From b0f3d3f7030db92b728e23bfc9604b8d88475d74 Mon Sep 17 00:00:00 2001
From: Javier Cevallos
Date: Fri, 3 Dec 2021 15:22:23 -0800
Subject: [PATCH 1/4] Target NSGs in seperate resource group

In some scenarios, net sec teams are separate from network operations teams.
---
 arm/Microsoft.Network/virtualNetworks/deploy.bicep | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
index 45bc866028..890d255ed0 100644
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -11,6 +11,10 @@ param addressPrefixes array
 @minLength(1)
 param subnets array
 
+@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.')
+@minLength(1)
+param nsgResourceGroup string = resourceGroup().name
+
 @description('Optional. DNS Servers associated to the Virtual Network.')
 param dnsServers array = []
 
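Review bot: `param nsgResourceGroup` is a free-form name that ends up in every subnet's NSG resource ID, yet the template cannot declare a dependency on a resource in another resource group, so the NSG has to pre-exist in that group and the deploying principal needs `Microsoft.Network/networkSecurityGroups/join/action` there, which a least-privilege scope limited to the VNet's group will not grant. Neither the `@description` nor the readme says so, and the description also does not state that the group is assumed to be in the deployment subscription (the single-leading-argument form of `resourceId` used in the second hunk). Suggested wording: `@description('Optional. Resource Group, in the same subscription, where the NSGs referenced by subnets already exist, if different than the VNET Resource Group. The deploying identity needs join permission on those NSGs.')`.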
@@ -116,7 +120,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
 name: item.name
 properties: {
 addressPrefix: item.addressPrefix
-networkSecurityGroup: contains(item, 'networkSecurityGroupName') ? (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId('Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}')) : null
+networkSecurityGroup: contains(item, 'networkSecurityGroupName') ? (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId(nsgResourceGroup, 'Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}')) : null
 routeTable: contains(item, 'routeTableName') ? (empty(item.routeTableName) ? null : json('{"id": "${resourceId('Microsoft.Network/routeTables', item.routeTableName)}"}')) : null
 serviceEndpoints: contains(item, 'serviceEndpoints') ? (empty(item.serviceEndpoints) ? null : item.serviceEndpoints) : null
 delegations: contains(item, 'delegations') ? (empty(item.delegations) ? null : item.delegations) : null
From 76f440d844f7bc7b3c71977f130ac8208599db6d Mon Sep 17 00:00:00 2001
From: Javier Cevallos
Date: Fri, 3 Dec 2021 15:25:44 -0800
Subject: [PATCH 2/4] Notes

---
 arm/Microsoft.Network/virtualNetworks/readme.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md
index 7c5811cb68..6aedcafce3 100644
--- a/arm/Microsoft.Network/virtualNetworks/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/readme.md
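Review bot: The rewritten `networkSecurityGroup` line resolves the NSG in `nsgResourceGroup` while the `routeTable` line directly below still resolves in the VNet's own group, so a caller who moves network-security artifacts out of the VNet group (the stated motivation) gets asymmetric behaviour between the two references; if that is deliberate, a comment such as `// route tables stay in the VNet resource group; only NSGs may live in nsgResourceGroup` would stop the next reader from "fixing" it. A wrong `nsgResourceGroup` value should make the deployment fail with a reference error rather than leave the subnet without an NSG, which is the right failure mode, so I would not add a fallback to the local group. A more general shape would let each subnet object carry an optional full `networkSecurityGroupId` that takes precedence over the name, which removes both the global parameter and the same-subscription assumption. The enclosing `virtualNetwork` resource starts and ends outside the hunk.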
@@ -31,6 +31,7 @@ This template deploys a virtual network (vNet).
 | `name` | string | | | Required. The Virtual Network (vNet) Name. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `subnets` | array | | | Required. An Array of subnets to deploy to the Virual Network. |
+| `nsgResourceGroup` | array | | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `virtualNetworkPeerings` | _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_ array | `[]` | | Optional. Virtual Network Peerings configurations |
 | `workspaceId` | string | | | Optional. Resource ID of log analytics. |
From 2a8ded0b17b27542e9ff4d0db63fc4c55c50aabd Mon Sep 17 00:00:00 2001
From: Javier Cevallos
Date: Fri, 3 Dec 2021 15:26:31 -0800
Subject: [PATCH 3/4] change type

---
 arm/Microsoft.Network/virtualNetworks/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md
index 6aedcafce3..5ca70a6c50 100644
--- a/arm/Microsoft.Network/virtualNetworks/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/readme.md
@@ -31,7 +31,7 @@ This template deploys a virtual network (vNet).
 | `name` | string | | | Required. The Virtual Network (vNet) Name. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `subnets` | array | | | Required. An Array of subnets to deploy to the Virual Network. |
-| `nsgResourceGroup` | array | | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
+| `nsgResourceGroup` | string | | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `virtualNetworkPeerings` | _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_ array | `[]` | | Optional. Virtual Network Peerings configurations |
 | `workspaceId` | string | | | Optional. Resource ID of log analytics. |
From 6dba8422fcfe9acb61a9e75c3c20f4af4bf3b6db Mon Sep 17 00:00:00 2001
From: Javier Cevallos
Date: Fri, 3 Dec 2021 15:27:49 -0800
Subject: [PATCH 4/4] Update readme.md

---
 arm/Microsoft.Network/virtualNetworks/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md
index 5ca70a6c50..4fe7f5e8bd 100644
--- a/arm/Microsoft.Network/virtualNetworks/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/readme.md
@@ -31,7 +31,7 @@ This template deploys a virtual network (vNet).
 | `name` | string | | | Required. The Virtual Network (vNet) Name. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `subnets` | array | | | Required. An Array of subnets to deploy to the Virual Network. |
-| `nsgResourceGroup` | string | | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
+| `nsgResourceGroup` | string | `[resourceGroup().name]` | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `virtualNetworkPeerings` | _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_ array | `[]` | | Optional. Virtual Network Peerings configurations |
 | `workspaceId` | string | | | Optional. Resource ID of log analytics. |