From 784fd04c31e7440610b92fe362091942305c826f Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 20:40:28 +0200
Subject: [PATCH 01/20] Rollback of unrelated changes
---
modules/web/site/README.md | 792 ++++++++----------
.../web/site/config--appsettings/README.md | 25 +-
.../web/site/config--authsettingsv2/README.md | 32 -
modules/web/site/slot/README.md | 126 +--
.../site/slot/config--appsettings/README.md | 58 +-
.../slot/config--authsettingsv2/README.md | 32 -
modules/web/static-site/README.md | 503 ++++++-----
.../web/static-site/custom-domain/README.md | 7 +-
.../web/static-site/custom-domain/main.json | 8 +-
modules/web/static-site/main.json | 40 +-
10 files changed, 703 insertions(+), 920 deletions(-)
diff --git a/modules/web/site/README.md b/modules/web/site/README.md
index 089772fd28..ee1dc1b436 100644
--- a/modules/web/site/README.md
+++ b/modules/web/site/README.md
@@ -90,340 +90,6 @@ This module deploys a Web or Function App. | `vnetImagePullEnabled` | bool | `False` | | To enable pulling image over Virtual Network. | | `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | - -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -
- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' -} -``` - -
-

- -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- -### Parameter Usage: `siteConfig` - -The site config. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1075,128 +741,402 @@ module site './web/site/main.bicep' = { "slots": { "value": [ { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", - "hybridConnectionRelays": [ - { - "resourceId": "", - "sendKeyName": "defaultSender" - } - ], - "name": "slot1", - "privateEndpoints": [ + "diagnosticEventHubAuthorizationRuleId": "", + "diagnosticEventHubName": "", + "diagnosticStorageAccountId": "", + "diagnosticWorkspaceId": "", + "hybridConnectionRelays": [ + { + "resourceId": "", + "sendKeyName": "defaultSender" + } + ], + "name": "slot1", + "privateEndpoints": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "sites", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ], + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "siteConfig": { + "alwaysOn": true, + "metadata": [ + { + "name": "CURRENT_STACK", + "value": "dotnetcore" + } + ] + } + }, + { + "name": "slot2" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "vnetContentShareEnabled": { + "value": true + }, + "vnetImagePullEnabled": { + "value": true + }, + "vnetRouteAllEnabled": { + "value": true + } + } +} +``` + + +

+ +

Example 4: Webappmin

+ +
+ +via Bicep module + +```bicep +module site './web/site/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-wswamin' + params: { + // Required parameters + kind: 'app' + name: 'wswamin001' + serverFarmResourceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "app" + }, + "name": { + "value": "wswamin001" + }, + "serverFarmResourceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +## Notes + + +### Parameter Usage: `appSettingsKeyValuePairs` + +AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). +For all other app settings key-value pairs use this object. + +

+ +Parameter JSON format + +```json +"appSettingsKeyValuePairs": { + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' ] - }, - "service": "sites", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } - ], - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' } - ], - "siteConfig": { - "alwaysOn": true, - "metadata": [ - { - "name": "CURRENT_STACK", - "value": "dotnetcore" - } - ] } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] }, { - "name": "slot2" + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" } - ] - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, - "vnetContentShareEnabled": { - "value": true - }, - "vnetImagePullEnabled": { - "value": true - }, - "vnetRouteAllEnabled": { - "value": true - } - } + ] } ``` +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` +

-

Example 4: Webappmin

+### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value.
-via Bicep module +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format ```bicep -module site './web/site/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-wswamin' - params: { - // Required parameters - kind: 'app' - name: 'wswamin001' - serverFarmResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' } ```

+### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "app" - }, - "name": { - "value": "wswamin001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} } - } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ```
diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md
index 7400841fc1..9d41d316d6 100644
--- a/modules/web/site/config--appsettings/README.md
+++ b/modules/web/site/config--appsettings/README.md
@@ -39,6 +39,19 @@ This module deploys a Site App Setting. | `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the site config. | +| `resourceGroupName` | string | The resource group the site config was deployed into. | +| `resourceId` | string | The resource ID of the site config. | + +## Cross-referenced modules + +_None_ + +## Notes ### Parameter Usage: `appSettingsKeyValuePairs`
@@ -85,15 +98,3 @@ appSettingsKeyValuePairs: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the site config. | -| `resourceGroupName` | string | The resource group the site config was deployed into. | -| `resourceId` | string | The resource ID of the site config. | - -## Cross-referenced modules - -_None_
diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md
index 827a7b7b85..1b41f1e041 100644
--- a/modules/web/site/config--authsettingsv2/README.md
+++ b/modules/web/site/config--authsettingsv2/README.md
@@ -36,38 +36,6 @@ This module deploys a Site Auth Settings V2 Configuration. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md
index 3e3340731a..abfd53c9aa 100644
--- a/modules/web/site/slot/README.md
+++ b/modules/web/site/slot/README.md
@@ -8,6 +8,7 @@ This module deploys a Web or Function App Deployment Slot. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types
@@ -89,65 +90,44 @@ This module deploys a Web or Function App Deployment Slot. | `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -

- -Parameter JSON format +## Outputs -```json -"appSettingsKeyValuePairs": { - "value": [ - { - "name": "key1", - "value": "val1" - }, - { - "name": "key2", - "value": "val2" - } - ] -} -``` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the slot. | +| `resourceGroupName` | string | The resource group the slot was deployed into. | +| `resourceId` | string | The resource ID of the slot. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -
+## Cross-referenced modules -
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -Bicep format +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -```bicep -appSettingsKeyValuePairs: [ - { - name: 'key1' - value: 'val1' - } - { - name: 'key2' - value: 'val2' - } -] -``` +## Notes -
-

-### Parameter Usage: `authSettingV2Configuration` +### Parameter Usage: `appSettingsKeyValuePairs` -The auth settings V2 configuration. +AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). +For all other app settings key-value pairs use this object.

Parameter JSON format ```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] +"appSettingsKeyValuePairs": { + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } } ``` @@ -158,42 +138,14 @@ The auth settings V2 configuration. Bicep format ```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- -### Parameter Usage: `siteConfig` - -The site config. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties - ] +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' } ``` -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties -] -``` -

@@ -429,21 +381,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the slot. | -| `resourceGroupName` | string | The resource group the slot was deployed into. | -| `resourceId` | string | The resource ID of the slot. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference |
diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md
index 1b098e1a68..7cc2fda84d 100644
--- a/modules/web/site/slot/config--appsettings/README.md
+++ b/modules/web/site/slot/config--appsettings/README.md
@@ -40,6 +40,19 @@ This module deploys a Site Slot App Setting. | `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the slot config. | +| `resourceGroupName` | string | The resource group the slot config was deployed into. | +| `resourceId` | string | The resource ID of the slot config. | + +## Cross-referenced modules + +_None_ + +## Notes ### Parameter Usage: `appSettingsKeyValuePairs`
@@ -52,16 +65,12 @@ For all other app settings key-value pairs use this object. ```json "appSettingsKeyValuePairs": { - "value": [ - { - "name": "key1", - "value": "val1" - }, - { - "name": "key2", - "value": "val2" - } - ] + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } } ``` @@ -72,29 +81,16 @@ For all other app settings key-value pairs use this object.

Bicep format ```bicep -appSettingsKeyValuePairs: [ - { - name: 'key1' - value: 'val1' - } - { - name: 'key2' - value: 'val2' - } -] +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' +} ```

-## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the slot config. | -| `resourceGroupName` | string | The resource group the slot config was deployed into. | -| `resourceId` | string | The resource ID of the slot config. | - -## Cross-referenced modules - -_None_ + +

diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index 1af48618ea..a89722f8d7 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md @@ -37,38 +37,6 @@ This module deploys a Site Auth Settings V2 Configuration. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | - -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index b58b5ceebf..b471b37790 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -9,6 +9,7 @@ This module deploys a Static Web App. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -59,272 +60,6 @@ This module deploys a Static Web App. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `customDomains` - -

- -Parameter JSON format - -```json -"customDomains": { - "value": [ - "[[namePrefix]]domain1.domain", - "[[namePrefix]]domain2.domain.domain", - "[[namePrefix]]domain3.domain.domain.domain" - ] -} -``` - -
- -
- -Bicep format - -```bicep -customDomains: [ - 'carmldomain1.domain' - 'carmldomain2.domain.domain' - 'carmldomain3.domain.domain.domain' -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -566,3 +301,239 @@ module staticSite './web/static-site/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/web/static-site/custom-domain/README.md b/modules/web/static-site/custom-domain/README.md index 7f5142d327..cd8472bbfe 100644 --- a/modules/web/static-site/custom-domain/README.md +++ b/modules/web/static-site/custom-domain/README.md @@ -17,11 +17,16 @@ This module deploys a Static Web App Site Custom Domain. ## Parameters +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The custom domain name. | + **Conditional parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The custom domain name. Required if the template is used in a standalone deployment. | | `staticSiteName` | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | **Optional parameters** diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index df87e1cfb4..a5feab3051 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12334533883169216576" + "version": "0.22.6.54827", + "templateHash": "13208835708722733896" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -15,7 +15,7 @@ "name": { "type": "string", "metadata": { - "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." + "description": "Required. The custom domain name." } }, "staticSiteName": { @@ -93,4 +93,4 @@ "value": "[resourceGroup().name]" } } -} \ No newline at end of file +} diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 3cdbd085fd..2d77bd8b8b 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18252581681683363361" + "version": "0.22.6.54827", + "templateHash": "12872096460250206815" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", @@ -279,8 +279,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16239200301217299333" + "version": "0.22.6.54827", + "templateHash": "13553590806488370796" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", @@ -412,8 +412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14542116541399181875" + "version": "0.22.6.54827", + "templateHash": "8340850851413090940" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -538,8 +538,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14542116541399181875" + "version": "0.22.6.54827", + "templateHash": "8340850851413090940" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -665,8 +665,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8695148534740362749" + "version": "0.22.6.54827", + "templateHash": "13208835708722733896" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -676,7 +676,7 @@ "name": { "type": "string", "metadata": { - "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." + "description": "Required. The custom domain name." } }, "staticSiteName": { 
@@ -790,8 +790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10006606949676096242" + "version": "0.22.6.54827", + "templateHash": "3353684850635934919" } }, "parameters": { @@ -901,8 +901,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1101,8 +1101,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1239,8 +1239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1464,4 +1464,4 @@ "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01').defaultHostname]" } } -} \ No newline at end of file +} From 1520fd4d07f617aef9ba069aa94c99c8b7a92a3a Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 20:43:30 +0200 Subject: [PATCH 02/20] Rollback of unrelated changes --- modules/web/static-site/custom-domain/main.json | 6 +++--- modules/web/static-site/main.json | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index a5feab3051..a4ca3dc072 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13208835708722733896" + "templateHash": "11845486297135693244" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -15,7 +15,7 @@ "name": { "type": "string", "metadata": { - "description": "Required. The custom domain name." + "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." } }, "staticSiteName": { @@ -93,4 +93,4 @@ "value": "[resourceGroup().name]" } } -} +} \ No newline at end of file diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 2d77bd8b8b..8017ef3dbb 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12872096460250206815" + "templateHash": "6701608202439896587" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", @@ -666,7 +666,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13208835708722733896" + "templateHash": "11845486297135693244" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -676,7 +676,7 @@ "name": { "type": "string", "metadata": { - "description": "Required. The custom domain name." + "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." } }, "staticSiteName": { @@ -1464,4 +1464,4 @@ "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01').defaultHostname]" } } -} +} \ No newline at end of file From e60a4c04b2e254877c8380756a8e872a60a49265 Mon Sep 17 00:00:00 2001 
From: AlexanderSehr Date: Thu, 12 Oct 2023 20:44:39 +0200 Subject: [PATCH 03/20] Update to latest --- modules/web/static-site/main.json | 38 +++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 8017ef3dbb..007032280a 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6701608202439896587" + "version": "0.21.1.54444", + "templateHash": "18252581681683363361" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", @@ -279,8 +279,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13553590806488370796" + "version": "0.21.1.54444", + "templateHash": "16239200301217299333" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", @@ -412,8 +412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8340850851413090940" + "version": "0.21.1.54444", + "templateHash": "14542116541399181875" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -538,8 +538,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8340850851413090940" + "version": "0.21.1.54444", + "templateHash": "14542116541399181875" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", 
@@ -665,8 +665,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11845486297135693244" + "version": "0.21.1.54444", + "templateHash": "8695148534740362749" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -790,8 +790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3353684850635934919" + "version": "0.21.1.54444", + "templateHash": "10006606949676096242" } }, "parameters": { @@ -901,8 +901,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "version": "0.21.1.54444", + "templateHash": "14580007913383558904" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1101,8 +1101,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "version": "0.21.1.54444", + "templateHash": "2469208411936339153" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1239,8 +1239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14351187799927334028" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -1464,4 +1464,4 @@ "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01').defaultHostname]" } } -} \ No newline at end of file +} From 77d189ba87b2b0ba7590e6e44c32a58f8a7c8a8f Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 20:44:58 +0200 Subject: [PATCH 04/20] Update to latest --- modules/web/static-site/custom-domain/main.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index a4ca3dc072..376ae2ed30 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11845486297135693244" + "version": "0.20.4.51522", + "templateHash": "12334533883169216576" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -93,4 +93,4 @@ "value": "[resourceGroup().name]" } } -} \ No newline at end of file +} From 3e4980488d2d22a6d69df517d87dc19b69228c84 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 20:53:48 +0200 Subject: [PATCH 05/20] Update to latest --- modules/web/static-site/custom-domain/main.json | 2 +- modules/web/static-site/main.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index 376ae2ed30..df87e1cfb4 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json @@ -93,4 +93,4 @@ "value": "[resourceGroup().name]" } } -} +} \ No newline at end of file diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 007032280a..3cdbd085fd 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -1464,4 +1464,4 @@ "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01').defaultHostname]" } } -} +} \ No newline at end of file From 269aa572ff27ffb5fd176ceb60537abe153400fa Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 20:58:04 +0200 Subject: [PATCH 06/20] Serverfarm --- modules/web/serverfarm/README.md | 240 +++++++++++++------------------ 1 file changed, 102 insertions(+), 138 deletions(-) 
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 21bd28da66..2897e382ae 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -52,144 +52,6 @@ This module deploys an App Service Plan. | `workerTierName` | string | `''` | | Target worker tier assigned to the App Service plan. | | `zoneRedundant` | bool | `False` | | When true, this App Service Plan will perform availability zone balancing. | - -### Parameter Usage: `sku` - -

- -Parameter JSON format - -```json -"sku": { - "value": { - "name": "P1v2", - "tier": "PremiumV2", - "size": "P1v2", - "family": "Pv2", - "capacity": 1 - } -} -``` - -
- -
- -Bicep format - -```bicep -sku: { - name: 'P1v2' - tier: 'PremiumV2' - size: 'P1v2' - family: 'Pv2' - capacity: 1 -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -322,3 +184,105 @@ module serverfarm './web/serverfarm/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From bfacc9b8959ae0bb73edb874c603dba3b19a02fd Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:04:35 +0200 Subject: [PATCH 07/20] host env --- modules/web/hosting-environment/README.md | 304 ++++++++++------------ 1 file changed, 135 insertions(+), 169 deletions(-) diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 54a3e74821..02ad018a42 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -70,175 +70,6 @@ This module deploys an App Service Environment. | `userWhitelistedIpRanges` | array | `[]` | | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | | `zoneRedundant` | bool | `False` | | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | - -### Parameter Usage: `clusterSettings` - -

- -Parameter JSON format - -```json -"clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] -} -``` - -
- - -
- -Bicep format - -```bicep -clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } -] -``` - -
- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -568,3 +399,138 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

From e4c1e2e7ad599fa942b81b8627bd4ca1d1bf4923 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:07:49 +0200 Subject: [PATCH 08/20] IT --- .../image-template/README.md | 689 +++++++++--------- 1 file changed, 345 insertions(+), 344 deletions(-) diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 03c7dc9eb8..104d657411 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -59,117 +59,394 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to generate a unique image template name. | +## Outputs -### Parameter Usage: `imageSource` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The full name of the deployed image template. | +| `namePrefix` | string | The prefix of the image template name provided as input. | +| `resourceGroupName` | string | The resource group the image template was deployed into. | +| `resourceId` | string | The resource ID of the image template. | +| `runThisCommand` | string | The command to run in order to trigger the image build. | -Tag names and tag values can be provided as needed. A tag can be left without a value. +## Cross-referenced modules -#### Platform Image +_None_ -

+## Deployment examples -Parameter JSON format +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -```json -"source": { - "type": "PlatformImage", - "publisher": "MicrosoftWindowsDesktop", - "offer": "Windows-10", - "sku": "19h2-evd", - "version": "latest" -} -``` + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -
+

Example 1: Common

-Bicep format +via Bicep module ```bicep -source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-10' - sku: '19h2-evd' - version: 'latest' +module imageTemplate './virtual-machine-images/image-template/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitcom' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '10m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win11-22h2-avd' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitcom001' + userMsiName: '' + // Non-required parameters + buildTimeoutInMinutes: 60 + enableDefaultTelemetry: '' + imageReplicationRegions: [] + lock: 'CanNotDelete' + managedImageName: 'mi-vmiitcom-001' + osDiskSizeGB: 127 + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sigImageDefinitionId: '' + sigImageVersion: '' + stagingResourceGroup: '' + subnetId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + unManagedImageName: 'umi-vmiitcom-001' + userAssignedIdentities: [ + '' + ] + userMsiResourceGroup: '' + vmSize: 'Standard_D2s_v3' + } } ```

-#### Managed Image -

-Parameter JSON format +via JSON Parameter file ```json -"source": { - "type": "ManagedImage", - "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" -} -``` - -
- -
- -Bicep format - -```bicep -source: { - type: 'ManagedImage' - imageId: '/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/' +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "10m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-11", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win11-22h2-avd", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitcom001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "buildTimeoutInMinutes": { + "value": 60 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageReplicationRegions": { + "value": [] + }, + "lock": { + "value": "CanNotDelete" + }, + "managedImageName": { + "value": "mi-vmiitcom-001" + }, + "osDiskSizeGB": { + "value": 127 + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sigImageDefinitionId": { + "value": "" + }, + "sigImageVersion": { + "value": "" + }, + "stagingResourceGroup": { + "value": "" + }, + "subnetId": { + "value": "" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "unManagedImageName": { + "value": "umi-vmiitcom-001" + }, + "userAssignedIdentities": { + "value": [ + "" + ] + }, + "userMsiResourceGroup": { + "value": "" + }, + "vmSize": { + "value": "Standard_D2s_v3" + } + } } ```

-#### Shared Image - -

- -Parameter JSON format - -```json -"source": { - "type": "SharedImageVersion", - "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" -} -``` - -
+

Example 2: Min

-Bicep format +via Bicep module ```bicep -source: { - type: 'SharedImageVersion' - imageVersionID: '/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/' +module imageTemplate './virtual-machine-images/image-template/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitmin' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '30m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-10' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win10-22h2-ent' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitmin001' + userMsiName: '' + // Non-required parameters + enableDefaultTelemetry: '' + managedImageName: 'mi-vmiitmin-001' + userMsiResourceGroup: '' + } } ```

-### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. -

-Parameter JSON format +via JSON Parameter file ```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "30m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-10", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win10-22h2-ent", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitmin001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedImageName": { + "value": "mi-vmiitmin-001" + }, + "userMsiResourceGroup": { + "value": "" + } + } +} +``` + +
+

+ +## Notes + +### Parameter Usage: `imageSource` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +#### Platform Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "PlatformImage", + "publisher": "MicrosoftWindowsDesktop", + "offer": "Windows-10", + "sku": "19h2-evd", + "version": "latest" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'PlatformImage' + publisher: 'MicrosoftWindowsDesktop' + offer: 'Windows-10' + sku: '19h2-evd' + version: 'latest' +} +``` + +
+

+ +#### Managed Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "ManagedImage", + "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'ManagedImage' + imageId: '/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/' +} +``` + +
+

+ +#### Shared Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "SharedImageVersion", + "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'SharedImageVersion' + imageVersionID: '/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/' +} +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", "PurchaseOrder": "1234", "CostCenter": "7890", "ServiceName": "DeploymentValidation", @@ -322,279 +599,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The full name of the deployed image template. | -| `namePrefix` | string | The prefix of the image template name provided as input. | -| `resourceGroupName` | string | The resource group the image template was deployed into. | -| `resourceId` | string | The resource ID of the image template. | -| `runThisCommand` | string | The command to run in order to trigger the image build. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitcom' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '10m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-11' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win11-22h2-avd' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitcom001' - userMsiName: '' - // Non-required parameters - buildTimeoutInMinutes: 60 - enableDefaultTelemetry: '' - imageReplicationRegions: [] - lock: 'CanNotDelete' - managedImageName: 'mi-vmiitcom-001' - osDiskSizeGB: 127 - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sigImageDefinitionId: '' - sigImageVersion: '' - stagingResourceGroup: '' - subnetId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - unManagedImageName: 'umi-vmiitcom-001' - userAssignedIdentities: [ - '' - ] - userMsiResourceGroup: '' - vmSize: 'Standard_D2s_v3' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "10m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-11", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win11-22h2-avd", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitcom001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "buildTimeoutInMinutes": { - "value": 60 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageReplicationRegions": { - "value": [] - }, - "lock": { - "value": "CanNotDelete" - }, - "managedImageName": { - "value": "mi-vmiitcom-001" - }, - "osDiskSizeGB": { - "value": 127 - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sigImageDefinitionId": { - "value": "" - }, - "sigImageVersion": { - "value": "" - }, - "stagingResourceGroup": { - "value": "" - }, - "subnetId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "unManagedImageName": { - "value": "umi-vmiitcom-001" - }, - "userAssignedIdentities": { - "value": [ - "" - ] - }, - "userMsiResourceGroup": { - "value": "" - }, - "vmSize": { - "value": "Standard_D2s_v3" - } - } -} -``` - -
-

- -

Example 2: Min

- -
- -via Bicep module - -```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitmin' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-10' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win10-22h2-ent' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitmin001' - userMsiName: '' - // Non-required parameters - enableDefaultTelemetry: '' - managedImageName: 'mi-vmiitmin-001' - userMsiResourceGroup: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "30m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-10", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win10-22h2-ent", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitmin001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedImageName": { - "value": "mi-vmiitmin-001" - }, - "userMsiResourceGroup": { - "value": "" - } - } -} -``` - -
-

From e4ac7a72bd6f333d738e8107c48b900deed67cfa Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:08:34 +0200 Subject: [PATCH 09/20] Synapse key --- modules/synapse/workspace/key/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index eb2930be2a..309e6e80c1 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md @@ -48,10 +48,6 @@ This module deploys a Synapse Workspaces Key. | `resourceGroupName` | string | The resource group of the deployed key. | | `resourceId` | string | The resource ID of the deployed key. | -## Template references - -- [Workspaces/Keys](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) - ## Cross-referenced modules _None_ From 63f12ed03e5b9eb811ef30f858c50ddcd22565c8 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:09:53 +0200 Subject: [PATCH 10/20] Storage ManagePolicy --- .../management-policy/README.md | 82 ------------------- 1 file changed, 82 deletions(-) diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md index 471cefa283..a5cf3253ee 100644 --- a/modules/storage/storage-account/management-policy/README.md +++ b/modules/storage/storage-account/management-policy/README.md @@ -35,88 +35,6 @@ This module deploys a Storage Account Management Policy. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | - -### Parameter Usage: `rules` - -

-
-Parameter JSON format
-
-```json
-"rules": {
- "value": [
- {
- "enabled": true,
- "name": "retention-policy",
- "type": "Lifecycle",
- "definition": {
- "actions": {
- "baseBlob": {
- "tierToArchive": {
- "daysAfterModificationGreaterThan": 30
- },
- "delete": {
- "daysAfterModificationGreaterThan": 1096
- }
- },
- "snapshot": {
- "delete": {
- "daysAfterCreationGreaterThan": 1096
- }
- }
- },
- "filters": {
- "blobTypes": [
- "blockBlob"
- ]
- }
- }
- }
- ]
-}
-```
- - -
-
-Bicep format
-
-```bicep
-rules: [
- {
- enabled: true
- name: 'retention-policy'
- type: 'Lifecycle'
- definition: {
- actions: {
- baseBlob: {
- tierToArchive: {
- daysAfterModificationGreaterThan: 30
- }
- delete: {
- daysAfterModificationGreaterThan: 1096
- }
- }
- snapshot: {
- delete: {
- daysAfterCreationGreaterThan: 1096
- }
- }
- }
- filters: {
- blobTypes: [
- 'blockBlob'
- ]
- }
- }
- }
-]
-```
-
-
-

-
 ## Outputs
 
 | Output Name | Type | Description |
From e93f5d589241eb80d3f9200dd0cfb8742fa20bd1 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 21:15:18 +0200
Subject: [PATCH 11/20] Storage
---
 modules/storage/storage-account/README.md | 524 ++++++++++------------
 1 file changed, 235 insertions(+), 289 deletions(-)
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index a32a026482..1daafd38bc 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -98,295 +98,6 @@ This module deploys a Storage Account.
 | `tags` | object | `{object}` | | Tags of the resource. |
 | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
 
-
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `networkAcls` - -

- -Parameter JSON format - -```json -"networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "virtualNetworkRules": [ - { - "action": "Allow", - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001" - } - ], - "ipRules": [ - { - "action": "Allow", - "value": "1.1.1.1" - } - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - virtualNetworkRules: [ - { - action: 'Allow' - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - } - ] - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] -} -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1374,3 +1085,238 @@ module storageAccount './storage/storage-account/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

From efdaaf555e9df33e9ca4c57586263f85abf9c3e4 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 21:17:29 +0200
Subject: [PATCH 12/20] Update to latest
---
 modules/storage/storage-account/README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 1daafd38bc..169cb3cf76 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -109,11 +109,6 @@ This module deploys a Storage Account.
 | `resourceId` | string | The resource ID of the deployed storage account. |
 | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
 
-## Considerations
-
-This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype.
-The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time.
-
 ## Cross-referenced modules
 
 This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
@@ -1088,6 +1083,11 @@ module storageAccount './storage/storage-account/main.bicep' = {
 
 ## Notes
 
+## Considerations
+
+This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype.
+The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time.
+
 ### Parameter Usage: `roleAssignments`
 
 Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
From bb769f5aa8d7696ea73124eb39ad7c1457d08bf1 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 21:25:37 +0200
Subject: [PATCH 13/20] SQL
---
 modules/sql/server/README.md | 1305 +++++++++++++++++----------------
 1 file changed, 653 insertions(+), 652 deletions(-)
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 18c05a8ea2..eefb499d67 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -72,503 +72,229 @@ This module deploys an Azure SQL Server. | `virtualNetworkRules` | array | `[]` | | The virtual network rules to create in the server. | | `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | +## Outputs -### Parameter Usage: `roleAssignments` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed SQL server. | +| `resourceGroupName` | string | The resource group of the deployed SQL server. | +| `resourceId` | string | The resource ID of the deployed SQL server. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. +## Cross-referenced modules -

+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -Parameter JSON format +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` +## Deployment examples -
+The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Admin

-Bicep format +via Bicep module ```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' + params: { + // Required parameters + name: 'sqlsadmin' + // Non-required parameters + administrators: { + azureADOnlyAuthentication: true + login: 'myspn' + principalType: 'Application' + sid: '' + tenantId: '' } -] + enableDefaultTelemetry: '' + } +} ```

-### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. -

-Parameter JSON format +via JSON Parameter file ```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlsadmin" + }, + // Non-required parameters + "administrators": { + "value": { + "azureADOnlyAuthentication": true, + "login": "myspn", + "principalType": "Application", + "sid": "", + "tenantId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" } + } } ```
+

+ +

Example 2: Common

-Bicep format +via Bicep module ```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlscom' + params: { + // Required parameters + name: 'sqlscom' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + backupLongTermRetentionPolicy: { + monthlyRetention: 'P6M' + } + backupShortTermRetentionPolicy: { + retentionDays: 14 + } + capacity: 0 + collation: 'SQL_Latin1_General_CP1_CI_AS' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + elasticPoolId: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + licenseType: 'LicenseIncluded' + maxSizeBytes: 34359738368 + name: 'sqlscomdb-001' + skuName: 'ElasticPool' + skuTier: 'GeneralPurpose' + } + ] + elasticPools: [ + { + maintenanceConfigurationId: '' + name: 'sqlscom-ep-001' + skuCapacity: 10 + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + } + ] + enableDefaultTelemetry: '' + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + ] + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + location: '' + lock: 'CanNotDelete' + primaryUserAssignedIdentityId: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + restrictOutboundNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + 
securityAlertPolicies: [ + { + emailAccountAdmins: true + name: 'Default' + state: 'Enabled' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + name: 'newVnetRule1' + virtualNetworkSubnetId: '' + } + ] + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + } + } } ```

-### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: -

-Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `administrators` - -Configure Azure Active Directory Authentication method for server administrator. - - -

- -Parameter JSON format - -```json -"administrators": { - "value": { - "azureADOnlyAuthentication": true - "login": "John Doe", // if application can be anything - "sid": "[[objectId]]", // if application, the object ID - "principalType" : "User", // options: "User", "Group", "Application" - "tenantId": "[[tenantId]]" - } -} -``` - -
- -
- -Bicep format - -```bicep -administrators: { - azureADOnlyAuthentication: true - login: 'John Doe' // if application can be anything - sid: '[[objectId]]' // if application the object ID - 'principalType' : 'User' // options: 'User' 'Group' 'Application' - tenantId: '[[tenantId]]' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed SQL server. | -| `resourceGroupName` | string | The resource group of the deployed SQL server. | -| `resourceId` | string | The resource ID of the deployed SQL server. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Admin

- -
- -via Bicep module - -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' - params: { - // Required parameters - name: 'sqlsadmin' - // Non-required parameters - administrators: { - azureADOnlyAuthentication: true - login: 'myspn' - principalType: 'Application' - sid: '' - tenantId: '' - } - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsadmin" - }, - // Non-required parameters - "administrators": { - "value": { - "azureADOnlyAuthentication": true, - "login": "myspn", - "principalType": "Application", - "sid": "", - "tenantId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -

Example 2: Common

- -
- -via Bicep module - -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlscom' - params: { - // Required parameters - name: 'sqlscom' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - backupLongTermRetentionPolicy: { - monthlyRetention: 'P6M' - } - backupShortTermRetentionPolicy: { - retentionDays: 14 - } - capacity: 0 - collation: 'SQL_Latin1_General_CP1_CI_AS' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - elasticPoolId: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - licenseType: 'LicenseIncluded' - maxSizeBytes: 34359738368 - name: 'sqlscomdb-001' - skuName: 'ElasticPool' - skuTier: 'GeneralPurpose' - } - ] - elasticPools: [ - { - maintenanceConfigurationId: '' - name: 'sqlscom-ep-001' - skuCapacity: 10 - skuName: 'GP_Gen5' - skuTier: 'GeneralPurpose' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - ] - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - location: '' - lock: 'CanNotDelete' - primaryUserAssignedIdentityId: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - restrictOutboundNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - securityAlertPolicies: [ - { - emailAccountAdmins: true - name: 'Default' - state: 'Enabled' - } - ] - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the 
resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - name: 'newVnetRule1' - virtualNetworkSubnetId: '' - } - ] - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - } - } -} -``` - -
-

- -

- -via JSON Parameter file +via JSON Parameter file ```json { @@ -647,11 +373,162 @@ module server './sql/server/main.bicep' = { "location": { "value": "" }, - "lock": { - "value": "CanNotDelete" + "lock": { + "value": "CanNotDelete" + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "sqlServer", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "restrictOutboundNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPolicies": { + "value": [ + { + "emailAccountAdmins": true, + "name": "Default", + "state": "Enabled" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "virtualNetworkRules": { + "value": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "name": "newVnetRule1", + "virtualNetworkSubnetId": "" + } + ] + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "" + } + } + } +} +``` + +
+

+ +

Example 3: Pe

+ +
+ +via Bicep module + +```bicep +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlspe' + params: { + // Required parameters + name: 'sqlspe' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + enableDefaultTelemetry: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlspe" + }, + // Non-required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" }, - "primaryUserAssignedIdentityId": { - "value": "" + "enableDefaultTelemetry": { + "value": "" }, "privateEndpoints": { "value": [ @@ -671,63 +548,98 @@ module server './sql/server/main.bicep' = { } ] }, - "restrictOutboundNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "securityAlertPolicies": { - "value": [ - { - "emailAccountAdmins": true, - "name": "Default", - "state": "Enabled" - } - ] - }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} + } + } +} +``` + +
+

+ +

Example 4: Secondary

+ +
+ +via Bicep module + +```bicep +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlsec' + params: { + // Required parameters + name: 'sqlsec-sec' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + createMode: 'Secondary' + maxSizeBytes: 2147483648 + name: '' + skuName: 'Basic' + skuTier: 'Basic' + sourceDatabaseResourceId: '' } + ] + enableDefaultTelemetry: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlsec-sec" }, - "virtualNetworkRules": { + // Non-required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "databases": { "value": [ { - "ignoreMissingVnetServiceEndpoint": true, - "name": "newVnetRule1", - "virtualNetworkSubnetId": "" + "createMode": "Secondary", + "maxSizeBytes": 2147483648, + "name": "", + "skuName": "Basic", + "skuTier": "Basic", + "sourceDatabaseResourceId": "" } ] }, - "vulnerabilityAssessmentsObj": { + "enableDefaultTelemetry": { + "value": "" + }, + "tags": { "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "" + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" } } } @@ -737,187 +649,276 @@ module server './sql/server/main.bicep' = {

-

Example 3: Pe

+## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `administrators` + +Configure Azure Active Directory Authentication method for server administrator. +

-via Bicep module +Parameter JSON format -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlspe' - params: { - // Required parameters - name: 'sqlspe' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +```json +"administrators": { + "value": { + "azureADOnlyAuthentication": true, + "login": "John Doe", // if application can be anything + "sid": "[[objectId]]", // if application, the object ID + "principalType" : "User", // options: "User", "Group", "Application" + "tenantId": "[[tenantId]]" } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlspe" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, - "service": "sqlServer", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } +```bicep +administrators: { + azureADOnlyAuthentication: true + login: 'John Doe' // if application can be anything + sid: '[[objectId]]' // if application the object ID + 'principalType' : 'User' // options: 'User' 'Group' 'Application' + tenantId: '[[tenantId]]' } ```

-

Example 4: Secondary

+### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-via Bicep module +Parameter JSON format -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsec' - params: { - // Required parameters - name: 'sqlsec-sec' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - createMode: 'Secondary' - maxSizeBytes: 2147483648 - name: '' - skuName: 'Basic' - skuTier: 'Basic' - sourceDatabaseResourceId: '' - } +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } ] - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsec-sec" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "databases": { - "value": [ - { - "createMode": "Secondary", - "maxSizeBytes": 2147483648, - "name": "", - "skuName": "Basic", - "skuTier": "Basic", - "sourceDatabaseResourceId": "" +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] } - } -} + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] ```
From a1ef4d9ab82b88e0f3571955f11998364f6967bd Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 21:28:05 +0200
Subject: [PATCH 14/20] SQL MI

---
 modules/sql/managed-instance/README.md | 357 +++++++++---------
 .../sql/managed-instance/database/README.md | 31 +-
 2 files changed, 193 insertions(+), 195 deletions(-)

diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index 9ed0a0f15f..b29111bdb6 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -27,18 +27,6 @@ This module deploys a SQL Managed Instance.
 | `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/securityAlertPolicies) |
 | `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) |
 
-### Deployment prerequisites
-
-#### Networking
-
-SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql#network-requirements).
-
-SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail.
-
-#### Azure AD Authentication
-
-SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed.
-
 ## Parameters
 
 **Required parameters**
@@ -100,172 +88,6 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn. | `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | | `zoneRedundant` | bool | `False` | | Whether or not multi-az is enabled. | - -### Parameter Usage : `userAssignedIdentities` - -
- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- - -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -703,3 +525,182 @@ module managedInstance './sql/managed-instance/main.bicep' = {

+ +## Notes + +### Considerations + +#### Networking + +SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql#network-requirements). + +SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail. + +#### Azure AD Authentication + +SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed. + +### Parameter Usage : `userAssignedIdentities` + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ + +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md
index b347af31a0..c3a27fa85b 100644
--- a/modules/sql/managed-instance/database/README.md
+++ b/modules/sql/managed-instance/database/README.md
@@ -19,10 +19,6 @@ This module deploys a SQL Managed Instance Database.
 | `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
 
-### Deployment prerequisites
-
-The SQL Managed Instance Database is deployed on a SQL Managed Instance.
-
 ## Parameters
 
 **Required parameters**
@@ -64,6 +60,20 @@ The SQL Managed Instance Database is deployed on a SQL Managed Instance.
 | `restorableDroppedDatabaseId` | string | `''` | | The restorable dropped database resource ID to restore when creating this database. |
 | `tags` | object | `{object}` | | Tags of the resource. |
 
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed database. |
+| `resourceGroupName` | string | The resource group the database was deployed into. |
+| `resourceId` | string | The resource ID of the deployed database. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
 
 ### Parameter Usage: `tags`
 
@@ -105,16 +115,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group the database was deployed into. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ From 74c30fb42abf717c7c065396f8d020748755c235 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:29:40 +0200 Subject: [PATCH 15/20] Web pub sub --- .../signal-r-service/web-pub-sub/README.md | 542 ++++++++---------- 1 file changed, 236 insertions(+), 306 deletions(-) diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index e0cc720580..c968a398b4 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -49,312 +49,6 @@ This module deploys a SignalR Web PubSub Service. | `tags` | object | `{object}` | | Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

-
-Parameter JSON format
-
-```json
-"privateEndpoints": {
- "value": [
- // Example showing all available fields
- {
- "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
- "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "", // e.g. vault, registry, blob
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
- ]
- },
- "ipConfigurations":[
- {
- "name": "myIPconfigTest02",
- "properties": {
- "groupId": "blob",
- "memberName": "blob",
- "privateIPAddress": "10.0.0.30"
- }
- }
- ],
- "customDnsConfigs": [
- {
- "fqdn": "customname.test.local",
- "ipAddresses": [
- "10.10.10.10"
- ]
- }
- ]
- },
- // Example showing only mandatory fields
- {
- "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "" // e.g. vault, registry, blob
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-privateEndpoints: [
- // Example showing all available fields
- {
- name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
- subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '' // e.g. vault, registry, blob
- privateDnsZoneGroup: {
- privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
- ]
- }
- customDnsConfigs: [
- {
- fqdn: 'customname.test.local'
- ipAddresses: [
- '10.10.10.10'
- ]
- }
- ]
- ipConfigurations:[
- {
- name: 'myIPconfigTest02'
- properties: {
- groupId: 'blob'
- memberName: 'blob'
- privateIPAddress: '10.0.0.30'
- }
- }
- ]
- }
- // Example showing only mandatory fields
- {
- subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '' // e.g. vault, registry, blob
- }
-]
-```
-
-
-

-
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

-
-Parameter JSON format
-
-```json
-"roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "description": "Reader Role Assignment",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012" // object 1
- ],
- "principalType": "ServicePrincipal"
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- description: 'Reader Role Assignment'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- '78945612-1234-1234-1234-123456789012' // object 2
- ]
- }
- {
- roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- ]
- principalType: 'ServicePrincipal'
- }
-]
-```
-
-
-

-
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

-
-Parameter JSON format
-
-```json
-"tags": {
- "value": {
- "Environment": "Non-Prod",
- "Contact": "test.user@testcompany.com",
- "PurchaseOrder": "1234",
- "CostCenter": "7890",
- "ServiceName": "DeploymentValidation",
- "Role": "DeploymentValidation"
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-tags: {
- Environment: 'Non-Prod'
- Contact: 'test.user@testcompany.com'
- PurchaseOrder: '1234'
- CostCenter: '7890'
- ServiceName: 'DeploymentValidation'
- Role: 'DeploymentValidation'
-}
-```
-
-
-

-
-### Parameter Usage: `userAssignedIdentities`
-
-You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
-
-

-
-Parameter JSON format
-
-```json
-"userAssignedIdentities": {
- "value": {
- "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
- "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-userAssignedIdentities: {
- '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
- '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
-}
-```
-
-
-

-
-### Parameter Usage: `networkAcls`
-
-Using this object you can configure the service's firewall. Note, that the `defaultAction` either allows all / denies all communication via the `publicNetwork` and `privateEndpoints`. You can subsequently allow/deny individual actions using the corresponding arrays.
-
-Either block supports any array of values:
-
-- 'ClientConnection'
-- 'RESTAPI'
-- 'ServerConnection'
-- 'Trace'
-
-

-
-Parameter JSON format
-
-```json
-"networkAcls": {
- "value": {
- "defaultAction": "Deny",
- "privateEndpoints": [
- {
- "name": "pe-[[namePrefix]]-az-pubsub-x-001-webpubsub-0",
- "allow": [
- "ServerConnection",
- "Trace"
- ],
- "deny": []
- }
- ],
- "publicNetwork": {
- "allow": [
- "RESTAPI",
- "Trace"
- ],
- "deny": []
- }
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-networkAcls: {
- defaultAction: 'Deny'
- privateEndpoints: [
- {
- name: 'pe-[[namePrefix]]-az-pubsub-x-001-webpubsub-0'
- allow: [
- 'ServerConnection'
- 'Trace'
- ],
- deny: []
- }
- ]
- publicNetwork: {
- allow: [
- 'RESTAPI'
- 'Trace'
- ]
- deny: []
- }
-}
-```
-
-
-

- ## Outputs | Output Name | Type | Description | @@ -713,3 +407,239 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

+
+## Notes
+
+
+### Parameter Usage: `privateEndpoints`
+
+To use Private Endpoint the following dependencies must be deployed:
+
+- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
+- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
+
+

+
+Parameter JSON format
+
+```json
+"privateEndpoints": {
+ "value": [
+ // Example showing all available fields
+ {
+ "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
+ "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "service": "", // e.g. vault, registry, blob
+ "privateDnsZoneGroup": {
+ "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
+ ]
+ },
+ "ipConfigurations":[
+ {
+ "name": "myIPconfigTest02",
+ "properties": {
+ "groupId": "blob",
+ "memberName": "blob",
+ "privateIPAddress": "10.0.0.30"
+ }
+ }
+ ],
+ "customDnsConfigs": [
+ {
+ "fqdn": "customname.test.local",
+ "ipAddresses": [
+ "10.10.10.10"
+ ]
+ }
+ ]
+ },
+ // Example showing only mandatory fields
+ {
+ "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "service": "" // e.g. vault, registry, blob
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+privateEndpoints: [
+ // Example showing all available fields
+ {
+ name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
+ subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
+ service: '' // e.g. vault, registry, blob
+ privateDnsZoneGroup: {
+ privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
+ ]
+ }
+ customDnsConfigs: [
+ {
+ fqdn: 'customname.test.local'
+ ipAddresses: [
+ '10.10.10.10'
+ ]
+ }
+ ]
+ ipConfigurations:[
+ {
+ name: 'myIPconfigTest02'
+ properties: {
+ groupId: 'blob'
+ memberName: 'blob'
+ privateIPAddress: '10.0.0.30'
+ }
+ }
+ ]
+ }
+ // Example showing only mandatory fields
+ {
+ subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
+ service: '' // e.g. vault, registry, blob
+ }
+]
+```
+
+
+

+
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+

+
+Parameter JSON format
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ description: 'Reader Role Assignment'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ '78945612-1234-1234-1234-123456789012' // object 2
+ ]
+ }
+ {
+ roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ ]
+ principalType: 'ServicePrincipal'
+ }
+]
+```
+
+
+

+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+

+
+Parameter JSON format
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+tags: {
+ Environment: 'Non-Prod'
+ Contact: 'test.user@testcompany.com'
+ PurchaseOrder: '1234'
+ CostCenter: '7890'
+ ServiceName: 'DeploymentValidation'
+ Role: 'DeploymentValidation'
+}
+```
+
+
+

+
+### Parameter Usage: `userAssignedIdentities`
+
+You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
+
+

+
+Parameter JSON format
+
+```json
+"userAssignedIdentities": {
+ "value": {
+ "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
+ "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
+ }
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+userAssignedIdentities: {
+ '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
+ '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
+}
+```
+
+
+

From 856d66a2a27fd27fcafea8c0186ca2a4712cd57d Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:30:33 +0200 Subject: [PATCH 16/20] Update to latest --- modules/service-fabric/cluster/README.md | 309 ++++++++++++----------- 1 file changed, 155 insertions(+), 154 deletions(-) diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 8c91416501..38ad984ba0 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -65,160 +65,6 @@ This module deploys a Service Fabric Cluster. | `vmssZonalUpgradeMode` | string | `'Hierarchical'` | `[Hierarchical, Parallel]` | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. | | `waveUpgradePaused` | bool | `False` | | Boolean to pause automatic runtime version upgrades to the cluster. | - -### Parameter Usage: `notifications` - -

-
-Parameter JSON format
-
-```json
-"notifications": {
- "value": [
- {
- "isEnabled": true, // Required. Indicates if the notification is enabled.
- "notificationCategory": "WaveProgress", // Required. The category of notification. Possible values include: "WaveProgress".
- "notificationLevel": "Critical", // Required. The level of notification. Possible values include: "Critical", "All".
- "notificationTargets": [
- {
- "notificationChannel": "EmailUser", // Required. The notification channel indicates the type of receivers subscribed to the notification, either user or subscription. Possible values include: "EmailUser", "EmailSubscription".
- "receivers": [
- "SomeReceiver" // Required. List of targets that subscribe to the notification.
- ]
- }
- ]
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-notifications: [
- {
- isEnabled: true // Required. Indicates if the notification is enabled.
- notificationCategory: 'WaveProgress' // Required. The category of notification. Possible values include: 'WaveProgress'.
- notificationLevel: 'Critical' // Required. The level of notification. Possible values include: 'Critical' 'All'.
- notificationTargets: [
- {
- notificationChannel: 'EmailUser' // Required. The notification channel indicates the type of receivers subscribed to the notification either user or subscription. Possible values include: 'EmailUser' 'EmailSubscription'.
- receivers: [
- 'SomeReceiver' // Required. List of targets that subscribe to the notification.
- ]
- }
- ]
- }
-]
-```
-
-
-

-
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

-
-Parameter JSON format
-
-```json
-"roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "description": "Reader Role Assignment",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012" // object 1
- ],
- "principalType": "ServicePrincipal"
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- description: 'Reader Role Assignment'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- '78945612-1234-1234-1234-123456789012' // object 2
- ]
- }
- {
- roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- ]
- principalType: 'ServicePrincipal'
- }
-]
-```
-
-
-

-
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

-
-Parameter JSON format
-
-```json
-"tags": {
- "value": {
- "Environment": "Non-Prod",
- "Contact": "test.user@testcompany.com",
- "PurchaseOrder": "1234",
- "CostCenter": "7890",
- "ServiceName": "DeploymentValidation",
- "Role": "DeploymentValidation"
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-tags: {
- Environment: 'Non-Prod'
- Contact: 'test.user@testcompany.com'
- PurchaseOrder: '1234'
- CostCenter: '7890'
- ServiceName: 'DeploymentValidation'
- Role: 'DeploymentValidation'
-}
-```
-
-
-

- ## Outputs | Output Name | Type | Description | @@ -848,3 +694,158 @@ module cluster './service-fabric/cluster/main.bicep' = {

+
+## Notes
+
+### Parameter Usage: `notifications`
+
+

+
+Parameter JSON format
+
+```json
+"notifications": {
+ "value": [
+ {
+ "isEnabled": true, // Required. Indicates if the notification is enabled.
+ "notificationCategory": "WaveProgress", // Required. The category of notification. Possible values include: "WaveProgress".
+ "notificationLevel": "Critical", // Required. The level of notification. Possible values include: "Critical", "All".
+ "notificationTargets": [
+ {
+ "notificationChannel": "EmailUser", // Required. The notification channel indicates the type of receivers subscribed to the notification, either user or subscription. Possible values include: "EmailUser", "EmailSubscription".
+ "receivers": [
+ "SomeReceiver" // Required. List of targets that subscribe to the notification.
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+notifications: [
+ {
+ isEnabled: true // Required. Indicates if the notification is enabled.
+ notificationCategory: 'WaveProgress' // Required. The category of notification. Possible values include: 'WaveProgress'.
+ notificationLevel: 'Critical' // Required. The level of notification. Possible values include: 'Critical' 'All'.
+ notificationTargets: [
+ {
+ notificationChannel: 'EmailUser' // Required. The notification channel indicates the type of receivers subscribed to the notification either user or subscription. Possible values include: 'EmailUser' 'EmailSubscription'.
+ receivers: [
+ 'SomeReceiver' // Required. List of targets that subscribe to the notification.
+ ]
+ }
+ ]
+ }
+]
+```
+
+
+

+
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+

+
+Parameter JSON format
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ description: 'Reader Role Assignment'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ '78945612-1234-1234-1234-123456789012' // object 2
+ ]
+ }
+ {
+ roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ ]
+ principalType: 'ServicePrincipal'
+ }
+]
+```
+
+
+

+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+

+
+Parameter JSON format
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+tags: {
+ Environment: 'Non-Prod'
+ Contact: 'test.user@testcompany.com'
+ PurchaseOrder: '1234'
+ CostCenter: '7890'
+ ServiceName: 'DeploymentValidation'
+ Role: 'DeploymentValidation'
+}
+```
+
+
+

From b064f509a6530e16a1151e729307cf286ea759b0 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:31:34 +0200 Subject: [PATCH 17/20] Namepsace --- modules/service-bus/namespace/README.md | 505 +++++++++++------------- 1 file changed, 235 insertions(+), 270 deletions(-) diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 4781e805c0..114f9d1533 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -75,276 +75,6 @@ This module deploys a Service Bus Namespace. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | | `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

-
-Parameter JSON format
-
-```json
-"roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "description": "Reader Role Assignment",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012", // object 1
- "78945612-1234-1234-1234-123456789012" // object 2
- ]
- },
- {
- "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "principalIds": [
- "12345678-1234-1234-1234-123456789012" // object 1
- ],
- "principalType": "ServicePrincipal"
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- description: 'Reader Role Assignment'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- '78945612-1234-1234-1234-123456789012' // object 2
- ]
- }
- {
- roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- principalIds: [
- '12345678-1234-1234-1234-123456789012' // object 1
- ]
- principalType: 'ServicePrincipal'
- }
-]
-```
-
-
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

-
-Parameter JSON format
-
-```json
-"privateEndpoints": {
- "value": [
- // Example showing all available fields
- {
- "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
- "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "", // e.g. vault, registry, blob
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
- ]
- },
- "ipConfigurations":[
- {
- "name": "myIPconfigTest02",
- "properties": {
- "groupId": "blob",
- "memberName": "blob",
- "privateIPAddress": "10.0.0.30"
- }
- }
- ],
- "customDnsConfigs": [
- {
- "fqdn": "customname.test.local",
- "ipAddresses": [
- "10.10.10.10"
- ]
- }
- ]
- },
- // Example showing only mandatory fields
- {
- "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "" // e.g. vault, registry, blob
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-privateEndpoints: [
- // Example showing all available fields
- {
- name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
- subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '' // e.g. vault, registry, blob
- privateDnsZoneGroup: {
- privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
- ]
- }
- customDnsConfigs: [
- {
- fqdn: 'customname.test.local'
- ipAddresses: [
- '10.10.10.10'
- ]
- }
- ]
- ipConfigurations:[
- {
- name: 'myIPconfigTest02'
- properties: {
- groupId: 'blob'
- memberName: 'blob'
- privateIPAddress: '10.0.0.30'
- }
- }
- ]
- }
- // Example showing only mandatory fields
- {
- subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '' // e.g. vault, registry, blob
- }
-]
-```
-
-
-

-
-### Parameter Usage: `networkAcl`
-
-Configure networing options on premium SKU only.
-
-

-
-Parameter JSON format
-
-```json
-"networkAclConfig": {
- "value" : {
- "publicNetworkAccess": "Disabled",
- "allowTrustedServices": true
- }
-}
-
-
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-networkingAclConfig: {
- publicNetworkAccess: "Disabled"
- allowTrustedServices: true
-}
-
-```
-
-
-

-
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

-
-Parameter JSON format
-
-```json
-"tags": {
- "value": {
- "Environment": "Non-Prod",
- "Contact": "test.user@testcompany.com",
- "PurchaseOrder": "1234",
- "CostCenter": "7890",
- "ServiceName": "DeploymentValidation",
- "Role": "DeploymentValidation"
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-tags: {
- Environment: 'Non-Prod'
- Contact: 'test.user@testcompany.com'
- PurchaseOrder: '1234'
- CostCenter: '7890'
- ServiceName: 'DeploymentValidation'
- Role: 'DeploymentValidation'
-}
-```
-
-
-

-
-### Parameter Usage: `userAssignedIdentities`
-
-You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
-
-

-
-Parameter JSON format
-
-```json
-"userAssignedIdentities": {
- "value": {
- "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
- "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
- }
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-userAssignedIdentities: {
- '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
- '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
-}
-```
-
-
-

- ## Outputs | Output Name | Type | Description | @@ -1045,3 +775,238 @@ module namespace './service-bus/namespace/main.bicep' = {

+
+## Notes
+
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+

+
+Parameter JSON format
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ description: 'Reader Role Assignment'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ '78945612-1234-1234-1234-123456789012' // object 2
+ ]
+ }
+ {
+ roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+ principalIds: [
+ '12345678-1234-1234-1234-123456789012' // object 1
+ ]
+ principalType: 'ServicePrincipal'
+ }
+]
+```
+
+
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

From 8c86f99ea55e0adf5dac948937ca6fb43fc4dc91 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 21:32:25 +0200 Subject: [PATCH 18/20] Security --- .../security/azure-security-center/README.md | 36 ------------------- 1 file changed, 36 deletions(-) diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index d132f0662b..a420dfeb62 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md @@ -54,42 +54,6 @@ This module deploys an Azure Security Center (Defender for Cloud) Configuration. | `storageAccountsPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | | `virtualMachinesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | - -### Parameter Usage: `securityContactProperties` - -

- -Parameter JSON format - -```json -"securityContactProperties": { - "value": { - "email": "test@contoso.com", - "phone": "+12345678", - "alertNotifications": "On", - "alertsToAdmins": "Off" - } -} -``` - -
- -
- -Bicep format - -```bicep -securityContactProperties: { - email: 'test@contoso.com' - phone: '+12345678' - alertNotifications: 'On' - alertsToAdmins: 'Off' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | From 3ce41e3cd95730ec93af239e717ec9d701151df5 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 13 Oct 2023 22:38:01 +0200 Subject: [PATCH 19/20] Update to latest --- modules/web/hosting-environment/README.md | 3 +++ modules/web/serverfarm/README.md | 3 +++ modules/web/site/README.md | 3 +++ modules/web/site/config--appsettings/README.md | 2 ++ modules/web/site/config--authsettingsv2/README.md | 1 + modules/web/site/slot/config--appsettings/README.md | 2 ++ modules/web/site/slot/config--authsettingsv2/README.md | 1 + 7 files changed, 15 insertions(+) diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 02ad018a42..bcaf7288a6 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -9,6 +9,7 @@ This module deploys an App Service Environment. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -70,6 +71,7 @@ This module deploys an App Service Environment. | `userWhitelistedIpRanges` | array | `[]` | | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | | `zoneRedundant` | bool | `False` | | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | + ## Outputs | Output Name | Type | Description | @@ -400,6 +402,7 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 2897e382ae..c3fa426a14 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -9,6 +9,7 @@ This module deploys an App Service Plan. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -52,6 +53,7 @@ This module deploys an App Service Plan. | `workerTierName` | string | `''` | | Target worker tier assigned to the App Service plan. | | `zoneRedundant` | bool | `False` | | When true, this App Service Plan will perform availability zone balancing. | + ## Outputs | Output Name | Type | Description | @@ -185,6 +187,7 @@ module serverfarm './web/serverfarm/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/web/site/README.md b/modules/web/site/README.md index ee1dc1b436..0591052d17 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -9,6 +9,7 @@ This module deploys a Web or Function App. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -90,6 +91,7 @@ This module deploys a Web or Function App. | `vnetImagePullEnabled` | bool | `False` | | To enable pulling image over Virtual Network. | | `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | + ## Outputs | Output Name | Type | Description | @@ -869,6 +871,7 @@ module site './web/site/main.bicep' = {

+ ## Notes diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md index 9d41d316d6..3be5e82252 100644 --- a/modules/web/site/config--appsettings/README.md +++ b/modules/web/site/config--appsettings/README.md @@ -8,6 +8,7 @@ This module deploys a Site App Setting. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -39,6 +40,7 @@ This module deploys a Site App Setting. | `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md index 1b41f1e041..94dad58be5 100644 --- a/modules/web/site/config--authsettingsv2/README.md +++ b/modules/web/site/config--authsettingsv2/README.md @@ -36,6 +36,7 @@ This module deploys a Site Auth Settings V2 Configuration. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | + ## Outputs | Output Name | Type | Description | diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index 7cc2fda84d..e41825e801 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md 
@@ -8,6 +8,7 @@ This module deploys a Site Slot App Setting. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -40,6 +41,7 @@ This module deploys a Site Slot App Setting. | `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index a89722f8d7..ecd2214ba4 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md @@ -37,6 +37,7 @@ This module deploys a Site Auth Settings V2 Configuration. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | + ## Outputs | Output Name | Type | Description | From d655c9dec6fdef76c2e34bd2926c7c7e86b0d21b Mon Sep 17 00:00:00 2001 
From: AlexanderSehr
Date: Fri, 13 Oct 2023 22:47:08 +0200
Subject: [PATCH 20/20] Regen readmes
---
 modules/security/azure-security-center/README.md | 1 +
 modules/service-bus/namespace/README.md | 3 +++
 modules/service-fabric/cluster/README.md | 3 +++
 modules/signal-r-service/web-pub-sub/README.md | 3 +++
 modules/sql/managed-instance/README.md | 3 +++
 modules/sql/managed-instance/database/README.md | 2 ++
 modules/sql/server/README.md | 3 +++
 modules/storage/storage-account/README.md | 6 ++++--
 modules/storage/storage-account/management-policy/README.md | 1 +
 modules/synapse/workspace/key/README.md | 1 -
 modules/virtual-machine-images/image-template/README.md | 3 +++
 11 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md
index a420dfeb62..98bd54bdda 100644
--- a/modules/security/azure-security-center/README.md
+++ b/modules/security/azure-security-center/README.md
@@ -54,6 +54,7 @@ This module deploys an Azure Security Center (Defender for Cloud) Configuration.
 | `storageAccountsPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. |
 | `virtualMachinesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. |
 
+
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 40c8e6f116..65c1ff3a6b 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -9,6 +9,7 @@ This module deploys a Service Bus Namespace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -81,6 +82,7 @@ This module deploys a Service Bus Namespace. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | | `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | + ## Outputs | Output Name | Type | Description | @@ -814,6 +816,7 @@ module namespace './service-bus/namespace/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 38ad984ba0..6a3174bddd 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -9,6 +9,7 @@ This module deploys a Service Fabric Cluster. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -65,6 +66,7 @@ This module deploys a Service Fabric Cluster. | `vmssZonalUpgradeMode` | string | `'Hierarchical'` | `[Hierarchical, Parallel]` | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. | | `waveUpgradePaused` | bool | `False` | | Boolean to pause automatic runtime version upgrades to the cluster. | + ## Outputs | Output Name | Type | Description | @@ -695,6 +697,7 @@ module cluster './service-fabric/cluster/main.bicep' = {

+ ## Notes ### Parameter Usage: `notifications` diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index c968a398b4..d595076366 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -9,6 +9,7 @@ This module deploys a SignalR Web PubSub Service. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -49,6 +50,7 @@ This module deploys a SignalR Web PubSub Service. | `tags` | object | `{object}` | | Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | + ## Outputs | Output Name | Type | Description | @@ -408,6 +410,7 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

+ ## Notes diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index b29111bdb6..f4585d78dc 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -9,6 +9,7 @@ This module deploys a SQL Managed Instance. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -88,6 +89,7 @@ This module deploys a SQL Managed Instance. | `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | | `zoneRedundant` | bool | `False` | | Whether or not multi-az is enabled. | + ## Outputs | Output Name | Type | Description | @@ -526,6 +528,7 @@ module managedInstance './sql/managed-instance/main.bicep' = {

+ ## Notes ### Considerations diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index c3a27fa85b..4feb82d887 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -8,6 +8,7 @@ This module deploys a SQL Managed Instance Database. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -60,6 +61,7 @@ This module deploys a SQL Managed Instance Database. | `restorableDroppedDatabaseId` | string | `''` | | The restorable dropped database resource ID to restore when creating this database. | | `tags` | object | `{object}` | | Tags of the resource. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index eefb499d67..b6a4646090 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -9,6 +9,7 @@ This module deploys an Azure SQL Server. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -72,6 +73,7 @@ This module deploys an Azure SQL Server. | `virtualNetworkRules` | array | `[]` | | The virtual network rules to create in the server. | | `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | + ## Outputs | Output Name | Type | Description | @@ -649,6 +651,7 @@ module server './sql/server/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 169cb3cf76..9222dae86d 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -7,9 +7,9 @@ This module deploys a Storage Account. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -98,6 +98,7 @@ This module deploys a Storage Account. | `tags` | object | `{object}` | | Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | + ## Outputs | Output Name | Type | Description | @@ -1081,9 +1082,10 @@ module storageAccount './storage/storage-account/main.bicep' = {

+ ## Notes -## Considerations +### Considerations This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md index a5cf3253ee..063b8d60fa 100644 --- a/modules/storage/storage-account/management-policy/README.md +++ b/modules/storage/storage-account/management-policy/README.md @@ -35,6 +35,7 @@ This module deploys a Storage Account Management Policy. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | + ## Outputs | Output Name | Type | Description | diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index 309e6e80c1..f540c885ba 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md @@ -7,7 +7,6 @@ This module deploys a Synapse Workspaces Key. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) - [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 104d657411..f0c979df4b 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types 
@@ -59,6 +60,7 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to generate a unique image template name. | + ## Outputs | Output Name | Type | Description | @@ -335,6 +337,7 @@ module imageTemplate './virtual-machine-images/image-template/main.bicep' = {

+ ## Notes ### Parameter Usage: `imageSource`