namespace
 ## Navigation
@@ -42,7 +42,7 @@ This module deploys a Relay Namespace.
 | `authorizationRules` | _[authorizationRules](authorization-rules/README.md)_ array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay namespace. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, OperationalLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
+| `diagnosticLogCategoriesToEnable` | array | `[allLogs, hybridConnectionsEvent]` | `[allLogs, hybridConnectionsEvent, OperationalLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
 | `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
@@ -292,10 +292,10 @@ The following module usage examples are retrieved from the content of the files
 ```bicep
 module namespaces './relay/namespaces/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-relcom'
+ name: '${uniqueString(deployment().name, location)}-test-rncom'
 params: {
 // Required parameters
- name: '<>relcom001'
+ name: '<>rncom001'
 // Non-required parameters
 authorizationRules: [
 {
@@ -322,7 +322,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 enableDefaultTelemetry: ''
 hybridConnections: [
 {
- name: '<>relcomhc001'
+ name: '<>rncomhc001'
 roleAssignments: [
 {
 principalIds: [
@@ -389,7 +389,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 }
 wcfRelays: [
 {
- name: '<>relcomwcf001'
+ name: '<>rncomwcf001'
 relayType: 'NetTcp'
 roleAssignments: [
 {
@@ -420,7 +420,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "<>relcom001"
+ "value": "<>rncom001"
 },
 // Non-required parameters
 "authorizationRules": {
@@ -463,7 +463,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 "hybridConnections": {
 "value": [
 {
- "name": "<>relcomhc001",
+ "name": "<>rncomhc001",
 "roleAssignments": [
 {
 "principalIds": [
@@ -544,7 +544,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 "wcfRelays": {
 "value": [
 {
- "name": "<>relcomwcf001",
+ "name": "<>rncomwcf001",
 "relayType": "NetTcp",
 "roleAssignments": [
 {
@@ -573,10 +573,10 @@ module namespaces './relay/namespaces/main.bicep' = {
 ```bicep
 module namespaces './relay/namespaces/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-sbnmin'
+ name: '${uniqueString(deployment().name, location)}-test-rnmin'
 params: {
 // Required parameters
- name: '<>sbnmin001'
+ name: '<>rnmin001'
 // Non-required parameters
 enableDefaultTelemetry: ''
 }
@@ -597,7 +597,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "<>sbnmin001"
+ "value": "<>rnmin001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
@@ -618,10 +618,10 @@ module namespaces './relay/namespaces/main.bicep' = {
 ```bicep
 module namespaces './relay/namespaces/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-sbnpe'
+ name: '${uniqueString(deployment().name, location)}-test-rnpe'
 params: {
 // Required parameters
- name: '<>sbnpe001'
+ name: '<>rnpe001'
 // Non-required parameters
 enableDefaultTelemetry: ''
 privateEndpoints: [
@@ -662,7 +662,7 @@ module namespaces './relay/namespaces/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "<>sbnpe001"
+ "value": "<>rnpe001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
diff --git a/modules/relay/namespaces/hybrid-connections/README.md b/modules/relay/namespaces/hybrid-connections/README.md
index 025942234e..6b0c0fd16d 100644
--- a/modules/relay/namespaces/hybrid-connections/README.md
+++ b/modules/relay/namespaces/hybrid-connections/README.md
@@ -1,4 +1,4 @@
-# Hybrid Connection Relay `[Microsoft.Relay/namespaces/hybridConnections]`
+# Relay Namespace Hybrid Connections `[Microsoft.Relay/namespaces/hybridConnections]`
 This module deploys a Relay Namespace Hybrid Connection.
@@ -24,8 +24,8 @@ This module deploys a Relay Namespace Hybrid Connection.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Relay Hybrid Connection. |
-| `userMetadata` | string | User-defined string data for the Relay Hybrid Connection. |
+| `name` | string | The name of the hybrid connection. |
+| `userMetadata` | string | The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. |
 **Conditional parameters**
@@ -40,7 +40,7 @@ This module deploys a Relay Namespace Hybrid Connection.
 | `authorizationRules` | _[authorizationRules](authorization-rules/README.md)_ array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay Hybrid Connection. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `requiresClientAuthorization` | bool | `True` | | A value indicating if this hybrid connection requires duplicate detection. |
+| `requiresClientAuthorization` | bool | `True` | | A value indicating if this hybrid connection requires client authorization. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
diff --git a/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md
index 1beabcd068..cd97c6739b 100644
--- a/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md
+++ b/modules/relay/namespaces/hybrid-connections/authorization-rules/README.md
@@ -1,4 +1,4 @@
-# Hybrid Connection Relay Authorization Rules `[Microsoft.Relay/namespaces/hybridConnections/authorizationRules]`
+# Hybrid Connection Authorization Rules `[Microsoft.Relay/namespaces/hybridConnections/authorizationRules]`
 This module deploys a Hybrid Connection Authorization Rule.
@@ -21,7 +21,7 @@ This module deploys a Hybrid Connection Authorization Rule.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the relay namepace hybrid connection. |
+| `name` | string | The name of the authorization rule. |
 **Conditional parameters**
diff --git a/modules/relay/namespaces/network-rule-sets/README.md b/modules/relay/namespaces/network-rule-sets/README.md
index 67cefac177..dbca72dddb 100644
--- a/modules/relay/namespaces/network-rule-sets/README.md
+++ b/modules/relay/namespaces/network-rule-sets/README.md
@@ -1,4 +1,4 @@
-# Relay Namespaces Network Rules Sets `[Microsoft.Relay/namespaces/networkRuleSets]`
+# Relay Namespace Network Rules Sets `[Microsoft.Relay/namespaces/networkRuleSets]`
 This module deploys a Relay Namespace Network Rule Set.
diff --git a/modules/relay/namespaces/wcf-relays/README.md b/modules/relay/namespaces/wcf-relays/README.md
index a328bf6276..495e2f4fa2 100644
--- a/modules/relay/namespaces/wcf-relays/README.md
+++ b/modules/relay/namespaces/wcf-relays/README.md
@@ -1,4 +1,4 @@
-# WCF Relay `[Microsoft.Relay/namespaces/wcfRelays]`
+# Relay Namespace WCF Relays `[Microsoft.Relay/namespaces/wcfRelays]`
 This module deploys a Relay Namespace WCF Relay.
diff --git a/modules/relay/namespaces/wcf-relays/authorization-rules/README.md b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md
index 90e83395a2..bbdd6020cd 100644
--- a/modules/relay/namespaces/wcf-relays/authorization-rules/README.md
+++ b/modules/relay/namespaces/wcf-relays/authorization-rules/README.md
@@ -21,7 +21,7 @@ This module deploys a WCF Relay Authorization Rule.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the relay namepace wcf relay. |
+| `name` | string | The name of the authorization rule. |
 **Conditional parameters**