diff --git a/.github/workflows/ms.network.networkwatcherflowlogs.yml b/.github/workflows/ms.network.networkwatcherflowlogs.yml deleted file mode 100644 index ca3d4eb6f9..0000000000 --- a/.github/workflows/ms.network.networkwatcherflowlogs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -name: 'Network: Networkwatcherflowlogs' - -on: - workflow_dispatch: - inputs: - removeDeployment: - description: 'Remove deployed module' - required: false - default: 'true' - versioningOption: - description: 'The mode to handle the version increments [major|minor|patch]' - required: false - default: 'patch' - customVersion: - description: 'Custom version to apply. Used only if higher than latest' - required: false - default: '0.0.1' - push: - branches: - - main - paths: - - '.github/actions/templates/**' - - '.github/workflows/ms.network.networkwatcherflowlogs.yml' - - 'arm/Microsoft.Network/networkWatcherFlowLogs/**' - - '!arm/Microsoft.Network/networkWatcherFlowLogs/readme.md' - -env: - moduleName: 'networkWatcherFlowLogs' - modulePath: 'arm/Microsoft.Network/networkWatcherFlowLogs' - workflowPath: '.github/workflows/ms.network.networkwatcherflowlogs.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} - ARM_MGMTGROUP_ID: ${{ secrets.ARM_MGMTGROUP_ID }} - -jobs: - ############################ - # SET INPUT PARAMETERS # - ############################ - job_set_workflow_param: - runs-on: ubuntu-20.04 - name: 'Set input parameters to output variables' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Set input parameters' - id: get-workflow-param - uses: ./.github/actions/templates/getWorkflowInput - with: - workflowPath: '${{ env.workflowPath}}' - outputs: - removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} - versioningOption: ${{ steps.get-workflow-param.outputs.versioningOption }} - customVersion: ${{ steps.get-workflow-param.outputs.customVersion }} - - ################## - # UNIT TESTS # - ################## - # Global tests - # ------------ - job_tests_module_global: - runs-on: ubuntu-20.04 - name: 'Run global module tests' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - 
name: 'Test module' - uses: ./.github/actions/templates/validateModuleGeneral - with: - modulePath: '${{ env.modulePath }}' - moduleName: '${{ env.moduleName}}' - - # Global API tests - # ---------------- - job_tests_module_global_api: - runs-on: ubuntu-20.04 - name: 'Run global API module tests' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Test module' - uses: ./.github/actions/templates/validateModuleApis - with: - modulePath: '${{ env.modulePath }}' - moduleName: '${{ env.moduleName}}' - - # Validate deployment module tests - # -------------------------------- - job_tests_module_deploy_validate: - runs-on: ubuntu-20.04 - name: 'Run deployment validation module tests' - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: deep-mm/set-variables@v1.0 - with: - # Name of variable file - variableFileName: 'variables.module' # Don't write .json here - - name: 'Test module' - uses: ./.github/actions/templates/validateModuleDeploy - with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - - #################### - # DEPLOY TESTS # - #################### - job_deploy_module: - runs-on: ubuntu-20.04 - name: 'Deploy module' - needs: - - job_set_workflow_param - - job_tests_module_global - - job_tests_module_global_api - - job_tests_module_deploy_validate - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: 
deep-mm/set-variables@v1.0 - with: - # Name of variable file - variableFileName: 'variables.module' # Don't write .json here - - name: 'Deploy module' - uses: ./.github/actions/templates/deployModule - with: - moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}' - - ############### - # PUBLISH # - ############### - job_publish_module: - name: 'Publish module' - if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) - runs-on: ubuntu-20.04 - needs: - - job_set_workflow_param - - job_deploy_module - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: deep-mm/set-variables@v1.0 - with: - # Name of variable file - variableFileName: 'variables.module' # Don't write .json here - - name: 'Publish module' - uses: ./.github/actions/templates/publishModule - with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - versioningOption: '${{ needs.job_set_workflow_param.outputs.versioningOption }}' - customVersion: '${{ needs.job_set_workflow_param.outputs.customVersion }}' - templateSpecsRGName: '${{ env.templateSpecsRGName }}' - templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' - templateSpecsDescription: '${{ env.templateSpecsDescription }}' - templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' - bicepRegistryName: '${{ env.bicepRegistryName }}' - bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' - bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' - - ############## - # REMOVE # - ############## - job_remove_module: - runs-on: 
ubuntu-20.04 - name: 'Remove module' - if: ${{ always() && !cancelled() && needs.job_set_workflow_param.outputs.removeDeployment == 'true' && (contains(needs.*.result, 'success') || contains(needs.*.result, 'failure')) }} - needs: - - job_deploy_module - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: deep-mm/set-variables@v1.0 - with: - # Name of variable file - variableFileName: 'variables.module' # Don't write .json here - - name: 'Remove module' - uses: ./.github/actions/templates/removeModule - with: - moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/.github/workflows/ms.network.networkwatchers.yml b/.github/workflows/ms.network.networkwatchers.yml index 26cd840039..a1a3d38e5b 100644 --- a/.github/workflows/ms.network.networkwatchers.yml +++ b/.github/workflows/ms.network.networkwatchers.yml @@ -97,7 +97,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['parameters.json', 'min.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -132,7 +132,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['parameters.json', 'min.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/.parameters/parameters.json b/arm/Microsoft.Network/networkWatcherFlowLogs/.parameters/parameters.json deleted file mode 100644 index 53f6efdc2a..0000000000 --- a/arm/Microsoft.Network/networkWatcherFlowLogs/.parameters/parameters.json +++ /dev/null 
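Review bot: With `min.parameters.json` in the deploy matrix the module is deployed with only `location` set, so `name` in networkWatchers/deploy.bicep falls back to `NetworkWatcher_northeurope`, which matches the name Azure gives the subscription's single auto-created Network Watcher for that region. If this workflow ends with the same remove job as the sibling workflow deleted above (whose `removeDeployment` input defaults to `'true'`), the cleanup would delete that shared regional watcher and, with it, every NSG flow log parented under it in the validation subscription, a monitoring gap rather than a test teardown; the remove job is outside these hunks, so please confirm it skips resources of that name or that the validation subscription tolerates it. Both hunks also still reference `actions/checkout@v2` by mutable tag rather than a commit SHA, although that predates this change.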
@@ -1,36 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "networkWatcherName": { - "value": "adp-sxx-az-nw-x-001" - }, - "networkSecurityGroupResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-sxx-az-nsg-x-001" - }, - "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" - }, - "retentionEnabled": { - "value": false - }, - "flowLogEnabled": { - "value": true - }, - "logFormatVersion": { - "value": 2 - }, - "flowLogIntervalInMinutes": { - "value": 10 - }, - "retentionInDays": { - "value": 8 - }, - "flowAnalyticsEnabled": { - "value": false - }, - "workspaceResourceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-la-x-001" - } - } -} diff --git a/arm/Microsoft.Network/networkWatchers/.parameters/min.parameters.json b/arm/Microsoft.Network/networkWatchers/.parameters/min.parameters.json new file mode 100644 index 0000000000..78acbb0c7e --- /dev/null +++ b/arm/Microsoft.Network/networkWatchers/.parameters/min.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "value": "northeurope" + } + } +} diff --git a/arm/Microsoft.Network/networkWatchers/.parameters/parameters.json b/arm/Microsoft.Network/networkWatchers/.parameters/parameters.json index 5e823ee6bd..6c18a6c0a5 100644 --- a/arm/Microsoft.Network/networkWatchers/.parameters/parameters.json +++ b/arm/Microsoft.Network/networkWatchers/.parameters/parameters.json 
@@ -2,9 +2,82 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "networkWatcherName": { + "name": { "value": "adp-sxx-az-nw-x-001" }, + "flowLogs": { + "value": [ + { + "targetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-sxx-az-nsg-x-001", + "storageId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "enabled": false + }, + { + "name": "adp-sxx-az-nsg-x-apgw-flowlog", + "targetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-sxx-az-nsg-x-apgw", + "storageId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceResourceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-la-x-001", + "formatVersion": 1, + "trafficAnalyticsInterval": 10, + "retentionInDays": 8 + } + ] + }, + "connectionMonitors": { + "value": [ + { + "name": "adp-sxx-az-conn-mon-x-001", + "endpoints": [ + { + "name": "sxx-az-subnet-x-001(validation-rg)", + "type": "AzureVM", + "resourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Compute/virtualMachines/adp-vm-001" + }, + { + "name": "Office Portal", + "type": "ExternalAddress", + "address": "www.office.com" + } + ], + "testConfigurations": [ + { + "name": "HTTP Test", + "testFrequencySec": 30, + "protocol": "Http", + "httpConfiguration": { + "port": 80, + "method": "Get", + "requestHeaders": [], + "validStatusCodeRanges": [ + "200" + ], + "preferHTTPS": false + }, + "successThreshold": { + "checksFailedPercent": 5, + "roundTripTimeMs": 100 + } + } + ], + "testGroups": [ + { + "name": "TestHTTPBing", + "disable": false, + "testConfigurations": [ + "HTTP Test" + ], + "sources": [ + 
"sxx-az-subnet-x-001(validation-rg)" + ], + "destinations": [ + "Office Portal" + ] + } + ], + "workspaceResourceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-la-x-001" + } + ] + }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/networkWatchers/connectionMonitors/.bicep/nested_cuaId.bicep similarity index 100% rename from arm/Microsoft.Network/networkWatcherFlowLogs/.bicep/nested_cuaId.bicep rename to arm/Microsoft.Network/networkWatchers/connectionMonitors/.bicep/nested_cuaId.bicep diff --git a/arm/Microsoft.Network/networkWatchers/connectionMonitors/deploy.bicep b/arm/Microsoft.Network/networkWatchers/connectionMonitors/deploy.bicep new file mode 100644 index 0000000000..6132a4293c --- /dev/null +++ b/arm/Microsoft.Network/networkWatchers/connectionMonitors/deploy.bicep 
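Review bot: The second `flowLogs` entry pins `"formatVersion": 1`, the older schema that lacks the flow-state and byte/packet fields that version 2 carries, so the fixture meant to show a fully configured flow log (the one with a workspace and Traffic Analytics) documents the less useful format; `flowLogs[0]` already exercises the default, so consider `"formatVersion": 2` here or a third entry if v1 coverage is the goal. The connection monitor fixture names its test group `TestHTTPBing` while its destination is the `Office Portal` endpoint at `www.office.com`, probed on port 80 with `"preferHTTPS": false`; rename the group (e.g. `TestHTTPOffice`) so the fixture reads consistently, bearing in mind a plain-HTTP probe only proves reachability, not that the TLS endpoint is healthy.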
@@ -0,0 +1,61 @@
+@description('Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG')
+param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}'
+
+@description('Optional. Name of the resource.')
+param name string
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. List of connection monitor endpoints.')
+param endpoints array = []
+
+@description('Optional. List of connection monitor test configurations.')
+param testConfigurations array = []
+
+@description('Optional. List of connection monitor test groups.')
+param testGroups array = []
+
+@description('Optional. Specify the Log Analytics Workspace Resource ID')
+param workspaceResourceId string = ''
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var outputs = !empty(workspaceResourceId) ? [
+ {
+ type: 'Workspace'
+ workspaceSettings: {
+ workspaceResourceId: workspaceResourceId
+ }
+ }
+] : null
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource connectionMonitor 'Microsoft.Network/networkWatchers/connectionMonitors@2021-03-01' = {
+ name: '${networkWatcherName}/${name}'
+ tags: tags
+ location: location
+ properties: {
+ endpoints: endpoints
+ testConfigurations: testConfigurations
+ testGroups: testGroups
+ outputs: outputs
+ }
+}
+
+@description('The name of the deployed connection monitor')
+output connectionMonitorName string = connectionMonitor.name
+
+@description('The resourceId of the deployed connection monitor')
+output connectionMonitorResourceId string = connectionMonitor.id
+
+@description('The resource group the connection monitor was deployed into')
+output connectionMonitorResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/networkWatchers/connectionMonitors/readme.md b/arm/Microsoft.Network/networkWatchers/connectionMonitors/readme.md
new file mode 100644
index 0000000000..ecf4254c05
--- /dev/null
+++ b/arm/Microsoft.Network/networkWatchers/connectionMonitors/readme.md
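Review bot: `param name string` has no default, so it is effectively required, yet its `@description` says 'Optional. Name of the resource.' and the generated readme repeats that; `networkWatcherName` in turn keeps the flow-log wording ('where the Flow log will be created and same region as the NSG'), which is copy-paste from flowLogs/deploy.bicep and does not describe a connection monitor. Suggest `@description('Required. Name of the connection monitor.')` and `@description('Optional. Name of the Network Watcher resource. Must be in the resource group where the connection monitor will be created.')`. The `endpoints`, `testConfigurations` and `testGroups` arrays are passed straight through to the resource without validation, so a pointer in their descriptions to the expected object shapes (the parent readme already has a parameter-usage section for this) would help callers.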
@@ -0,0 +1,35 @@ +# Network Watchers Connection Monitors `[Microsoft.Network/networkWatchers/connectionMonitors]` + +This template deploys Connection Monitors. + +## Resource Types + +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Network/networkWatchers/connectionMonitors` | 2021-03-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `endpoints` | array | `[]` | | Optional. List of connection monitor endpoints. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `name` | string | | | Optional. Name of the resource. | +| `networkWatcherName` | string | `[format('NetworkWatcher_{0}', resourceGroup().location)]` | | Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `testConfigurations` | array | `[]` | | Optional. List of connection monitor test configurations. | +| `testGroups` | array | `[]` | | Optional. List of connection monitor test groups. | +| `workspaceResourceId` | string | | | Optional. Specify the Log Analytics Workspace Resource ID | + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `connectionMonitorName` | string | The name of the deployed connection monitor | +| `connectionMonitorResourceGroup` | string | The resource group the connection monitor was deployed into | +| `connectionMonitorResourceId` | string | The resourceId of the deployed connection monitor | + +## Template references + +- [Networkwatchers/Connectionmonitors](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/networkWatchers/connectionMonitors) 
diff --git a/arm/Microsoft.Network/networkWatchers/deploy.bicep b/arm/Microsoft.Network/networkWatchers/deploy.bicep
index 19eb26e5dd..6f69d05a81 100644
--- a/arm/Microsoft.Network/networkWatchers/deploy.bicep
+++ b/arm/Microsoft.Network/networkWatchers/deploy.bicep
@@ -1,15 +1,15 @@
 @description('Required. Name of the Network Watcher resource (hidden)')
 @minLength(1)
-param networkWatcherName string = ''
+param name string = 'NetworkWatcher_${location}'
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@description('Optional. Array that contains the monitors')
-param monitors array = []
+@description('Optional. Array that contains the Connection Monitors')
+param connectionMonitors array = []
-@description('Optional. Specify the Workspace Resource ID')
-param workspaceResourceId string = ''
+@description('Optional. Array that contains the Flow Logs')
+param flowLogs array = []
 @allowed([
 'CanNotDelete'
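Review bot: `name` now has the default `'NetworkWatcher_${location}'` but keeps `@description('Required. Name of the Network Watcher resource (hidden)')`, so the description and the readme table both contradict the code; suggest `@description('Optional. Name of the Network Watcher resource. Defaults to NetworkWatcher_<location>, the name Azure assigns to the regional Network Watcher.')`. Renaming `networkWatcherName` to `name` and `monitors` to `connectionMonitors`, and dropping the parent-level `workspaceResourceId` in favour of a per-monitor and per-flow-log value, is a breaking change for existing callers of this module, so it deserves an explicit line in the readme or release notes even though the rename is clearly intentional.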
@@ -28,36 +28,16 @@ param tags object = {}
 @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
 param cuaId string = ''
-var outputs = [
- {
- type: 'Workspace'
- workspaceSettings: {
- workspaceResourceId: workspaceResourceId
- }
- }
-]
-
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 name: 'pid-${cuaId}'
 params: {}
 }
 resource networkWatcher 'Microsoft.Network/networkWatchers@2021-02-01' = {
+ name: name
 location: location
- name: networkWatcherName
+ tags: tags
 properties: {}
-
- resource connectionMonitors 'connectionMonitors@2021-02-01' = [for monitor in monitors: {
- name: monitor.connectionMonitorName
- location: location
- tags: tags
- properties: {
- endpoints: !empty(monitors) ? monitor.endpoints : null
- testConfigurations: !empty(monitors) ? monitor.testConfigurations : null
- testGroups: !empty(monitors) ? monitor.testGroups : null
- outputs: !empty(workspaceResourceId) ? outputs : null
- }
- }]
 }
 resource networkWatcher_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
@@ -77,11 +57,39 @@ module networkWatcher_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in
 }
 }]
-@description('The resource group the network watcher was deployed into')
-output networkWatcherResourceGroup string = resourceGroup().name
+module networkWatcher_connectionMonitors 'connectionMonitors/deploy.bicep' = [for connectionMonitor in connectionMonitors: {
+ name: connectionMonitor.name
+ params: {
+ endpoints: contains(connectionMonitor, 'endpoints') ? connectionMonitor.endpoints : []
+ name: connectionMonitor.name
+ networkWatcherName: networkWatcher.name
+ testConfigurations: contains(connectionMonitor, 'testConfigurations') ? connectionMonitor.testConfigurations : []
+ testGroups: contains(connectionMonitor, 'testGroups') ? connectionMonitor.testGroups : []
+ workspaceResourceId: contains(connectionMonitor, 'workspaceResourceId') ? connectionMonitor.workspaceResourceId : ''
+ }
+}]
-@description('The resourceId of the deployed network watcher')
-output networkWatcherResourceId string = networkWatcher.id
+module networkWatcher_flowLogs 'flowLogs/deploy.bicep' = [for (flowLog, index) in flowLogs: {
+ name: '${deployment().name}-flowLog-${index}'
+ params: {
+ enabled: contains(flowLog, 'enabled') ? flowLog.enabled : true
+ formatVersion: contains(flowLog, 'formatVersion') ? flowLog.formatVersion : 2
+ location: contains(flowLog, 'location') ? flowLog.location : location
+ name: contains(flowLog, 'name') ? flowLog.name : '${last(split(flowLog.targetResourceId, '/'))}-${split(flowLog.targetResourceId, '/')[4]}-flowlog'
+ networkWatcherName: networkWatcher.name
+ retentionInDays: contains(flowLog, 'retentionInDays') ? flowLog.retentionInDays : 365
+ storageId: flowLog.storageId
+ targetResourceId: flowLog.targetResourceId
+ trafficAnalyticsInterval: contains(flowLog, 'trafficAnalyticsInterval') ? flowLog.trafficAnalyticsInterval : 60
+ workspaceResourceId: contains(flowLog, 'workspaceResourceId') ? flowLog.workspaceResourceId : ''
+ }
+}]
 @description('The name of the deployed network watcher')
 output networkWatcherName string = networkWatcher.name
+
+@description('The resourceId of the deployed network watcher')
+output networkWatcherResourceId string = networkWatcher.id
+
+@description('The resource group the network watcher was deployed into')
+output networkWatcherResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/networkWatchers/flowLogs/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/networkWatchers/flowLogs/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/arm/Microsoft.Network/networkWatchers/flowLogs/.bicep/nested_cuaId.bicep
@@ -0,0 +1 @@
+
diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep b/arm/Microsoft.Network/networkWatchers/flowLogs/deploy.bicep
similarity index 59%
rename from arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep
rename to arm/Microsoft.Network/networkWatchers/flowLogs/deploy.bicep
index aaf1a42f01..a7a121a482 100644
--- a/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep
+++ b/arm/Microsoft.Network/networkWatchers/flowLogs/deploy.bicep
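Review bot: Neither child module call forwards `tags`, so the `tags` the parent accepts and applies to `networkWatcher` are silently dropped for every connection monitor and flow log (both child modules default `tags` to `{}`); add `tags: tags` to both `params` blocks. The connection-monitor deployment is also named `connectionMonitor.name`, unlike `networkWatcher_flowLogs` which uses `'${deployment().name}-flowLog-${index}'`, so a monitor name reused by another deployment in the resource group collides and a long name can exceed the 64-character deployment-name limit; use `[for (connectionMonitor, index) in connectionMonitors: {` with `name: '${deployment().name}-connMon-${index}'`. `location` is forwarded for flow logs but not for connection monitors, which then fall back to `resourceGroup().location` inside the child module; forwarding it keeps the two consistent.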
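Review bot: The new `flowLogs/.bicep/nested_cuaId.bicep` consists of a single blank line (blob `8b13789179`), while the original tracking helper was renamed into `connectionMonitors/.bicep/` and flowLogs/deploy.bicep still declares `module pid_cuaId '.bicep/nested_cuaId.bicep'` against this path. An empty Bicep file does compile, so the `pid-<cuaId>` deployment is still created, but if the renamed file carries any content (it is not visible in this diff) the two helpers have now diverged; either copy the renamed file here as well or add a one-line `// intentionally empty: the pid-<GUID> deployment name is what is tracked` comment so the emptiness is clearly deliberate.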
@@ -1,35 +1,32 @@
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
+@description('Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG')
+param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}'
+
+@description('Optional. Name of the resource.')
+param name string = '${last(split(targetResourceId, '/'))}-${split(targetResourceId, '/')[4]}-flowlog'
 @description('Optional. Tags of the resource.')
 param tags object = {}
-@description('Required. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG')
-param networkWatcherName string
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
 @description('Required. Resource ID of the NSG that must be enabled for Flow Logs.')
-param networkSecurityGroupResourceId string
+param targetResourceId string
 @description('Required. Resource identifier of the Diagnostic Storage Account.')
-param diagnosticStorageAccountId string
-
-@description('Optional. If the flow log retention should be enabled')
-param retentionEnabled bool = true
+param storageId string
 @description('Optional. If the flow log should be enabled')
-param flowLogEnabled bool = true
+param enabled bool = true
 @description('Optional. The flow log format version')
 @allowed([
 1
 2
 ])
-param logFormatVersion int = 2
-
-@description('Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it)')
-param flowAnalyticsEnabled bool = false
+param formatVersion int = 2
-@description('Optional. Resource identifier of Log Analytics.')
+@description('Optional. Specify the Log Analytics Workspace Resource ID')
 param workspaceResourceId string = ''
 @description('Optional. The interval in minutes which would decide how frequently TA service should do flow analytics.')
@@ -37,7 +34,7 @@ param workspaceResourceId string = ''
 10
 60
 ])
-param flowLogIntervalInMinutes int = 60
+param trafficAnalyticsInterval int = 60
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
@@ -47,13 +44,15 @@ param retentionInDays int = 365
 @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
 param cuaId string = ''
-var nsgName = split(networkSecurityGroupResourceId, '/')[8]
-var fullFlowLogName = '${networkWatcherName}/${uniqueString(nsgName)}'
-var flowAnalyticsConfig = {
+var flowAnalyticsConfiguration = !empty(workspaceResourceId) && enabled == true ? {
 networkWatcherFlowAnalyticsConfiguration: {
- enabled: flowAnalyticsEnabled
+ enabled: true
 workspaceResourceId: workspaceResourceId
- trafficAnalyticsInterval: flowLogIntervalInMinutes
+ trafficAnalyticsInterval: trafficAnalyticsInterval
+ }
+} : {
+ networkWatcherFlowAnalyticsConfiguration: {
+ enabled: false
 }
 }
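Review bot: The default for `name`, `'${last(split(targetResourceId, '/'))}-${split(targetResourceId, '/')[4]}-flowlog'`, assumes `targetResourceId` is a full ARM id (`/subscriptions/…/resourceGroups/<rg>/providers/…`); anything shorter fails at `[4]` with an index error instead of a clear validation message, and the segment at index 4 is the target's resource group, which neither description mentions. Consider saying so in both: `Required. Full resource ID of the NSG to enable Flow Logs for.` and, for `name`, that the default is `<nsgName>-<nsgResourceGroup>-flowlog`. `networkWatcherName` now defaults to `NetworkWatcher_${resourceGroup().location}`, which is only correct when the deployment resource group sits in the NSG's region, as the description itself requires; spelling that assumption out beats leaving it implicit.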
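Review bot: The disabled branch of `flowAnalyticsConfiguration` sends `{ enabled: false }` without a `workspaceResourceId`, yet the description this commit deletes ('If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it)') recorded that the API rejects exactly that when analytics is switched off on an existing flow log, so redeploying with `enabled: false` against a log that had Traffic Analytics on may fail. Keep the id when one is supplied, e.g. `enabled: false` followed by `workspaceResourceId: !empty(workspaceResourceId) ? workspaceResourceId : null`, and carry the removed caveat over into the `workspaceResourceId` description so the knowledge is not lost. Minor: `enabled == true` is just `enabled`.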
@@ -62,31 +61,30 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 params: {}
 }
-resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
- name: fullFlowLogName
- location: location
+resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2021-03-01' = {
+ name: '${networkWatcherName}/${name}'
 tags: tags
+ location: location
 properties: {
- targetResourceId: networkSecurityGroupResourceId
- storageId: diagnosticStorageAccountId
- enabled: flowLogEnabled
+ targetResourceId: targetResourceId
+ storageId: storageId
+ enabled: enabled
 retentionPolicy: {
 days: retentionInDays
- enabled: retentionEnabled
+ enabled: retentionInDays == 0 ? false : true
 }
 format: {
 type: 'JSON'
- version: logFormatVersion
+ version: formatVersion
 }
- flowAnalyticsConfiguration: empty(workspaceResourceId) ? null : flowAnalyticsConfig
+ flowAnalyticsConfiguration: flowAnalyticsConfiguration
 }
 }
-
-@description('The resource group the flow log was deployed into')
-output flowLogResourceGroup string = resourceGroup().name
+@description('The name of the flow log')
+output flowLogName string = flowLog.name
 @description('The resourceId of the flow log')
 output flowLogResourceId string = flowLog.id
-@description('The name of the flow log')
-output flowLogName string = flowLog.name
+@description('The resource group the flow log was deployed into')
+output flowLogResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md b/arm/Microsoft.Network/networkWatchers/flowLogs/readme.md
similarity index 57%
rename from arm/Microsoft.Network/networkWatcherFlowLogs/readme.md
rename to arm/Microsoft.Network/networkWatchers/flowLogs/readme.md
index b387af3c9b..f0ad10647f 100644
--- a/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md
+++ b/arm/Microsoft.Network/networkWatchers/flowLogs/readme.md
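Review bot: `enabled: retentionInDays == 0 ? false : true` is a boolean-valued conditional that can simply be `enabled: retentionInDays > 0` (the parameter already carries `@minValue(0)`), and the same hunk moves the resource from `flowLogs@2021-05-01` back to `@2021-03-01` with no reason in the diff, so please confirm the API downgrade is deliberate rather than copied from connectionMonitors. The child is still addressed by hand-built string concatenation `'${networkWatcherName}/${name}'`; if the repo's Bicep version supports it, a `resource networkWatcher 'Microsoft.Network/networkWatchers@2021-03-01' existing = { name: networkWatcherName }` plus `parent: networkWatcher` keeps the parent/child relationship explicit and lets the compiler check the name segments.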
@@ -1,4 +1,4 @@ -# NSG Flow Logs `[Microsoft.Network/networkWatcherFlowLogs]` +# NSG Flow Logs `[Microsoft.Network/networkWatchers/flowLogs]` This module controls the Network Security Group Flow Logs and analytics settings **Note: this module must be run on the Resource Group where Network Watcher is deployed** 
@@ -7,25 +7,24 @@ This module controls the Network Security Group Flow Logs and analytics settings | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Network/networkWatchers/flowLogs` | 2021-05-01 | +| `Microsoft.Network/networkWatchers/flowLogs` | 2021-03-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `diagnosticStorageAccountId` | string | | | Required. Resource identifier of the Diagnostic Storage Account. | -| `flowAnalyticsEnabled` | bool | | | Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it) | -| `flowLogEnabled` | bool | `True` | | Optional. If the flow log should be enabled | -| `flowLogIntervalInMinutes` | int | `60` | `[10, 60]` | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics. | +| `enabled` | bool | `True` | | Optional. If the flow log should be enabled | +| `formatVersion` | int | `2` | `[1, 2]` | Optional. The flow log format version | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | -| `logFormatVersion` | int | `2` | `[1, 2]` | Optional. The flow log format version | -| `networkSecurityGroupResourceId` | string | | | Required. Resource ID of the NSG that must be enabled for Flow Logs. | -| `networkWatcherName` | string | | | Required. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | -| `retentionEnabled` | bool | `True` | | Optional. If the flow log retention should be enabled | +| `name` | string | `[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]` | | Optional. Name of the resource. 
| +| `networkWatcherName` | string | `[format('NetworkWatcher_{0}', resourceGroup().location)]` | | Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | | `retentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `storageId` | string | | | Required. Resource identifier of the Diagnostic Storage Account. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | -| `workspaceResourceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `targetResourceId` | string | | | Required. Resource ID of the NSG that must be enabled for Flow Logs. | +| `trafficAnalyticsInterval` | int | `60` | `[10, 60]` | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics. | +| `workspaceResourceId` | string | | | Optional. Specify the Log Analytics Workspace Resource ID | ### Parameter Usage: `tags` @@ -54,4 +53,4 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references -- [Networkwatchers/Flowlogs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/networkWatchers/flowLogs) +- [Networkwatchers/Flowlogs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/networkWatchers/flowLogs) diff --git a/arm/Microsoft.Network/networkWatchers/readme.md b/arm/Microsoft.Network/networkWatchers/readme.md index c8608b9cdb..f9495ca6af 100644 --- a/arm/Microsoft.Network/networkWatchers/readme.md +++ b/arm/Microsoft.Network/networkWatchers/readme.md 
@@ -9,20 +9,21 @@ This template deploys Network Watcher. | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | | `Microsoft.Network/networkWatchers` | 2021-02-01 | -| `Microsoft.Network/networkWatchers/connectionMonitors` | 2021-02-01 | +| `Microsoft.Network/networkWatchers/connectionMonitors` | 2021-03-01 | +| `Microsoft.Network/networkWatchers/flowLogs` | 2021-03-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `connectionMonitors` | _[connectionMonitors](connectionMonitors/readme.md)_ array | `[]` | | Optional. Array that contains the Connection Monitors | | `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `flowLogs` | _[flowLogs](flowLogs/readme.md)_ array | `[]` | | Optional. Array that contains the Flow Logs | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | -| `monitors` | array | `[]` | | Optional. Array that contains the monitors | -| `networkWatcherName` | string | | | Required. Name of the Network Watcher resource (hidden) | +| `name` | string | `[format('NetworkWatcher_{0}', parameters('location'))]` | | Required. Name of the Network Watcher resource (hidden) | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `tags` | object | `{object}` | | Optional. Tags of the resource. 
| -| `workspaceResourceId` | string | | | Optional. Specify the Workspace Resource ID | ### Parameter Usage: `monitors` @@ -141,4 +142,5 @@ Tag names and tag values can be provided as needed. A tag can be left without a - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Networkwatchers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkWatchers) -- [Networkwatchers/Connectionmonitors](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkWatchers/connectionMonitors) +- [Networkwatchers/Connectionmonitors](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/networkWatchers/connectionMonitors) +- [Networkwatchers/Flowlogs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/networkWatchers/flowLogs) diff --git a/utilities/dependencies/Microsoft.Compute/virtualMachines/parameters/parameters.json b/utilities/dependencies/Microsoft.Compute/virtualMachines/parameters/parameters.json index 595e0c005f..40255bdc39 100644 --- a/utilities/dependencies/Microsoft.Compute/virtualMachines/parameters/parameters.json +++ b/utilities/dependencies/Microsoft.Compute/virtualMachines/parameters/parameters.json @@ -48,6 +48,9 @@ ] } ] + }, + "enableNetworkWatcherWindows": { + "value": true } } }