diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml new file mode 100644 index 0000000000..424b2aec2d --- /dev/null +++ b/.github/workflows/ms.network.firewallpolicies.yml 
@@ -0,0 +1,180 @@ +name: 'Network: FirewallPolicies' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: 'true' + versioningOption: + type: choice + description: 'The mode to handle the version increments [major|minor|patch]' + required: false + default: 'patch' + options: + - major + - minor + - patch + customVersion: + description: 'Custom version to apply. Used only if higher than latest' + required: false + default: '0.0.1' + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.network.firewallpolicies.yml' + - 'arm/Microsoft.Network/firewallPolicies/**' + - '!*/**/readme.md' + +env: + modulePath: 'arm/Microsoft.Network/firewallPolicies' + workflowPath: '.github/workflows/ms.network.firewallpolicies.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' + +jobs: + ############################ + # SET INPUT PARAMETERS # + ############################ + job_set_workflow_param: + runs-on: ubuntu-20.04 + name: 'Set input parameters to output variables' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Set input parameters' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + outputs: + removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} + versioningOption: ${{ steps.get-workflow-param.outputs.versioningOption }} + customVersion: ${{ steps.get-workflow-param.outputs.customVersion }} + + ################## + # UNIT TESTS # + ################## + # Global tests + # ------------ + job_tests_module_global: + runs-on: ubuntu-20.04 + name: 'Run global module tests' + steps: + - name: 
'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Test module' + uses: ./.github/actions/templates/validateModuleGeneral + with: + modulePath: '${{ env.modulePath }}' + + # Global API tests + # ---------------- + job_tests_module_global_api: + runs-on: ubuntu-20.04 + name: 'Run global API module tests' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Test module' + uses: ./.github/actions/templates/validateModuleApis + with: + modulePath: '${{ env.modulePath }}' + + ########################### + # Deployment module tests # + ########################### + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Run deployment validation module tests' + needs: + - job_set_workflow_param + - job_tests_module_global + - job_tests_module_global_api + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['min.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + # ----------- # + ## Dry Run ## + # ----------- # + - name: 'Test module with parameter file [${{ matrix.parameterFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeploy + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # ------------------- # + ## Deploy & Remove ## + # ------------------- # + - name: 'Deploy module with parameter file [${{ matrix.parameterFilePaths }}]' + id: step_deploy + uses: ./.github/actions/templates/deployModule + with: + templateFilePath: '${{ 
env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: 'Publish module' + if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) + runs-on: ubuntu-20.04 + needs: + - job_set_workflow_param + - job_module_deploy_validation + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: 'Publish module' + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + versioningOption: '${{ needs.job_set_workflow_param.outputs.versioningOption }}' + customVersion: '${{ needs.job_set_workflow_param.outputs.customVersion }}' + templateSpecsRGName: '${{ env.templateSpecsRGName }}' + templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' + templateSpecsDescription: '${{ env.templateSpecsDescription }}' + templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' + bicepRegistryName: '${{ env.bicepRegistryName }}' + bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index bca8a54621..15301cd15a 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep 
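Review bot: The third-party action `deep-mm/set-variables@v1.0` used in `job_module_deploy_validation` and `job_publish_module` is referenced by a mutable tag while the workflow-level `env` injects `AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID`, `ARM_MGMTGROUP_ID`, `ARM_TENANT_ID` and `DEPLOYMENT_SP_ID` into every step, so whatever that tag resolves to at run time executes with those secrets in its environment. Pin it (and `actions/checkout@v2`) to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: deep-mm/set-variables@<full-commit-sha> # v1.0`, and consider moving the `secrets.*` references out of the workflow `env` and into the steps that need them (the `validateModuleDeploy`, `deployModule` and `publishModule` steps already read `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` directly). Separately, `removeDeployment` is declared `type: boolean` but its default is the quoted string `'true'`; an unquoted `default: true` matches the declared type. Minor: `'${{ env.workflowPath}}'` is missing the space before `}}`.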
@@ -74,7 +74,7 @@ param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Tags of the Automation Account resource.') +@description('Optional. Tags of the Azure Firewall resource.') param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') @@ -188,7 +188,7 @@ resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSetti scope: azureFirewallPip } -resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { +resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-03-01' = { name: name location: location zones: length(availabilityZones) == 0 ? null : availabilityZones diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 3faeb9743a..4e03e4cc3b 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md @@ -9,7 +9,7 @@ This module deploys a firewall. | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | -| `Microsoft.Network/azureFirewalls` | 2021-02-01 | +| `Microsoft.Network/azureFirewalls` | 2021-03-01 | | `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters 
@@ -103,5 +103,5 @@ The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetw - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) -- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/azureFirewalls) +- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/azureFirewalls) - [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) diff --git a/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json new file mode 100644 index 0000000000..93d66698ea --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/min.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-fwpol-x-001" + } + } +} diff --git a/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json new file mode 100644 index 0000000000..a3254fca0e --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/.parameters/parameters.json 
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-fwpol-x-002" + }, + "ruleCollectionGroups": { + "value": [ + { + "name": "sxx-rule-001", + "priority": 5000, + "ruleCollections": [ + { + "name": "collection002", + "priority": 5555, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "rule002", + "ipProtocols": [ + "TCP", + "UDP" + ], + "destinationPorts": [ + "80" + ], + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [], + "ruleType": "NetworkRule", + "destinationIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationFqdns": [] + } + ], + "ruleCollectionType": "FirewallPolicyFilterRuleCollection" + } + ] + } + ] + } + } +} diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep new file mode 100644 index 0000000000..9de4789a19 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
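Review bot: The sample rule `rule002` in `ruleCollectionGroups` is an `Allow` network rule from `"sourceAddresses": ["*"]` to `"destinationAddresses": ["*"]` on TCP and UDP port 80, i.e. any-to-any on that port. For a deployment-validation fixture that is acceptable, but `.parameters` files tend to be copied as starting points, and a narrower example (a specific source range and destination address, or a single protocol) would exercise the schema equally well without modelling a permissive rule. If the wildcard is intentional to keep the fixture environment-agnostic, a sentence in the module readme's parameter-usage section saying so would make that explicit.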
@@ -0,0 +1,189 @@ +@description('Required. Name of the Firewall Policy.') +param name string + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Tags of the Firewall policy resource.') +param tags object = {} + +@description('Optional. Enables system assigned managed identity on the resource.') +param systemAssignedIdentity bool = false + +@description('Optional. The ID(s) to assign to the resource.') +param userAssignedIdentities object = {} + +@description('Optional. Resource ID of the base policy.') +param basePolicyResourceId string = '' + +@description('Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy.') +param enableProxy bool = false + +@description('Optional. FQDNs in Network Rules are supported when set to true.') +param requireProxyForNetworkRules bool = false + +@description('Optional. List of Custom DNS Servers.') +param servers array = [] + +@description('Optional. A flag to indicate if the insights are enabled on the policy.') +param insightsIsEnabled bool = false + +@description('Optional. Default Log Analytics Resource ID for Firewall Policy Insights.') +param defaultWorkspaceId string = '' + +@description('Optional. List of workspaces for Firewall Policy Insights.') +param workspaces array = [] + +@description('Optional. Number of days the insights should be enabled on the policy.') +param retentionDays int = 365 + +@description('Optional. List of rules for traffic to bypass.') +param bypassTrafficSettings array = [] + +@description('Optional. List of specific signatures states.') +param signatureOverrides array = [] + +@description('Optional. The configuring of intrusion detection.') +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param mode string = 'Off' + +@description('Optional. Tier of Firewall Policy.') +@allowed([ + 'Premium' + 'Standard' +]) +param tier string = 'Standard' + +@description('Optional. 
List of private IP addresses/IP address ranges to not be SNAT.') +param privateRanges array = [] + +@description('Optional. The operation mode for Threat Intel.') +@allowed([ + 'Alert' + 'Deny' + 'Off' +]) +param threatIntelMode string = 'Off' + +@description('Optional. List of FQDNs for the ThreatIntel Allowlist.') +param fqdns array = [] + +@description('Optional. List of IP addresses for the ThreatIntel Allowlist.') +param ipAddresses array = [] + +@description('Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. ') +param keyVaultSecretId string = '' + +@description('Optional. Name of the CA certificate.') +param certificateName string = '' + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' + +@description('Optional. Rule collection groups.') +param ruleCollectionGroups array = [] + +@description('Optional. Rule groups.') +param ruleGroups array = [] + +var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') + +var identity = identityType != 'None' ? { + type: identityType + userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +} : null + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' = { + name: name + location: location + tags: tags + identity: identity + properties: { + basePolicy: !empty(basePolicyResourceId) ? { + id: basePolicyResourceId + } : null + dnsSettings: enableProxy ? { + enableProxy: enableProxy + requireProxyForNetworkRules: requireProxyForNetworkRules + servers: servers + } : null + insights: insightsIsEnabled ? 
{ + isEnabled: insightsIsEnabled + logAnalyticsResources: { + defaultWorkspaceId: { + id: !empty(defaultWorkspaceId) ? defaultWorkspaceId : null + } + workspaces: !empty(workspaces) ? workspaces : null + } + retentionDays: retentionDays + } : null + intrusionDetection: (mode != 'Off') ? { + configuration: { + bypassTrafficSettings: !empty(bypassTrafficSettings) ? bypassTrafficSettings : null + signatureOverrides: !empty(signatureOverrides) ? signatureOverrides : null + } + mode: mode + } : null + sku: { + tier: tier + } + snat: !empty(privateRanges) ? { + privateRanges: privateRanges + } : null + threatIntelMode: threatIntelMode + threatIntelWhitelist: { + fqdns: fqdns + ipAddresses: ipAddresses + } + transportSecurity: (!empty(keyVaultSecretId) || !empty(certificateName)) ? { + certificateAuthority: { + keyVaultSecretId: !empty(keyVaultSecretId) ? keyVaultSecretId : null + name: !empty(certificateName) ? certificateName : null + } + } : null + } +} + +module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in ruleCollectionGroups: { + name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleCollectionGroups-${index}' + params: { + firewallPolicyName: firewallPolicy.name + name: ruleCollectionGroup.name + priority: ruleCollectionGroup.priority + ruleCollections: ruleCollectionGroup.ruleCollections + } + dependsOn: [ + firewallPolicy + ] +}] + +module firewallPolicy_ruleGroups 'ruleGroups/deploy.bicep' = [for (ruleGroup, index) in ruleGroups: { + name: '${uniqueString(deployment().name, location)}-firewallPolicy_ruleGroups-${index}' + params: { + firewallPolicyName: firewallPolicy.name + name: ruleGroup.name + priority: ruleGroup.priority + rules: ruleGroup.rules + } + dependsOn: [ + firewallPolicy + ] +}] + +@description('The name of the deployed firewall policy') +output firewallPolicyName string = firewallPolicy.name + +@description('The resource ID of the deployed firewall policy') +output 
firewallPolicyResourceId string = firewallPolicy.id + +@description('The resource group of the deployed firewall policy') +output firewallPolicyResourceGroup string = resourceGroup().name diff --git a/arm/Microsoft.Network/firewallPolicies/readme.md b/arm/Microsoft.Network/firewallPolicies/readme.md new file mode 100644 index 0000000000..b73761e0e2 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/readme.md 
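Review bot: `param threatIntelMode string = 'Off'` makes the module disable threat-intelligence filtering unless the caller opts in; as far as I recall the service's own default for a new policy is `Alert`, so consumers who take the module defaults end up with a weaker posture than the portal gives them, and it is worth either changing to `param threatIntelMode string = 'Alert'` or stating in the `@description` that the default is more permissive than the platform default. Also, `dnsSettings` is emitted only when `enableProxy` is true, so `servers` and `requireProxyForNetworkRules` are silently discarded when a caller supplies custom DNS servers without the proxy; if that combination is meant to be unsupported, the `@description` of `servers` should say so, otherwise gate on `dnsSettings: (enableProxy || !empty(servers)) ? {`. The `dependsOn: [ firewallPolicy ]` entries on both child-module loops are redundant, since `firewallPolicyName: firewallPolicy.name` already creates the dependency.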
@@ -0,0 +1,86 @@ +# Network Firewall Policies `[Microsoft.Network/firewallPolicies]` + +This module deploys Network Firewall Policies. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies` | 2021-03-01 | +| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | 2021-03-01 | +| `Microsoft.Network/firewallPolicies/ruleGroups` | 2020-04-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `basePolicyResourceId` | string | | | Optional. Resource ID of the base policy. | +| `bypassTrafficSettings` | array | `[]` | | Optional. List of rules for traffic to bypass. | +| `certificateName` | string | | | Optional. Name of the CA certificate. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `defaultWorkspaceId` | string | | | Optional. Default Log Analytics Resource ID for Firewall Policy Insights. | +| `enableProxy` | bool | | | Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy. | +| `fqdns` | array | `[]` | | Optional. List of FQDNs for the ThreatIntel Allowlist. | +| `insightsIsEnabled ` | bool | | | Optional. A flag to indicate if the insights are enabled on the policy. | +| `ipAddresses` | array | `[]` | | Optional. List of IP addresses for the ThreatIntel Allowlist. | +| `keyVaultSecretId` | string | | | Optional. Secret Id of (base-64 encoded unencrypted pfx) Secret or Certificate object stored in KeyVault. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `mode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The configuring of intrusion detection. | +| `name` | string | | | Required. Name of the Firewall Policy. | +| `privateRanges` | array | `[]` | | Optional. List of private IP addresses/IP address ranges to not be SNAT. 
| +| `requireProxyForNetworkRules` | bool | | | Optional. FQDNs in Network Rules are supported when set to true. | +| `retentionDays` | int | `365` | | Optional. Number of days the insights should be enabled on the policy. | +| `ruleCollectionGroups` | _[ruleCollectionGroups](ruleCollectionGroups/readme.md)_ array | `[]` | | Optional. Rule collection groups. | +| `ruleGroups` | _[ruleGroups](ruleGroups/readme.md)_ array | `[]` | | Optional. Rule groups. | +| `servers` | array | `[]` | | Optional. List of Custom DNS Servers. | +| `signatureOverrides` | array | `[]` | | Optional. List of specific signatures states. | +| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Optional. Tags of the Firewall policy resource. | +| `threatIntelMode` | string | `Off` | `[Alert, Deny, Off]` | Optional. The operation mode for Threat Intel. | +| `tier` | string | `Standard` | `[Premium, Standard]` | Optional. Tier of Firewall Policy. | +| `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | +| `workspaces` | array | `[]` | | Optional. List of workspaces for Firewall Policy Insights. | + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +}, +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `firewallPolicyName` | string | The name of the deployed firewall policy | +| `firewallPolicyResourceGroup` | string | The resource group of the deployed firewall policy | +| `firewallPolicyResourceId` | string | The resource ID of the deployed firewall policy | + +## Template references + +- [Firewallpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies) +- [Firewallpolicies/Rulecollectiongroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies/ruleCollectionGroups) +- [Firewallpolicies/Rulegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-04-01/firewallPolicies/ruleGroups) diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + 
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep new file mode 100644 index 0000000000..e34b330d2c --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep @@ -0,0 +1,41 @@ +@description('Required. Name of the Firewall Policy.') +param firewallPolicyName string + +@description('Required. The name of the rule collection group to deploy') +param name string + +@description('Required. Priority of the Firewall Policy Rule Collection Group resource.') +param priority int + +@description('Optional. Group of Firewall Policy rule collections.') +param ruleCollections array = [] + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { + name: firewallPolicyName +} + +resource ruleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-03-01' = { + name: name + parent: firewallPolicy + properties: { + priority: priority + ruleCollections: ruleCollections + } +} + +@description('The name of the deployed rule collection group') +output ruleCollectionGroupName string = ruleCollectionGroup.name + +@description('The resource ID of the deployed rule collection group') +output ruleCollectionGroupResourceId string = ruleCollectionGroup.id + +@description('The resource group of the deployed rule collection group') +output ruleCollectionGroupResourceGroup string = resourceGroup().name diff --git a/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md new file mode 100644 index 0000000000..058596d729 --- /dev/null 
+++ b/arm/Microsoft.Network/firewallPolicies/ruleCollectionGroups/readme.md 
@@ -0,0 +1,46 @@ +# Network Firewall Policies Rule Collection Groups `[Microsoft.Network/firewallPolicies/ruleCollectionGroups]` + +This module deploys Network Firewall Policies Rule Collection Groups. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | 2021-03-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `firewallPolicyName` | string | | | Required. Name of the Firewall Policy. | +| `name` | string | | | Required. The name of the rule collection group to deploy | +| `priority` | int | | | Required. Priority of the Firewall Policy Rule Collection Group resource. | +| `ruleCollections` | array | `[]` | | Optional. Group of Firewall Policy rule collections. | + +### Parameter Usage: `ruleCollections` + +For remaining properties, see [FirewallPolicyRuleCollection objects](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/firewallpolicies/rulecollectiongroups?tabs=json#firewallpolicyrulecollection-objects) + +```json +"ruleCollections": [ + { + "name": "string", + "priority": "int", + "ruleCollectionType": "string" + // For remaining properties, see FirewallPolicyRuleCollection objects + } +] +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `ruleCollectionGroupName` | string | The name of the deployed rule collection group | +| `ruleCollectionGroupResourceGroup` | string | The resource group of the deployed rule collection group | +| `ruleCollectionGroupResourceId` | string | The resource ID of the deployed rule collection group | + +## Template references + +- [Firewallpolicies/Rulecollectiongroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/firewallPolicies/ruleCollectionGroups) 
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep new file mode 100644 index 0000000000..f5e365f7df --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/deploy.bicep @@ -0,0 +1,41 @@ +@description('Required. Name of the Firewall Policy.') +param firewallPolicyName string + +@description('Required. The name of the rule group to deploy') +param name string + +@description('Required. Priority of the Firewall Policy Rule Group resource.') +param priority int + +@description('Optional. Group of Firewall rules.') +param rules array = [] + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-03-01' existing = { + name: firewallPolicyName +} + +resource ruleGroup 'Microsoft.Network/firewallPolicies/ruleGroups@2020-04-01' = { + name: name + parent: firewallPolicy + properties: { + priority: priority + rules: rules + } +} + +@description('The name of the deployed rule group') +output ruleGroupName string = ruleGroup.name + +@description('The resource ID of the deployed rule group') +output ruleGroupResourceId string = ruleGroup.id + +@description('The resource group of the deployed rule group') +output ruleGroupResourceGroup string = resourceGroup().name 
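Review bot: `ruleGroup` is deployed at API version `2020-04-01` while its parent is resolved with `existing` at `2021-03-01`, and the sibling `ruleCollectionGroups` module uses `2021-03-01` throughout. My understanding is that `ruleGroups` is a legacy surface that later API versions replaced with `ruleCollectionGroups` (worth confirming against the provider's current schema); if so, the parent module's `@description('Optional. Rule groups.')` and this file should say so, so callers are steered to `ruleCollectionGroups` for new policies rather than mixing both. A comment above the resource such as `// NOTE(review): ruleGroups is pinned to 2020-04-01; confirm it is still supported before relying on it alongside ruleCollectionGroups` would capture that.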
diff --git a/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md b/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md new file mode 100644 index 0000000000..24cdf44aa1 --- /dev/null +++ b/arm/Microsoft.Network/firewallPolicies/ruleGroups/readme.md 
@@ -0,0 +1,46 @@ +# Network Firewall Policies Rule Groups `[Microsoft.Network/firewallPolicies/ruleGroups]` + +This module deploys Network FirewallPolicies Rule Groups. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/firewallPolicies/ruleGroups` | 2020-04-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `firewallPolicyName` | string | | | Required. Name of the Firewall Policy. | +| `name` | string | | | Required. The name of the rule group to deploy | +| `priority` | int | | | Required. Priority of the Firewall Policy Rule Group resource. | +| `rules` | array | `[]` | | Optional. Group of Firewall rules. | + +### Parameter Usage: `rules` + +For remaining properties, see [FirewallPolicyRule objects](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-04-01/firewallpolicies/rulegroups?tabs=json#firewallpolicyrule-objects) + +```json +"rules": [ + { + "name": "string", + "priority": "int", + "ruleType": "string" + // For remaining properties, see FirewallPolicyRule objects + } +] +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `ruleGroupName` | string | The name of the deployed rule group | +| `ruleGroupResourceGroup` | string | The resource group of the deployed rule group | +| `ruleGroupResourceId` | string | The resource ID of the deployed rule group | + +## Template references + +- [Firewallpolicies/Rulegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-04-01/firewallPolicies/ruleGroups) diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep index 946f15b004..0a7841ac89 100644 
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep @@ -5,10 +5,10 @@ param storageAccountName string @description('Optional. The name of the queue service') param queueServicesName string = 'default' -@description('The name of the storage queue to deploy') +@description('Required. The name of the storage queue to deploy') param name string -@description('A name-value pair that represents queue metadata.') +@description('Required. A name-value pair that represents queue metadata.') param metadata object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md index 3104ca58c9..0664c92dc1 100644 --- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/readme.md 
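Review bot: The new `@description('Required. A name-value pair that represents queue metadata.')` contradicts the declaration on the next line, `param metadata object = {}`, which has a default and is therefore optional. Change it to `@description('Optional. A name-value pair that represents queue metadata.')`; the matching row in `queues/readme.md` in this commit carries the same `Required.` prefix and should follow. The `name` change is correct, since `param name string` has no default.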
@@ -14,8 +14,8 @@ This module deployes a storage account queue | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | -| `metadata` | object | `{object}` | | A name-value pair that represents queue metadata. | -| `name` | string | | | The name of the storage queue to deploy | +| `metadata` | object | `{object}` | | Required. A name-value pair that represents queue metadata. | +| `name` | string | | | Required. The name of the storage queue to deploy | | `queueServicesName` | string | `default` | | Optional. The name of the queue service | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `storageAccountName` | string | | | Required. Name of the Storage Account. |