From b4a92b9d15563d5806d460566fe9ad265a606a71 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 22:18:12 +0200 Subject: [PATCH 01/20] PE --- modules/network/private-endpoint/README.md | 326 +++++++-------------- 1 file changed, 102 insertions(+), 224 deletions(-) diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 585231b095..51569056bc 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -19,16 +19,6 @@ This module deploys a Private Endpoint. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -### Resource dependency - -The following resources are required to be able to deploy this resource: - -- `PrivateDNSZone` -- `VirtualNetwork/subnet` -- The service that needs to be connected through private endpoint - -**Important**: Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). - ## Parameters **Required parameters** 
@@ -56,220 +46,6 @@ The following resources are required to be able to deploy this resource: | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -
- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `applicationSecurityGroups` - -You can attach multiple Application Security Groups to a private endpoint resource. - -

- -Parameter JSON format - -```json -"applicationSecurityGroups": { - "value": [ - { - "id": "" - }, - { - "id": "" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -applicationSecurityGroups: [ - { - id: '' - } - { - id: '' - } -] -``` - -
-

- -### Parameter Usage: `customNetworkInterfaceName` - -You can customize the name of the private endpoint network interface instead of the default one that contains the string 'nic.GUID'. This helps with having consistent naming standards across all resources. Existing private endpoints cannot be renamed. See [documentation](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#network-interface-rename) for more details. - -

- -Parameter JSON format - -```json -"customNetworkInterfaceName": { - "value": "myPrivateEndpointName-Nic" -} -``` - -
- -
- -Bicep format - -```bicep -customNetworkInterfaceName: 'myPrivateEndpointName-Nic' -``` - -
-

- -### Parameter Usage: `ipConfigurations` - -You can use this property to define a static IP address for the private endpoint instead of the default dynamic one. To do that, first extract the `memberName` and `groupId` for the resource type you are creating the private endpoint for. See [documentation](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#determine-groupid-and-membername) for guidance on how to do that. Also provide the `privateIPAddress` for the private endpoint from the subnet range you are creating the private endpoint in. Note that static IP addresses [can be applied](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#custom-properties) when the private endpoint is created. - -

- -Parameter JSON format - -```json -"customNetworkInterfaceName": { - "value": [ - { - "name": "myIPconfig", - "properties": { - "memberName": "", // e.g. default, sites, blob - "groupId": "", // e.g. vault, registry, blob - "privateIPAddress": "10.10.10.10" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - memberName: '' // e.g. default, sites, blob - groupId: '' // e.g. vault, registry, blob - privateIPAddress: '10.10.10.10' - } - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -497,3 +273,105 @@ module privateEndpoint './network/private-endpoint/main.bicep' = {

+ +## Notes + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

From 9fc2d705fa78a695082ef3547e4b151805c5fa8a Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 22:19:08 +0200 Subject: [PATCH 02/20] dns zone --- .../network/private-dns-zone/txt/README.md | 50 ++++--------------- 1 file changed, 9 insertions(+), 41 deletions(-) diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 55635b80c9..18f4ab62b2 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md @@ -40,39 +40,19 @@ This module deploys a Private DNS Zone TXT record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | | `txtRecords` | array | `[]` | The list of TXT records in the record set. | +## Outputs -### Parameter Usage: `txtRecords` - -

- -Parameter JSON format - -```json -"txtRecords": { - "value": [ - { - "value": [ "string" ] - } - ] -} -``` - -
- -
+| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed TXT record. | +| `resourceGroupName` | string | The resource group of the deployed TXT record. | +| `resourceId` | string | The resource ID of the deployed TXT record. | -Bicep format +## Cross-referenced modules -```bicep -txtRecords: [ - { - value: [ 'string' ] - } -] -``` +_None_ -
-

+## Notes ### Parameter Usage: `roleAssignments` @@ -132,15 +112,3 @@ roleAssignments: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed TXT record. | -| `resourceGroupName` | string | The resource group of the deployed TXT record. | -| `resourceId` | string | The resource ID of the deployed TXT record. | - -## Cross-referenced modules - -_None_ From da1f0e5280e77d1e98cf6beb1592ab238bd34078 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 22:25:12 +0200 Subject: [PATCH 03/20] network manager --- modules/network/network-manager/README.md | 614 +++++---------------- modules/network/network-manager/main.bicep | 6 +- 2 files changed, 153 insertions(+), 467 deletions(-) diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index ff90c8fbf9..36084eee32 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -10,6 +10,7 @@ This module deploys a Network Manager. - [Cross-referenced modules](#Cross-referenced-modules) - [Considerations](#Considerations) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types 
@@ -40,7 +41,7 @@ This module deploys a Network Manager. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `networkGroups` | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. | +| `networkGroups` | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. | **Optional parameters** 
@@ -52,472 +53,11 @@ This module deploys a Network Manager. | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `scopeConnections` | array | `[]` | | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. | -| `securityAdminConfigurations` | array | `[]` | | Security Admin Configurations, Rule Collections and Rules to create for the network manager. | +| `scopeConnections` | array | `[]` | | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. | +| `securityAdminConfigurations` | array | `[]` | | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `` - -Features are scope access that you allow the Azure Virtual Network Manager to manage. 
Azure Virtual Network Manager currently has two feature scopes, which are `Connectivity` and `SecurityAdmin`. You can enable both feature scopes on the same Virtual Network Manager instance. - -

- -Parameter JSON format - -```json -"networkManagerScopeAccesses": { - "value": [ - "Connectivity" - "SecurityAdmin" - ] -} -``` - -
- -
- -Bicep format - -```bicep -networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' -] -``` - -
-

- -### Parameter Usage: `` - -Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. - -**Note**: You can't create multiple Azure Virtual Network Manager instances with an overlapping scope of the same hierarchy and the same features selected. - -

- -Parameter JSON format - -```json -"networkManagerScopes": { - "value": { - "subscriptions": [ - "/subscriptions/" - ], - "managementGroups": [ - "/providers/Microsoft.Management/managementGroups/" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -networkManagerScopes: { - subscriptions: [ - '/subscriptions/' - ] - managementGroups: [ - '/providers/Microsoft.Management/managementGroups/[[managementGroupId]]' - ] -} -``` - -
-

- -### Parameter Usage: `` - -A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. - -

- -Parameter JSON format - -```json -"networkGroups": { - "value": [ - { - "name": "network-group-test", - "description": "network-group-test description", - "staticMembers": [ - { - "name": "vnet1", - "resourceId": "" - }, - { - "name": "vnet2", - "resourceId": "" - } - ] - } - ] -}, -``` - -
- -
- -Bicep format - -```bicep -networkGroups: [ - { - name: 'network-group-test' - description: 'network-group-test description' - staticMembers: [ - { - name: 'vnet1' - resourceId: '' - } - { - name: 'vnet2' - resourceId: '' - } - ] - } -] -``` - -
-

- -### Parameter Usage: `` - -Connectivity configurations allow you to create different network topologies based on your network needs. You have two topologies to choose from, a mesh network and a hub and spoke. Connectivities between virtual networks are defined within the configuration settings. - -

- -Parameter JSON format - -```json -"connectivityConfigurations": { - "value": [ - { - "name": "hubSpokeConnectivity", - "description": "hubSpokeConnectivity description", - "connectivityTopology": "HubAndSpoke", - "hubs": [ - { - "resourceId": "", - "resourceType": "Microsoft.Network/virtualNetworks" - } - ], - "deleteExistingPeering": "True", - "isGlobal": "True", - "appliesToGroups": [ - { - "networkGroupId": "", - "useHubGateway": "False", - "groupConnectivity": "None", - "isGlobal": "False" - } - ] - }, - { - "name": "MeshConnectivity", - "description": "MeshConnectivity description", - "connectivityTopology": "Mesh", - "deleteExistingPeering": "True", - "isGlobal": "True", - "appliesToGroups": [ - { - "networkGroupId": "", - "useHubGateway": "False", - "groupConnectivity": "None", - "isGlobal": "False" - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -connectivityConfigurations: [ - { - name: 'hubSpokeConnectivity' - description: 'hubSpokeConnectivity description' - connectivityTopology: 'HubAndSpoke' - hubs: [ - { - resourceId: '' - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - { - name: 'MeshConnectivity' - description: 'MeshConnectivity description' - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } -] -``` - -
-

- -### Parameter Usage: `` - -Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. - -

- -Parameter JSON format - -```json -"scopeConnections": { - "value": [ - { - "name": "scope-connection-test", - "description": "description of the scope connection", - "resourceId": "/subscriptions/", // or "/providers/Microsoft.Management/managementGroups/" - "tenantid": "" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -scopeConnections: [ - { - name: 'scope-connection-test' - description: 'description of the scope connection' - resourceId: '/subscriptions/', // or '/providers/Microsoft.Management/managementGroups/' - tenantid: t'' - } -] -``` - -
-

- -### Parameter Usage: `` - -Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. - -

- -Parameter JSON format - -```json -"securityAdminConfigurations": { - "value": [ - { - "name": "test-security-admin-config", - "description": "description of the security admin config", - "applyOnNetworkIntentPolicyBasedServices": [ - "AllowRulesOnly" - ], - "ruleCollections": [ - { - "name": "test-rule-collection-1", - "description": "test-rule-collection-description", - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "rules": [ - { - "name": "test-inbound-allow-rule-1", - "description": "test-inbound-allow-rule-1-description", - "access": "Allow", - "direction": "Inbound", - "priority": 150, - "protocol": "Tcp" - } - ] - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -securityAdminConfigurations: [ - { - name: 'test-security-admin-config' - description: 'description of the security admin config' - applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - ruleCollections: [ - { - name: 'test-rule-collection-1' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-1' - description: 'test-inbound-allow-rule-1-description' - access: 'Allow' - direction: 'Inbound' - priority: 150 - protocol: 'Tcp' - } - ] - } - ] - } -] -``` - -
-

- - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -986,3 +526,149 @@ module networkManager './network/network-manager/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `networkManagerScopes` + +Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. + +**Note**: You can't create multiple Azure Virtual Network Manager instances with an overlapping scope of the same hierarchy and the same features selected. + +

+ +Parameter JSON format + +```json +"networkManagerScopes": { + "value": { + "subscriptions": [ + "/subscriptions/" + ], + "managementGroups": [ + "/providers/Microsoft.Management/managementGroups/" + ] + } +} +``` + +
+ +
+ +Bicep format + +```bicep +networkManagerScopes: { + subscriptions: [ + '/subscriptions/' + ] + managementGroups: [ + '/providers/Microsoft.Management/managementGroups/[[managementGroupId]]' + ] +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 3a1164faca..21c5a261c0 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep 
@@ -34,16 +34,16 @@ param networkManagerScopeAccesses array @sys.description('Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.') param networkManagerScopes object -@sys.description('Conditional. Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters.') +@sys.description('Conditional. Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.') param networkGroups array = [] @sys.description('Optional. Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations.') param connectivityConfigurations array = [] -@sys.description('Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant.') +@sys.description('Optional. 
Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.') param scopeConnections array = [] -@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager.') +@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.') param securityAdminConfigurations array = [] @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') From 74652e5dc06828defedfdd4e0b6ac05600e83a85 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 22:25:49 +0200 Subject: [PATCH 04/20] network manager --- modules/network/network-manager/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 36084eee32..5d0079d172 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md 
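Review bot: The new `networkGroups` description (the first `+` line of this hunk) has two grammar slips that every consumer of the parameter will read: `A network group is global container` should be `A network group is a global container`, and `The two types are group memberships are static and dynamic memberships` should be `The two types of group membership are static and dynamic`. The same sentence appears verbatim in the README table row added in the `@@ -40,7 +41,7 @@` hunk of this patch, presumably because the README is generated from these descriptions, so fixing it here should cover both. As a point of style, the added descriptions for `networkGroups` and `securityAdminConfigurations` now carry several sentences of conceptual background inside `@sys.description`; keeping the decorator to the parameter's contract (what it accepts and when it is required) and leaving the background in the README `## Notes` section that this patch series introduces would keep the generated parameter table readable.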
@@ -71,10 +71,6 @@ This module deploys a Network Manager. _None_ -## Considerations - -In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). - ## Deployment examples The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. @@ -530,6 +526,10 @@ module networkManager './network/network-manager/main.bicep' = { ## Notes +### Considerations + +In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). + ### Parameter Usage: `networkManagerScopes` Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. From f0eaa1c66ec24ff9e4572e318c7704055ea44897 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Thu, 12 Oct 2023 22:26:46 +0200 Subject: [PATCH 05/20] NIC --- modules/network/network-interface/README.md | 224 +++++++++----------- 1 file changed, 102 insertions(+), 122 deletions(-) diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 24748b8d68..ab8a22386d 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md 
@@ -51,128 +51,6 @@ This module deploys a Network Interface.
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags of the resource. |
-
-### Parameter Usage: `ipConfigurations`
-
-The IP configurations to apply to the network interface.
-
-```json
-{
- "name": "ipconfig01",
- "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001",
- "loadBalancerBackendAddressPools": [
- {
- "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/loadBalancers/adp-[[namePrefix]]-az-lb-internal-001/backendAddressPools/servers"
- }
- ],
- "applicationSecurityGroups": [
- {
- "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/applicationSecurityGroups/adp-[[namePrefix]]-az-asg-x-001"
- }
- ]
-}
-```
-
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -398,3 +276,105 @@ module networkInterface './network/network-interface/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From bfeaf9e005627194de64ff77eb6434db6714c3f3 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 22:34:34 +0200
Subject: [PATCH 06/20] LB
---
 modules/network/load-balancer/README.md | 576 ++++++++----------------
 1 file changed, 179 insertions(+), 397 deletions(-)
diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md
index 0f720fc744..493d0397fd 100644
--- a/modules/network/load-balancer/README.md
+++ b/modules/network/load-balancer/README.md
@@ -52,403 +52,6 @@ This module deploys a Load Balancer.
 | `skuName` | string | `'Standard'` | `[Basic, Standard]` | Name of a load balancer SKU. |
 | `tags` | object | `{object}` | | Tags of the resource. |
-
-### Parameter Usage: `frontendIPConfigurations`
-
-

- -Parameter JSON format - -```json -"frontendIPConfigurations": { - "value": [ - { - "name": "p_hub-bfw-server-feip", - "properties": { - "publicIPAddressId": "[reference(variables('deploymentPIP-VPN')).outputs.publicIPAddressResourceId.value]", - "subnetId": "", - "privateIPAddress": "" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -frontendIPConfigurations: [ - { - name: 'p_hub-bfw-server-feip' - properties: { - publicIPAddressId: '[reference(variables('deploymentPIP-VPN')).outputs.publicIPAddressResourceId.value]' - subnetId: '' - privateIPAddress: '' - } - } -] -``` - -
-

- -### Parameter Usage: `backendAddressPools` - -

- -Parameter JSON format - -```json -"backendAddressPools": { - "value": [ - { - "name": "p_hub-bfw-server-bepool", - "properties": { - "loadBalancerBackendAddresses": [ - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.5" - } - }, - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.6" - } - } - ] - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backendAddressPools: [ - { - name: 'p_hub-bfw-server-bepool' - properties: { - loadBalancerBackendAddresses: [ - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.5' - } - } - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.6' - } - } - ] - } - } -] -``` - -
-

- -### Parameter Usage: `loadBalancingRules` - -

- -Parameter JSON format - -```json -"loadBalancingRules": { - "value": [ - { - "name": "p_hub-bfw-server-IPSEC-IKE-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 500, - "backendPort": 500, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-IPSEC-NATT-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 4500, - "backendPort": 4500, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-TINA-UDP-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 691, - "backendPort": 691, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-TINA-TCP-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Tcp", - "frontendPort": 691, - "backendPort": 691, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -loadBalancingRules: [ - { - name: 'p_hub-bfw-server-IPSEC-IKE-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 500 - backendPort: 500 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-IPSEC-NATT-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 4500 - backendPort: 4500 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-TINA-UDP-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 691 - backendPort: 691 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-TINA-TCP-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Tcp' - frontendPort: 691 - backendPort: 691 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } -] -``` - -
-

- -### Parameter Usage: `probes` - -

- -Parameter JSON format - -```json -"probes": { - "value": [ - { - "name": "p_hub-bfw-server-tcp-65001-probe", - "properties": { - "protocol": "Tcp", - "port": 65001, - "intervalInSeconds": 5, - "numberOfProbes": 2 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -probes: [ - { - name: 'p_hub-bfw-server-tcp-65001-probe' - properties: { - protocol: 'Tcp' - port: 65001 - intervalInSeconds: 5 - numberOfProbes: 2 - } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1012,3 +615,182 @@ module loadBalancer './network/load-balancer/main.bicep' = {

+ +## Notes + +### Parameter Usage: `backendAddressPools` + +

+ +Parameter JSON format + +```json +"backendAddressPools": { + "value": [ + { + "name": "p_hub-bfw-server-bepool", + "properties": { + "loadBalancerBackendAddresses": [ + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.5" + } + }, + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.6" + } + } + ] + } + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +backendAddressPools: [ + { + name: 'p_hub-bfw-server-bepool' + properties: { + loadBalancerBackendAddresses: [ + { + name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal' + properties: { + virtualNetwork: { + id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' + } + ipAddress: '172.22.232.5' + } + } + { + name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal' + properties: { + virtualNetwork: { + id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' + } + ipAddress: '172.22.232.6' + } + } + ] + } + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From ba4793a16a1fdd7d443c5d077b922cbb8123f350 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 22:36:06 +0200
Subject: [PATCH 07/20] dns resolver
---
 modules/network/dns-resolver/README.md | 237 ++++++++-----------------
 1 file changed, 78 insertions(+), 159 deletions(-)
diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md
index 183db3d0ee..7c6b337f5f 100644
--- a/modules/network/dns-resolver/README.md
+++ b/modules/network/dns-resolver/README.md
@@ -41,89 +41,117 @@ This module deploys a DNS Resolver.
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags of the resource. |
+## Outputs
-### Parameter Usage: `inboundEndpoints`
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the Private DNS Resolver. |
+| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. |
+| `resourceId` | string | The resource ID of the Private DNS Resolver. |
-Create a inbound endpoint for Azure DNS Private Resolver
+## Cross-referenced modules
-

+_None_ -Parameter JSON format +## Deployment examples -```json - "inboundEndpoints": { - "value": [ - { - "name": "[[namePrefix]]-az-pdnsin-x-001", - "subnetId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001" - } - ] - }, -``` +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -
+ >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

-Bicep format +via Bicep module ```bicep -inboundEndpoints: [ - { - name: '[[namePrefix]]-az-pdnsin-x-001' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001' - } - { - name: '[[namePrefix]]-az-pdnsin-x-002' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-002' +module dnsResolver './network/dns-resolver/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ndrcom' + params: { + // Required parameters + name: 'ndrcom001' + virtualNetworkId: '' + // Non-required parameters + enableDefaultTelemetry: '' + inboundEndpoints: [ + { + name: 'az-pdnsin-x-001' + subnetId: '' + } + ] + outboundEndpoints: [ + { + name: 'az-pdnsout-x-001' + subnetId: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } -] + } +} ```

-### Parameter Usage: `outboundEndpoints` - -Create a inbound endpoint for Azure DNS Private Resolver -

-Parameter JSON format +via JSON Parameter file ```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndrcom001" + }, + "virtualNetworkId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "inboundEndpoints": { + "value": [ + { + "name": "az-pdnsin-x-001", + "subnetId": "" + } + ] + }, "outboundEndpoints": { "value": [ { - "name": "[[namePrefix]]-az-pdnsout-x-001", - "subnetId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001" + "name": "az-pdnsout-x-001", + "subnetId": "" } ] }, -``` - -
- -
- -Bicep format - -```bicep -outboundEndpoints: [ - { - name: '[[namePrefix]]-az-pdnsout-x-001' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001' - } - { - name: '[[namePrefix]]-az-pdnsout-x-002' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-002' + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } -] + } +} ```

+## Notes + ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -223,112 +251,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Private DNS Resolver. | -| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | -| `resourceId` | string | The resource ID of the Private DNS Resolver. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module dnsResolver './network/dns-resolver/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ndrcom' - params: { - // Required parameters - name: 'ndrcom001' - virtualNetworkId: '' - // Non-required parameters - enableDefaultTelemetry: '' - inboundEndpoints: [ - { - name: 'az-pdnsin-x-001' - subnetId: '' - } - ] - outboundEndpoints: [ - { - name: 'az-pdnsout-x-001' - subnetId: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndrcom001" - }, - "virtualNetworkId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "inboundEndpoints": { - "value": [ - { - "name": "az-pdnsin-x-001", - "subnetId": "" - } - ] - }, - "outboundEndpoints": { - "value": [ - { - "name": "az-pdnsout-x-001", - "subnetId": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

From 0e66154d6afb850454385d90435fba9a8561a6a5 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 22:38:09 +0200
Subject: [PATCH 08/20] connection
---
 modules/network/connection/README.md | 227 ++++++++++-----------------
 1 file changed, 83 insertions(+), 144 deletions(-)
diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md
index ce27fefeab..7b22a9bbf6 100644
--- a/modules/network/connection/README.md
+++ b/modules/network/connection/README.md
@@ -51,69 +51,117 @@ This module deploys a Virtual Network Gateway Connection.
 | `virtualNetworkGateway2` | object | `{object}` | | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. |
 | `vpnSharedKey` | securestring | `''` | | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. |
+## Outputs
-### Parameter Usage: `virtualNetworkGateway1`
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the remote connection. |
+| `resourceGroupName` | string | The resource group the remote connection was deployed into. |
+| `resourceId` | string | The resource ID of the remote connection. |
-The primary virtual network gateway object.
+## Cross-referenced modules
-

+_None_ -Parameter JSON format +## Deployment examples -```json -"virtualNetworkGateway1": { - "value": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway01" - } -} -``` +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -
+ >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Vnet2vnet

-Bicep format +via Bicep module ```bicep -virtualNetworkGateway1: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway01' +module connection './network/connection/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ncvtv' + params: { + // Required parameters + name: 'ncvtv001' + virtualNetworkGateway1: { + id: '' + } + // Non-required parameters + connectionType: 'Vnet2Vnet' + enableBgp: false + enableDefaultTelemetry: '' + lock: 'CanNotDelete' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + virtualNetworkGateway2: { + id: '' + } + vpnSharedKey: '' + } } ```

-### Parameter Usage: `virtualNetworkGateway2` - -The secondary virtual network gateway used for VNET to VNET connections. -

-Parameter JSON format +via JSON Parameter file ```json -"virtualNetworkGateway2" : { - "value": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway02" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ncvtv001" + }, + "virtualNetworkGateway1": { + "value": { + "id": "" + } + }, + // Non-required parameters + "connectionType": { + "value": "Vnet2Vnet" + }, + "enableBgp": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "virtualNetworkGateway2": { + "value": { + "id": "" + } + }, + "vpnSharedKey": { + "value": "" } -} -``` - -
- -
- -Bicep format - -```bicep -virtualNetworkGateway2 : { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway02' + } } ```

+## Notes + ### Parameter Usage: `localNetworkGateway2` The local virtual network gateway object. @@ -302,112 +350,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remote connection. | -| `resourceGroupName` | string | The resource group the remote connection was deployed into. | -| `resourceId` | string | The resource ID of the remote connection. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Vnet2vnet

- -
- -via Bicep module - -```bicep -module connection './network/connection/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ncvtv' - params: { - // Required parameters - name: 'ncvtv001' - virtualNetworkGateway1: { - id: '' - } - // Non-required parameters - connectionType: 'Vnet2Vnet' - enableBgp: false - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualNetworkGateway2: { - id: '' - } - vpnSharedKey: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ncvtv001" - }, - "virtualNetworkGateway1": { - "value": { - "id": "" - } - }, - // Non-required parameters - "connectionType": { - "value": "Vnet2Vnet" - }, - "enableBgp": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualNetworkGateway2": { - "value": { - "id": "" - } - }, - "vpnSharedKey": { - "value": "" - } - } -} -``` - -
-

From d0ab3d4516fb6366213220378860b0c0e6381257 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 23:55:53 +0200
Subject: [PATCH 09/20] Bastion Host
---
 modules/network/bastion-host/README.md | 324 ++++++++-----------------
 1 file changed, 102 insertions(+), 222 deletions(-)
diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md
index f98ebf07f8..cc49c4e195 100644
--- a/modules/network/bastion-host/README.md
+++ b/modules/network/bastion-host/README.md
@@ -55,228 +55,6 @@ This module deploys a Bastion Host.
 | `skuName` | string | `'Basic'` | `[Basic, Standard]` | The SKU of this Bastion Host. |
 | `tags` | object | `{object}` | | Tags of the resource. |
-
-### Parameter Usage: `additionalPublicIpConfigurations`
-
-Create additional public ip configurations from existing public ips
-
-

- -Parameter JSON format - -```json -"additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01" - }, - { - "name": "ipConfig02", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01' - } - { - name: 'ipConfig02' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02' - } -] -``` - -
- - -### Parameter Usage: `publicIPAddressObject` - -The Public IP Address object to create as part of the module. This will be created if `isCreateDefaultPublicIP` is true (which it is by default). If not provided, the name and other configurations will be set by default. - - -
- -Parameter JSON format - -```json -"publicIPAddressObject": { - "value": { - "name": "adp-[[namePrefix]]-az-pip-custom-x-fw", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } -} -``` - -
- - - -
- -Bicep format - - -```bicep -publicIPAddressObject: { - name: 'mypip' - publicIPPrefixResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPPrefixes/myprefix' - publicIPAllocationMethod: 'Dynamic' - skuName: 'Basic' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] -} -``` - -
- - - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -
- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
@@ -600,3 +378,105 @@ module bastionHost './network/bastion-host/main.bicep' = {

+ +## Notes + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

From a7fc79d9549b1e43f1126019d18482be2a3a6fb4 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 23:58:18 +0200
Subject: [PATCH 10/20] Firewall
---
 modules/network/azure-firewall/README.md | 327 +++++++----------------
 1 file changed, 102 insertions(+), 225 deletions(-)
diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md
index 76a8aec9bb..11b460b154 100644
--- a/modules/network/azure-firewall/README.md
+++ b/modules/network/azure-firewall/README.md
@@ -67,227 +67,6 @@ This module deploys an Azure Firewall.
 | `threatIntelMode` | string | `'Deny'` | `[Alert, Deny, Off]` | The operation mode for Threat Intel. |
 | `zones` | array | `[1, 2, 3]` | | Zone numbers e.g. 1,2,3. |
-
-### Parameter Usage: `additionalPublicIpConfigurations`
-
-Create additional public ip configurations from existing public ips
-

- -Parameter JSON format - -```json -"additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01" - }, - { - "name": "ipConfig02", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01' - } - { - name: 'ipConfig02' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02' - } -] -``` - -
- - -### Parameter Usage: `publicIPAddressObject` - -The Public IP Address object to create as part of the module. This will be created if `isCreateDefaultPublicIP` is true (which it is by default). If not provided, the name and other configurations will be set by default. - - -
- -Parameter JSON format - -```json -"publicIPAddressObject": { - "value": { - "name": "adp-[[namePrefix]]-az-pip-custom-x-fw", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } -} -``` - -
- - - -
- -Bicep format - - -```bicep -publicIPAddressObject: { - name: 'mypip' - publicIPPrefixResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPPrefixes/myprefix' - publicIPAllocationMethod: 'Dynamic' - skuName: 'Basic' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] -} -``` - -
- - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
@@ -302,10 +81,6 @@ tags: {
 | `resourceGroupName` | string | The resource group the Azure firewall was deployed into. |
 | `resourceId` | string | The resource ID of the Azure Firewall. |
-## Considerations
-
-The `applicationRuleCollections` parameter accepts a JSON Array of AzureFirewallApplicationRule objects.
-The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetworkRuleCollection objects.
 ## Cross-referenced modules
@@ -1007,3 +782,105 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From 859ee848571c12b0279b69fb202679cfef99cf40 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Thu, 12 Oct 2023 23:59:56 +0200
Subject: [PATCH 11/20] MgmtGroup
---
 modules/management/management-group/README.md | 157 +++++++++---------
 1 file changed, 79 insertions(+), 78 deletions(-)
diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md
index 998c5b341b..3419ce58b4 100644
--- a/modules/management/management-group/README.md
+++ b/modules/management/management-group/README.md
@@ -38,66 +38,6 @@ This module has some known **limitations**:
 | `location` | string | `[deployment().location]` | Location deployment metadata. |
 | `parentId` | string | `[last(split(managementGroup().id, '/'))]` | The management group parent ID. Defaults to current scope. |
-
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
@@ -105,24 +45,6 @@ roleAssignments: [
 | `name` | string | The name of the management group. |
 | `resourceId` | string | The resource ID of the management group. |
-## Considerations
-
-This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access)
-
-If owner access is excessive, the following rights roles will grant enough rights:
-
-- **Automation Job Operator** at **tenant** level (scope '/')
-- **Management Group Contributor** at the top management group that needs to be managed
-
-Consider using the following script:
-
-```powershell
-$PrincipalID = ""
-$TopMGID = ""
-New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"
-New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"
-```
-
 ## Cross-referenced modules
 _None_
@@ -231,3 +153,82 @@ module managementGroup './management/management-group/main.bicep' = {

+
+## Notes
+
+### Considerations
+
+This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access)
+
+If owner access is excessive, the following rights roles will grant enough rights:
+
+- **Automation Job Operator** at **tenant** level (scope '/')
+- **Management Group Contributor** at the top management group that needs to be managed
+
+Consider using the following script:
+
+```powershell
+$PrincipalID = ""
+$TopMGID = ""
+New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"
+New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"
+```
+
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

From 63c34be20f1f4564c95a4df0fe8de73fc9328933 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 00:04:42 +0200
Subject: [PATCH 12/20] Lighthouse
---
 .../registration-definition/README.md | 158 +++++-------------
 1 file changed, 42 insertions(+), 116 deletions(-)
diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md
index ce0bce2b75..7851b5d696 100644
--- a/modules/managed-services/registration-definition/README.md
+++ b/modules/managed-services/registration-definition/README.md
@@ -41,74 +41,6 @@ remote/managing tenant.
 | `location` | string | `[deployment().location]` | Location deployment metadata. |
 | `resourceGroupName` | string | `''` | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. |
-
-### Parameter Usage: `authorizations`
-
-| Parameter Name | Type | Default Value | Possible values | Description |
-| :----------------------- | :----- | :------------ | :-------------- | :------------------------------------------------------------------------------------------ |
-| `principalId` | string | | GUID | Required. The object ID of the principal in the managing tenant to delegate permissions to. |
-| `principalIdDisplayName` | string | `principalId` | | Optional. A display name of the principal that is delegated permissions to. |
-| `roleDefinitionId` | string | | GUID | Required. The role definition ID to delegate to the principal in the managing tenant. |
-

- -Parameter JSON format - -```json -"authorizations": { - "value": [ - // Delegates 'Reader' to a group in managing tenant (managedByTenantId) - { - "principalId": "9d949eef-00d5-45d9-8586-56be91a13398", - "principalIdDisplayName": "Reader-Group", - "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" - }, - // Delegates 'Contributor' to a group in managing tenant (managedByTenantId) - { - "principalId": "06eb144f-1a10-4935-881b-757efd1d0b58", - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - // Delegates 'Managed Services Registration assignment Delete Role' to a group in managing tenant (managedByTenantId) - { - "principalId": "9cd792b0-dc7c-4551-84f8-dd87388030fb", - "principalIdDisplayName": "LighthouseManagement-Group", - "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -authorizations: [ - // Delegates 'Reader' to a group in managing tenant (managedByTenantId) - { - principalId: '9d949eef-00d5-45d9-8586-56be91a13398' - principalIdDisplayName: 'Reader-Group' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - // Delegates 'Contributor' to a group in managing tenant (managedByTenantId) - { - principalId: '06eb144f-1a10-4935-881b-757efd1d0b58' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - // Delegates 'Managed Services Registration assignment Delete Role' to a group in managing tenant (managedByTenantId) - { - principalId: '9cd792b0-dc7c-4551-84f8-dd87388030fb' - principalIdDisplayName: 'LighthouseManagement-Group' - roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } -] -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
@@ -118,54 +50,6 @@ authorizations: [ | `resourceId` | string | The resource ID of the registration definition. | | `subscriptionName` | string | The subscription the registration definition was deployed into. | -## Considerations - -This module can be deployed both at subscription and resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. - -### Permissions required to create delegations - -This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, -such as [`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). - -If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. - -**More info on this topic:** - - -### Permissions required to remove delegations - -#### From customer side - -Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as -[`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider -access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers -page of the Azure portal and delete the delegation. 
- -#### From managing tenant side - -Users in a managing tenant can remove access to delegated resources if they were granted the -[`Managed Services Registration Assignment Delete Role`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) -for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be -removed by a user in the customer's tenant. - -**More info on this topic:** - - -### Limitations with Lighthouse and resource delegation - -There are a couple of limitations that you should be aware of with Lighthouse: - -- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365. -- Only supports delegation of control plane permissions. Excludes data plane access. -- Only supports subscription and resource group scopes. Excludes tenant and management group delegations. -- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles. - -**More info on this topic:** - - ## Cross-referenced modules _None_ @@ -358,3 +242,45 @@ module registrationDefinition './managed-services/registration-definition/main.b

+ +## Notes + +### Considerations + +This module can be deployed both at subscription and resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. + +#### Permissions required to create delegations + +This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, +such as [`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). + +If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. + + +#### Permissions required to remove delegations + +##### From customer side + +Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as +[`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider +access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers +page of the Azure portal and delete the delegation. + +##### From managing tenant side + +Users in a managing tenant can remove access to delegated resources if they were granted the +[`Managed Services Registration Assignment Delete Role`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) +for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be +removed by a user in the customer's tenant. 
+
+#### Limitations with Lighthouse and resource delegation
+
+There are a couple of limitations that you should be aware of with Lighthouse:
+
+- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365.
+- Only supports delegation of control plane permissions. Excludes data plane access.
+- Only supports subscription and resource group scopes. Excludes tenant and management group delegations.
+- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles.
From 68d8c486e7793ee3f7d793fe2e008423911a3764 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 00:06:01 +0200
Subject: [PATCH 13/20] Maintenance Config
---
.../maintenance-configuration/README.md | 239 ++++++++----------
1 file changed, 102 insertions(+), 137 deletions(-)
diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md
index 0b52632072..1e5b966185 100644
--- a/modules/maintenance/maintenance-configuration/README.md
+++ b/modules/maintenance/maintenance-configuration/README.md
@@ -42,143 +42,6 @@ This module deploys a Maintenance Configuration.
 | `tags` | object | `{object}` | | Gets or sets tags of the resource. |
 | `visibility` | string | `''` | `['', Custom, Public]` | Gets or sets the visibility of the configuration. The default value is 'Custom'. |
-
-### Parameter Usage: `maintenanceWindow`
-
-

- -Parameter JSON format - -```JSON -"maintenanceWindow": { - "value": { - "duration": "05:00", - "expirationDateTime": "9999-12-31 23:59:59", - "recurEvery": "Day", - "startDateTime": "2022-12-31 13:00", - "timeZone": "W. Europe Standard Time" - } -} -``` - -
- -
- -Bicep format - -```bicep -maintenanceWindow: { - duration: '05:00' - expirationDateTime: '9999-12-31 23:59:59' - recurEvery: 'Day' - startDateTime: '2022-12-31 13:00' - timeZone: 'W. Europe Standard Time' -} -``` - -
- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -390,3 +253,105 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From b32efb89a3534158fa594199a2404cf3e60a95d7 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 00:13:34 +0200
Subject: [PATCH 14/20] ML
---
.../workspace/compute/README.md | 55 ++++---------
.../workspace/compute/main.bicep | 2 +-
.../workspace/compute/main.json | 4 +-
3 files changed, 15 insertions(+), 46 deletions(-)
diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md
index d9f5d29a21..cf1efd3785 100644
--- a/modules/machine-learning-services/workspace/compute/README.md
+++ b/modules/machine-learning-services/workspace/compute/README.md
@@ -37,7 +37,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `computeLocation` | string | `[resourceGroup().location]` | | Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| `deployCompute` | bool | `True` | | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | +| `deployCompute` | bool | `True` | | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | | `description` | string | `''` | | The description of the Machine Learning compute. | | `disableLocalAuth` | bool | `False` | | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | @@ -49,38 +49,21 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | `tags` | object | `{object}` | | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | +## Outputs -### Parameter Usage: `properties` - -Properties for the compute resource to create. -Will be ignored in case a resource ID is provided. - -

- -Parameter JSON format - -```json -"properties": { - "value": { - // See https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep#compute for the properties for the difference compute types - } -} -``` - -
- -
+| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the compute. | +| `resourceGroupName` | string | The resource group the compute was deployed into. | +| `resourceId` | string | The resource ID of the compute. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID. | -Bicep format +## Cross-referenced modules -```bicep -properties: { - // See https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep#compute for the properties for the difference compute types -} -``` +_None_ -
-

+## Notes ### Parameter Usage: `tags` @@ -155,17 +138,3 @@ userAssignedIdentities: {

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the compute. |
-| `resourceGroupName` | string | The resource group the compute was deployed into. |
-| `resourceId` | string | The resource ID of the compute. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep
index c28eeab57e..9d401399fa 100644
--- a/modules/machine-learning-services/workspace/compute/main.bicep
+++ b/modules/machine-learning-services/workspace/compute/main.bicep
@@ -31,7 +31,7 @@ param sku string = ''
 @sys.description('Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
 param tags object = {}
-@sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.')
+@sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.')
 param deployCompute bool = true
 @sys.description('Optional. Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json
index 6a6d90b340..aaab4e1d50 100644
--- a/modules/machine-learning-services/workspace/compute/main.json
+++ b/modules/machine-learning-services/workspace/compute/main.json
@@ -58,7 +58,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists."
+ "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists."
 }
 },
 "computeLocation": {
@@ -204,4 +204,4 @@
 "value": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').location]"
 }
 }
-}
\ No newline at end of file
+}
From 90e385e8ad5dd28b174239f8aef3a1c81d41efb9 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 00:24:41 +0200
Subject: [PATCH 15/20] LA
---
.../workspace/README.md | 1259 +++++++++--------
1 file changed, 630 insertions(+), 629 deletions(-)
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 97b9351d56..79e00016fc 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -74,462 +74,313 @@ This module deploys a Machine Learning Services Workspace. | `sharedPrivateLinkResources` | array | `[]` | | The list of shared private link resources in this workspace. | | `tags` | object | `{object}` | | Resource tags. | +## Outputs -### Parameter Usage: `computes` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the machine learning service. | +| `principalId` | string | The principal ID of the system assigned identity. | +| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | +| `resourceId` | string | The resource ID of the machine learning service. | -Array to specify the compute resources to create respectively attach. -In case you provide a resource ID, it will attach the resource and ignore "properties". In this case "computeLocation", "sku", "systemAssignedIdentity", "userAssignedIdentities" as well as "tags" don't need to be provided respectively are being ignored. -Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML. I.e. for the first run set "deploy" to true, and after successful deployment to false. -For more information see https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep +## Cross-referenced modules -

+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -Parameter JSON format +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -```json -"computes": { - "value": [ - // Attach existing resources - { - "name": "DefaultAKS", - "location": "westeurope", - "description": "Default AKS Cluster", - "disableLocalAuth": false, - "deployCompute": true, - "computeType": "AKS", - "resourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx" - }, - // Create new compute resource - { - "name": "DefaultCPU", - "location": "westeurope", - "computeLocation": "westeurope", - "sku": "Basic", - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {} - }, - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "computeType": "AmlCompute", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - } - } - ] -} -``` +## Deployment examples -
+The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

-Bicep format +via Bicep module ```bicep -computes: [ - // Attach existing resources - { - name: 'DefaultAKS' - location: 'westeurope' - description: 'Default AKS Cluster' +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswcom' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswcom001' + sku: 'Premium' + // Non-required parameters + computes: [ + { + computeLocation: 'westeurope' + computeType: 'AmlCompute' + description: 'Default CPU Cluster' disableLocalAuth: false - deployCompute: true - computeType: 'AKS' - resourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx' - } - // Create new compute resource - { - name: 'DefaultCPU' location: 'westeurope' - computeLocation: 'westeurope' + name: 'DefaultCPU' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } sku: 'Basic' - systemAssignedIdentity: true + systemAssignedIdentity: false userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} + '': {} } - description: 'Default CPU Cluster' - disableLocalAuth: false - computeType: 'AmlCompute' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' + } + ] + description: 'The cake is a lie.' 
+ diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + discoveryUrl: 'http://example.com' + enableDefaultTelemetry: '' + imageBuildCompute: 'testcompute' + lock: 'CanNotDelete' + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" + service: 'amlworkspace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } + } ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleAssignments: [ + { principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 + '' ] principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: false + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" + userAssignedIdentities: { + '': {} } + } } ```
+

-Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format +via JSON Parameter file ```json -"privateEndpoints": { - "value": [ - // Example showing all available fields +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswcom001" + }, + "sku": { + "value": "Premium" + }, + // Non-required parameters + "computes": { + "value": [ { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] + "computeLocation": "westeurope", + "computeType": "AmlCompute", + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "location": "westeurope", + "name": "DefaultCPU", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + }, + "sku": "Basic", + "systemAssignedIdentity": false, + "userAssignedIdentities": { + "": {} + } + } + ] + }, + "description": { + "value": "The cake is a lie." 
+ }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "discoveryUrl": { + "value": "http://example.com" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageBuildCompute": { + "value": "testcompute" + }, + "lock": { + "value": "CanNotDelete" + }, + "primaryUserAssignedIdentity": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" ] - }, - // Example showing only mandatory fields + }, + "service": "amlworkspace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" } - ] + ] + }, + "systemAssignedIdentity": { + "value": false + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } } ```
+

+ +

Example 2: Encr

-Bicep format +via Bicep module ```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswecr' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswecr001' + sku: 'Basic' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' + enableDefaultTelemetry: '' + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] + privateDNSResourceIds: [ + '' + ] } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] + service: 'amlworkspace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + systemAssignedIdentity: false + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob + userAssignedIdentities: { + '': {} } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the machine learning service. | -| `principalId` | string | The principal ID of the system assigned identity. | -| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | -| `resourceId` | string | The resource ID of the machine learning service. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswcom' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswcom001' - sku: 'Premium' - // Non-required parameters - computes: [ - { - computeLocation: 'westeurope' - computeType: 'AmlCompute' - description: 'Default CPU Cluster' - disableLocalAuth: false - location: 'westeurope' - name: 'DefaultCPU' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' - } - sku: 'Basic' - systemAssignedIdentity: false - userAssignedIdentities: { - '': {} - } - } - ] - description: 'The cake is a lie.' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - discoveryUrl: 'http://example.com' - enableDefaultTelemetry: '' - imageBuildCompute: 'testcompute' - lock: 'CanNotDelete' - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - systemAssignedIdentity: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - } -} + } +} ```
@@ -555,69 +406,24 @@ module workspace './machine-learning-services/workspace/main.bicep' = { "value": "" }, "name": { - "value": "mlswcom001" + "value": "mlswecr001" }, "sku": { - "value": "Premium" + "value": "Basic" }, // Non-required parameters - "computes": { - "value": [ - { - "computeLocation": "westeurope", - "computeType": "AmlCompute", - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "location": "westeurope", - "name": "DefaultCPU", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - }, - "sku": "Basic", - "systemAssignedIdentity": false, - "userAssignedIdentities": { - "": {} - } - } - ] - }, - "description": { - "value": "The cake is a lie." - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" + "cMKKeyName": { + "value": "" }, - "diagnosticWorkspaceId": { - "value": "" + "cMKKeyVaultResourceId": { + "value": "" }, - "discoveryUrl": { - "value": "http://example.com" + "cMKUserAssignedIdentityResourceId": { + "value": "" }, "enableDefaultTelemetry": { "value": "" }, - "imageBuildCompute": { - "value": "testcompute" - }, - "lock": { - "value": "CanNotDelete" - }, "primaryUserAssignedIdentity": { "value": "" }, @@ -639,17 +445,6 @@ module workspace './machine-learning-services/workspace/main.bicep' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "systemAssignedIdentity": { "value": false }, @@ -672,200 +467,406 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

-

Example 2: Encr

+

Example 3: Min

+ +
+ +via Bicep module + +```bicep +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswmin' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswmin001' + sku: 'Basic' + // Non-required parameters + enableDefaultTelemetry: '' + systemAssignedIdentity: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswmin001" + }, + "sku": { + "value": "Basic" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "systemAssignedIdentity": { + "value": true + } + } +} +``` + +
+

+ +## Notes + +### Parameter Usage: `computes` + +Array to specify the compute resources to create respectively attach. +In case you provide a resource ID, it will attach the resource and ignore "properties". In this case "computeLocation", "sku", "systemAssignedIdentity", "userAssignedIdentities" as well as "tags" don't need to be provided respectively are being ignored. +Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML. I.e. for the first run set "deploy" to true, and after successful deployment to false. +For more information see https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep + +

+ +Parameter JSON format + +```json +"computes": { + "value": [ + // Attach existing resources + { + "name": "DefaultAKS", + "location": "westeurope", + "description": "Default AKS Cluster", + "disableLocalAuth": false, + "deployCompute": true, + "computeType": "AKS", + "resourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx" + }, + // Create new compute resource + { + "name": "DefaultCPU", + "location": "westeurope", + "computeLocation": "westeurope", + "sku": "Basic", + "systemAssignedIdentity": true, + "userAssignedIdentities": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {} + }, + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "computeType": "AmlCompute", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" + }, + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + } + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +computes: [ + // Attach existing resources + { + name: 'DefaultAKS' + location: 'westeurope' + description: 'Default AKS Cluster' + disableLocalAuth: false + deployCompute: true + computeType: 'AKS' + resourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx' + } + // Create new compute resource + { + name: 'DefaultCPU' + location: 'westeurope' + computeLocation: 'westeurope' + sku: 'Basic' + systemAssignedIdentity: true + userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} + } + description: 'Default CPU Cluster' + disableLocalAuth: false + computeType: 'AmlCompute' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.

-via Bicep module +Parameter JSON format -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswecr' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswecr001' - sku: 'Basic' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' - enableDefaultTelemetry: '' - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob } - } ] - systemAssignedIdentity: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswecr001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net ] - }, - "service": "amlworkspace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } - ] - }, - "systemAssignedIdentity": { - "value": false - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "userAssignedIdentities": { - "value": { - "": {} - } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] } - } -} + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] ```

-

Example 3: Min

+### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
-via Bicep module +Parameter JSON format -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmin' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmin001' - sku: 'Basic' - // Non-required parameters - enableDefaultTelemetry: '' - systemAssignedIdentity: true - } +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmin001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "systemAssignedIdentity": { - "value": true - } - } +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ``` From d9039fbcc1f3945181fc45edc10cd6124cbbb615 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Fri, 13 Oct 2023 00:33:32 +0200 Subject: [PATCH 16/20] kube --- .../extension/README.md | 38 +- .../flux-configuration/README.md | 38 +- modules/logic/workflow/README.md | 394 +++++++++--------- 3 files changed, 233 insertions(+), 237 deletions(-) diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index d5718433e2..70eb450f6a 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md 
@@ -11,24 +11,6 @@ This module deploys a Kubernetes Configuration Extension.
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
 
-## Prerequisites
-
-Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command:
-
-```powershell
-az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager
-```
-
-Registration of the following Azure service providers. (It's OK to re-register an existing provider.)
-
-```powershell
-az provider register --namespace Microsoft.Kubernetes
-az provider register --namespace Microsoft.ContainerService
-az provider register --namespace Microsoft.KubernetesConfiguration
-```
-
-For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2)
-
 ## Resource Types
 
 | Resource Type | API Version |
@@ -255,3 +237,23 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

+ +## Notes + +### Prerequisites + +Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: + +```powershell +az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager +``` + +Registration of the following Azure service providers. (It's OK to re-register an existing provider.) + +```powershell +az provider register --namespace Microsoft.Kubernetes +az provider register --namespace Microsoft.ContainerService +az provider register --namespace Microsoft.KubernetesConfiguration +``` + +For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index ab26af9c42..83455535ff 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -11,24 +11,6 @@ This module deploys a Kubernetes Configuration Flux Configuration. - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -## Prerequisites - -Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: - -```powershell -az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager -``` - -Registration of the following Azure service providers. (It's OK to re-register an existing provider.) - -```powershell -az provider register --namespace Microsoft.Kubernetes -az provider register --namespace Microsoft.ContainerService -az provider register --namespace Microsoft.KubernetesConfiguration -``` - -For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) - ## Resource Types | Resource Type | API Version | 
@@ -254,3 +236,23 @@ module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bic

+ +## Notes + +### Prerequisites + +Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: + +```powershell +az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager +``` + +Registration of the following Azure service providers. (It's OK to re-register an existing provider.) + +```powershell +az provider register --namespace Microsoft.Kubernetes +az provider register --namespace Microsoft.ContainerService +az provider register --namespace Microsoft.KubernetesConfiguration +``` + +For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 8b84f01653..cfea7a7528 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md 
@@ -61,6 +61,199 @@ This module deploys a Logic App (Workflow). | `workflowStaticResults` | object | `{object}` | | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | | `workflowTriggers` | object | `{object}` | | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the logic app. | +| `resourceGroupName` | string | The resource group the logic app was deployed into. | +| `resourceId` | string | The resource ID of the logic app. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module workflow './logic/workflow/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-lwcom' + params: { + // Required parameters + name: 'lwcom001' + // Non-required parameters + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + lock: 'CanNotDelete' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + workflowActions: { + HTTP: { + inputs: { + body: { + BeginPeakTime: '' + EndPeakTime: '' + HostPoolName: '' + LAWorkspaceName: '' + LimitSecondsToForceLogOffUser: '' + LogOffMessageBody: '' + LogOffMessageTitle: '' + MinimumNumberOfRDSH: 1 + ResourceGroupName: '' + SessionThresholdPerCPU: 1 + UtcOffset: '' + } + method: 'POST' + uri: 'https://testStringForValidation.com' + } + type: 'Http' + } + } + workflowTriggers: { + Recurrence: { + recurrence: { + frequency: 'Minute' + interval: 15 + } + type: 'Recurrence' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "lwcom001" + }, + // Non-required parameters + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "workflowActions": { + "value": { + "HTTP": { + "inputs": { + "body": { + "BeginPeakTime": "", + "EndPeakTime": "", + "HostPoolName": "", + "LAWorkspaceName": "", + "LimitSecondsToForceLogOffUser": "", + "LogOffMessageBody": "", + "LogOffMessageTitle": "", + "MinimumNumberOfRDSH": 1, + "ResourceGroupName": "", + "SessionThresholdPerCPU": 1, + "UtcOffset": "" + }, + "method": "POST", + "uri": "https://testStringForValidation.com" + }, + "type": "Http" + } + } + }, + "workflowTriggers": { + "value": { + "Recurrence": { + "recurrence": { + "frequency": "Minute", + "interval": 15 + }, + "type": "Recurrence" + } + } + } + } +} +``` + +
+

+ +## Notes ### Parameter Usage `AccessControlConfiguration` @@ -160,15 +353,6 @@ This module deploys a Logic App (Workflow).

-### Parameter Usage `workflow*` - -- To use the below parameters, see the following [documentation.](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-workflow-definition-language) - - `workflowActions` - - `workflowOutputs` - - `workflowParameters` - - `workflowStaticResults` - - `workflowTriggers` - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -301,195 +485,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the logic app. | -| `resourceGroupName` | string | The resource group the logic app was deployed into. | -| `resourceId` | string | The resource ID of the logic app. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module workflow './logic/workflow/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-lwcom' - params: { - // Required parameters - name: 'lwcom001' - // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - workflowActions: { - HTTP: { - inputs: { - body: { - BeginPeakTime: '' - EndPeakTime: '' - HostPoolName: '' - LAWorkspaceName: '' - LimitSecondsToForceLogOffUser: '' - LogOffMessageBody: '' - LogOffMessageTitle: '' - MinimumNumberOfRDSH: 1 - ResourceGroupName: '' - SessionThresholdPerCPU: 1 - UtcOffset: '' - } - method: 'POST' - uri: 'https://testStringForValidation.com' - } - type: 'Http' - } - } - workflowTriggers: { - Recurrence: { - recurrence: { - frequency: 'Minute' - interval: 15 - } - type: 'Recurrence' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "lwcom001" - }, - // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, - "workflowActions": { - "value": { - "HTTP": { - "inputs": { - "body": { - "BeginPeakTime": "", - "EndPeakTime": "", - "HostPoolName": "", - "LAWorkspaceName": "", - "LimitSecondsToForceLogOffUser": "", - "LogOffMessageBody": "", - "LogOffMessageTitle": "", - "MinimumNumberOfRDSH": 1, - "ResourceGroupName": "", - "SessionThresholdPerCPU": 1, - "UtcOffset": "" - }, - "method": "POST", - "uri": "https://testStringForValidation.com" - }, - "type": "Http" - } - } - }, - "workflowTriggers": { - "value": { - "Recurrence": { - "recurrence": { - "frequency": "Minute", - "interval": 15 - }, - "type": "Recurrence" - } - } - } - } -} -``` - -
-

From 0ac17b12681c2c2387a9b1a8accd3baaacd8ddd1 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 00:36:16 +0200
Subject: [PATCH 17/20] Secret

---
 modules/key-vault/vault/secret/README.md | 25 ++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md
index bb5b627773..d319f21780 100644
--- a/modules/key-vault/vault/secret/README.md
+++ b/modules/key-vault/vault/secret/README.md
@@ -43,6 +43,19 @@ This module deploys a Key Vault Secret.
 | `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | Resource tags. |
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the secret. |
+| `resourceGroupName` | string | The name of the resource group the secret was created in. |
+| `resourceId` | string | The resource ID of the secret. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
 ### Parameter Usage: `tags`
@@ -143,15 +156,3 @@ roleAssignments: [

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the secret. |
-| `resourceGroupName` | string | The name of the resource group the secret was created in. |
-| `resourceId` | string | The resource ID of the secret. |
-## Cross-referenced modules
-
-_None_
From d90b64349af4a114721bbeb4725874de04514dc2 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 14:42:58 +0200
Subject: [PATCH 18/20] kvlt

---
 .../key-vault/vault/access-policy/README.md | 60 -------------------
 modules/key-vault/vault/key/README.md | 26 ++++----
 2 files changed, 14 insertions(+), 72 deletions(-)

diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md
index 6adabd23d8..ee2626f58f 100644
--- a/modules/key-vault/vault/access-policy/README.md
+++ b/modules/key-vault/vault/access-policy/README.md
@@ -30,66 +30,6 @@ This module deploys a Key Vault Access Policy.
 | `accessPolicies` | array | `[]` | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. |
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-
-### Parameter Usage: `accessPolicies`
-

- -Parameter JSON format - -```json -"accessPolicies": { - "value": [ - { - "tenantId": null, // Optional - "applicationId": null, // Optional - "objectId": null, - "permissions": { - "certificates": [ - "All" - ], - "keys": [ - "All" - ], - "secrets": [ - "All" - ] - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -accessPolicies: [ - { - tenantId: null // Optional - applicationId: null // Optional - objectId: null - permissions: { - certificates: [ - 'All' - ] - keys: [ - 'All' - ] - secrets: [ - 'All' - ] - } - } -] -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md
index 8b892d702b..3ecf8de9f1 100644
--- a/modules/key-vault/vault/key/README.md
+++ b/modules/key-vault/vault/key/README.md
@@ -46,6 +46,20 @@ This module deploys a Key Vault Key.
 | `rotationPolicy` | object | `{object}` | | Key rotation policy properties object. |
 | `tags` | object | `{object}` | | Resource tags. |
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the key. |
+| `resourceGroupName` | string | The name of the resource group the key was created in. |
+| `resourceId` | string | The resource ID of the key. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
+
 ### Parameter Usage: `tags`
@@ -223,15 +237,3 @@ rotationPolicy: {

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the key. |
-| `resourceGroupName` | string | The name of the resource group the key was created in. |
-| `resourceId` | string | The resource ID of the key. |
-## Cross-referenced modules
-
-_None_
From f2be3a99ca98967330ab96f3324309129c150238 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 23:11:04 +0200
Subject: [PATCH 19/20] Regen readmes

---
 modules/key-vault/vault/access-policy/README.md | 1 +
 modules/key-vault/vault/key/README.md | 2 ++
 modules/key-vault/vault/secret/README.md | 2 ++
 modules/kubernetes-configuration/extension/README.md | 3 ++-
 modules/kubernetes-configuration/flux-configuration/README.md | 3 ++-
 modules/logic/workflow/README.md | 3 +++
 modules/machine-learning-services/workspace/README.md | 3 +++
 modules/machine-learning-services/workspace/compute/README.md | 2 ++
 modules/maintenance/maintenance-configuration/README.md | 3 +++
 modules/managed-services/registration-definition/README.md | 4 +++-
 modules/management/management-group/README.md | 4 +++-
 modules/network/azure-firewall/README.md | 4 +++-
 modules/network/bastion-host/README.md | 3 +++
 modules/network/connection/README.md | 3 +++
 modules/network/dns-resolver/README.md | 3 +++
 15 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md
index ee2626f58f..02445788a0 100644
--- a/modules/key-vault/vault/access-policy/README.md
+++ b/modules/key-vault/vault/access-policy/README.md
@@ -30,6 +30,7 @@ This module deploys a Key Vault Access Policy. | `accessPolicies` | array | `[]` | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | + ## Outputs | Output Name | Type | Description | diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index 3ecf8de9f1..b32023c755 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -8,6 +8,7 @@ This module deploys a Key Vault Key. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -46,6 +47,7 @@ This module deploys a Key Vault Key. | `rotationPolicy` | object | `{object}` | | Key rotation policy properties object. | | `tags` | object | `{object}` | | Resource tags. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index d319f21780..6ee8eaf639 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md @@ -8,6 +8,7 @@ This module deploys a Key Vault Secret. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types 
@@ -43,6 +44,7 @@ This module deploys a Key Vault Secret. | `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | Resource tags. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 70eb450f6a..996e27802e 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -4,12 +4,12 @@ This module deploys a Kubernetes Configuration Extension. ## Navigation -- [Prerequisites](#Prerequisites) - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -238,6 +238,7 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

+ ## Notes ### Prerequisites diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 83455535ff..dec2c843cf 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -4,12 +4,12 @@ This module deploys a Kubernetes Configuration Flux Configuration. ## Navigation -- [Prerequisites](#Prerequisites) - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -237,6 +237,7 @@ module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bic

+ ## Notes ### Prerequisites diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index cfea7a7528..5429ff8eab 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -9,6 +9,7 @@ This module deploys a Logic App (Workflow). - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -61,6 +62,7 @@ This module deploys a Logic App (Workflow). | `workflowStaticResults` | object | `{object}` | | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | | `workflowTriggers` | object | `{object}` | | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | + ## Outputs | Output Name | Type | Description | @@ -253,6 +255,7 @@ module workflow './logic/workflow/main.bicep' = {

+ ## Notes ### Parameter Usage `AccessControlConfiguration` diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 79e00016fc..7dcc69e3b8 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -9,6 +9,7 @@ This module deploys a Machine Learning Services Workspace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -74,6 +75,7 @@ This module deploys a Machine Learning Services Workspace. | `sharedPrivateLinkResources` | array | `[]` | | The list of shared private link resources in this workspace. | | `tags` | object | `{object}` | | Resource tags. | + ## Outputs | Output Name | Type | Description | @@ -532,6 +534,7 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

+ ## Notes ### Parameter Usage: `computes` diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index cf1efd3785..3cd9156a16 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md @@ -10,6 +10,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -49,6 +50,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | `tags` | object | `{object}` | | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | + ## Outputs | Output Name | Type | Description | diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 1e5b966185..7747774f22 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -9,6 +9,7 @@ This module deploys a Maintenance Configuration. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -42,6 +43,7 @@ This module deploys a Maintenance Configuration. | `tags` | object | `{object}` | | Gets or sets tags of the resource. | | `visibility` | string | `''` | `['', Custom, Public]` | Gets or sets the visibility of the configuration. The default value is 'Custom'. | + ## Outputs | Output Name | Type | Description | 
@@ -254,6 +256,7 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index 7851b5d696..690c4c3720 100644 --- a/modules/managed-services/registration-definition/README.md +++ b/modules/managed-services/registration-definition/README.md @@ -11,9 +11,9 @@ remote/managing tenant. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -41,6 +41,7 @@ remote/managing tenant. | `location` | string | `[deployment().location]` | Location deployment metadata. | | `resourceGroupName` | string | `''` | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | + ## Outputs | Output Name | Type | Description | @@ -243,6 +244,7 @@ module registrationDefinition './managed-services/registration-definition/main.b

+ ## Notes ### Considerations diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index 3419ce58b4..1ca85fae64 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -11,9 +11,9 @@ This module has some known **limitations**: - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -38,6 +38,7 @@ This module has some known **limitations**: | `location` | string | `[deployment().location]` | Location deployment metadata. | | `parentId` | string | `[last(split(managementGroup().id, '/'))]` | The management group parent ID. Defaults to current scope. | + ## Outputs | Output Name | Type | Description | @@ -154,6 +155,7 @@ module managementGroup './management/management-group/main.bicep' = {

+ ## Notes ### Considerations diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 11b460b154..2b03642400 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -7,9 +7,9 @@ This module deploys an Azure Firewall. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -67,6 +67,7 @@ This module deploys an Azure Firewall. | `threatIntelMode` | string | `'Deny'` | `[Alert, Deny, Off]` | The operation mode for Threat Intel. | | `zones` | array | `[1, 2, 3]` | | Zone numbers e.g. 1,2,3. | + ## Outputs | Output Name | Type | Description | @@ -783,6 +784,7 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments` diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index cc49c4e195..8cf520a554 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -9,6 +9,7 @@ This module deploys a Bastion Host. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -55,6 +56,7 @@ This module deploys a Bastion Host. | `skuName` | string | `'Basic'` | `[Basic, Standard]` | The SKU of this Bastion Host. | | `tags` | object | `{object}` | | Tags of the resource. | + ## Outputs | Output Name | Type | Description | @@ -379,6 +381,7 @@ module bastionHost './network/bastion-host/main.bicep' = {

+ ## Notes ### Parameter Usage: `tags` diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index 7b22a9bbf6..ca5e4810ad 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Network Gateway Connection. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -51,6 +52,7 @@ This module deploys a Virtual Network Gateway Connection. | `virtualNetworkGateway2` | object | `{object}` | | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. | | `vpnSharedKey` | securestring | `''` | | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | + ## Outputs | Output Name | Type | Description | @@ -160,6 +162,7 @@ module connection './network/connection/main.bicep' = {

+ ## Notes ### Parameter Usage: `localNetworkGateway2` diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 7c6b337f5f..48e410e323 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -9,6 +9,7 @@ This module deploys a DNS Resolver. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -41,6 +42,7 @@ This module deploys a DNS Resolver. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | + ## Outputs | Output Name | Type | Description | @@ -150,6 +152,7 @@ module dnsResolver './network/dns-resolver/main.bicep' = {

+ ## Notes ### Parameter Usage: `roleAssignments`
From b3fc2b11a9d02c7d0464294fc774d7e6460eff5c Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 13 Oct 2023 23:27:16 +0200
Subject: [PATCH 20/20] Compiled templates

---
 .../workspace/compute/main.json | 6 ++---
 .../workspace/main.json | 26 +++++++++----------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json
index aaab4e1d50..16e519cbef 100644
--- a/modules/machine-learning-services/workspace/compute/main.json
+++ b/modules/machine-learning-services/workspace/compute/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "1887700101020083718"
+ "version": "0.22.6.54827",
+ "templateHash": "12652944532720556326"
 },
 "name": "Machine Learning Services Workspaces Computes",
 "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).",
@@ -204,4 +204,4 @@
 "value": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').location]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json
index 1cda09efa3..85a28a93ad 100644
--- a/modules/machine-learning-services/workspace/main.json
+++ b/modules/machine-learning-services/workspace/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11591223647718164676"
+ "version": "0.22.6.54827",
+ "templateHash": "15135710804774691863"
 },
 "name": "Machine Learning Services Workspaces",
 "description": "This module deploys a Machine Learning Services Workspace.",
@@ -431,8 +431,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3258553383268163778"
+ "version": "0.22.6.54827",
+ "templateHash": "12652944532720556326"
 },
 "name": "Machine Learning Services Workspaces Computes",
 "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).",
@@ -485,7 +485,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists."
+ "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists."
 }
 },
 "computeLocation": {
@@ -681,8 +681,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -881,8 +881,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -1019,8 +1019,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
@@ -1233,8 +1233,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "12944726350528933504"
+ "version": "0.22.6.54827",
+ "templateHash": "4724282348303599635"
 }
 },
 "parameters": {