From 83d32ac909ba4da3e0ce9be7a69e8b61fec2b9a9 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Fri, 22 Oct 2021 09:36:47 +0200 Subject: [PATCH] Updated diagnostic settings & tests (#200) * Updated all bicep * Minor fixes + Implemented new-readme script + updated output + outdated 2 example readme * Added documentation * Updated empty module handling + minor fixes * Minor cleanup * Refreshed all readme's * Fixed several tests * Minor fixes * Cleanup * Updated tests to work directly with bicep (and not write an ARM file); added more testing capabilities; update endpoint api versions; cleanup * Updated docs * Updated repo readme generation to work without identifiers * Small adjustment * Updated readme titles & added primary resource * Enforce UTF8 encoding * Updated to latest PR + removed 2 redundant arm files + updated ReadMes * Updated locks * Updated non converted modules * Minor update * Updated logic * Refreshed templates again * Minor change * Renamed parameters * Renamed parameters * Updated further script analyzer issues * Updated output * Cleanup * Cleanup dependencies * Cleanup * Re-added considerations * Re-added considerations * Dummy change * Minor change * Update to latest * cleanup * Update to latest * Renamed platform workflows * Updated API versions * Fixed remaining tests Co-authored-by: MrMCake --- .github/workflows/ms.eventgrid.topics.yml | 10 +- .github/workflows/ms.keyvault.vaults.yml | 10 +- ...teReadMe.yml => platform.updateReadMe.yml} | 26 +- .../{wiki-sync.yml => platform.wiki-sync.yml} | 0 .../scripts/Set-GitHubReadMeModuleTable.ps1 | 65 +- .../workflows/scripts/Set-ModuleReadMe.ps1 | 441 ++++++ .../Get-ModulesAsMarkdownTable.ps1 | 206 ++- .../helper/Merge-FileWithNewContent.ps1 | 189 +++ README.md | 5 +- arm/.global/global.module.tests.ps1 | 985 +++++-------- arm/.global/shared/helper.psm1 | 39 + .../servers/.bicep/nested_rbac.bicep | 2 +- .../servers/deploy.bicep | 60 +- .../servers/readme.md | Bin 22878 -> 4740 bytes .../service/.bicep/nested_rbac.bicep | 2 +- .../service/deploy.bicep | 56 +- 
arm/Microsoft.ApiManagement/service/readme.md | Bin 20824 -> 9925 bytes .../serviceResources/apis/readme.md | Bin 11278 -> 5166 bytes .../authorizationServers/readme.md | Bin 10596 -> 4325 bytes .../serviceResources/backends/readme.md | Bin 17356 -> 7956 bytes .../serviceResources/caches/readme.md | Bin 4538 -> 1672 bytes .../serviceResources/namedValues/readme.md | Bin 5778 -> 2255 bytes .../serviceResources/products/readme.md | Bin 9068 -> 3867 bytes .../serviceResources/subscriptions/readme.md | Bin 6278 -> 2546 bytes .../policyAssignments/readme.md | 65 +- .../policyDefinitions/readme.md | 50 +- .../policyExemptions/readme.md | 52 +- .../policySetDefinitions/readme.md | 46 +- .../roleAssignments/readme.md | 43 +- .../roleDefinitions/readme.md | 51 +- arm/Microsoft.Automanage/accounts/readme.md | Bin 8518 -> 1833 bytes .../.bicep/nested_privateEndpoint.bicep | 4 +- .../.bicep/nested_rbac.bicep | 2 +- .../automationAccounts/deploy.bicep | 64 +- .../automationAccounts/readme.md | 111 +- .../softwareUpdateConfigurations/readme.md | 105 +- .../batchAccounts/deploy.bicep | 46 +- arm/Microsoft.Batch/batchAccounts/readme.md | 69 +- .../.bicep/nested_privateEndpoints.bicep | 2 +- .../accounts/.bicep/nested_rbac.bicep | 3 +- .../accounts/deploy.bicep | 56 +- .../accounts/readme.md | 86 +- .../availabilitySets/.bicep/nested_rbac.bicep | 2 +- .../availabilitySets/readme.md | 56 +- .../.bicep/nested_rbac.bicep | 2 +- .../diskEncryptionSets/readme.md | 50 +- .../galleries/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Compute/galleries/readme.md | 50 +- .../images/.bicep/nested_rbac.bicep | 2 +- .../galleriesResources/images/readme.md | 87 +- .../images/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Compute/images/readme.md | 56 +- .../.bicep/nested_rbac.bicep | 2 +- .../proximityPlacementGroups/readme.md | 50 +- .../.bicep/nested_rbac.bicep | 2 +- .../virtualMachineScaleSets/deploy.bicep | 56 +- .../virtualMachineScaleSets/deploy.json | 1299 ----------------- 
.../virtualMachineScaleSets/readme.md | 224 +-- .../virtualMachines/readme.md | 151 +- arm/Microsoft.Consumption/budgets/readme.md | 43 +- .../containerGroups/readme.md | 68 +- .../registries/readme.md | 69 +- .../managedClusters/.bicep/nested_rbac.bicep | 2 +- .../managedClusters/deploy.bicep | 97 +- .../managedClusters/readme.md | 144 +- arm/Microsoft.DataFactory/factories/readme.md | 91 +- .../workspaces/.bicep/nested_rbac.bicep | 2 +- .../workspaces/deploy.bicep | 115 +- arm/Microsoft.Databricks/workspaces/readme.md | 78 +- .../applications/deploy.bicep | 3 + .../applications/deploy.json | 101 -- .../applications/readme.md | 29 +- .../.bicep/nested_rbac.bicep | 2 +- .../applicationgroups/deploy.bicep | 44 +- .../applicationgroups/deploy.json | 320 ---- .../applicationgroups/readme.md | 71 +- .../hostpools/.bicep/nested_rbac.bicep | 2 +- .../hostpools/deploy.bicep | 75 +- .../hostpools/deploy.json | 462 ------ .../hostpools/readme.md | 99 +- .../workspaces/.bicep/nested_rbac.bicep | 2 +- .../workspaces/deploy.bicep | 54 +- .../workspaces/deploy.json | 315 ---- .../workspaces/readme.md | 71 +- .../.bicep/nested_privateEndpoint.bicep | 4 +- .../topics/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.EventGrid/topics/deploy.bicep | 61 +- arm/Microsoft.EventGrid/topics/deploy.json | 575 -------- arm/Microsoft.EventGrid/topics/readme.md | 66 +- .../.bicep/nested_privateEndpoint.bicep | 2 +- .../namespaces/.bicep/nested_rbac.bicep | 2 +- .../namespaces/deploy.bicep | 109 +- arm/Microsoft.EventHub/namespaces/readme.md | 106 +- .../namespacesResources/eventhubs/readme.md | 56 +- .../healthBots/.bicep/nested_rbac.bicep | 2 +- .../healthBots/deploy.bicep | 2 +- arm/Microsoft.HealthBot/healthBots/readme.md | 46 +- .../actionGroups/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Insights/actionGroups/readme.md | 69 +- .../.bicep/nested_rbac.bicep | 2 +- .../activityLogAlerts/readme.md | 56 +- .../components/.bicep/nested_rbac.bicep | 2 +- 
arm/Microsoft.Insights/components/readme.md | 58 +- .../diagnosticSettings/readme.md | 41 +- .../metricAlerts/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Insights/metricAlerts/readme.md | 67 +- .../.bicep/nested_privateEndpoint.bicep | 2 +- .../.bicep/nested_rbac.bicep | 2 +- .../privateLinkScopes/readme.md | 67 +- .../.bicep/nested_rbac.bicep | 2 +- .../scheduledQueryRules/readme.md | 80 +- .../.bicep/nested_privateEndpoint.bicep | 4 +- .../vaults/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.KeyVault/vaults/deploy.bicep | 61 +- arm/Microsoft.KeyVault/vaults/deploy.json | 626 -------- arm/Microsoft.KeyVault/vaults/readme.md | 102 +- .../workflows/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Logic/workflows/deploy.bicep | 47 +- arm/Microsoft.Logic/workflows/deploy.json | 414 ------ arm/Microsoft.Logic/workflows/readme.md | 99 +- .../.bicep/nested_privateEndpoint.bicep | 4 +- .../workspaces/.bicep/nested_rbac.bicep | 2 +- .../workspaces/deploy.bicep | 84 +- .../workspaces/readme.md | 88 +- .../.bicep/nested_rbac.bicep | 2 +- .../userAssignedIdentities/readme.md | 50 +- .../registrationDefinitions/readme.md | 42 +- .../managementGroups/readme.md | 55 +- .../.bicep/nested_capacityPool_rbac.bicep | 2 +- .../nested_capacityPool_volume_rbac.bicep | 2 +- .../netAppAccounts/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.NetApp/netAppAccounts/readme.md | 66 +- .../.bicep/nested_rbac.bicep | 2 +- .../applicationGateways/deploy.bicep | 66 +- .../applicationGateways/readme.md | Bin 44314 -> 10135 bytes .../.bicep/nested_rbac.bicep | 2 +- .../applicationSecurityGroups/readme.md | 47 +- .../azureFirewalls/.bicep/nested_rbac.bicep | 2 +- .../azureFirewalls/deploy.bicep | 108 +- .../azureFirewalls/readme.md | 85 +- .../bastionHosts/.bicep/nested_rbac.bicep | 2 +- .../bastionHosts/deploy.bicep | 96 +- arm/Microsoft.Network/bastionHosts/readme.md | 76 +- arm/Microsoft.Network/connections/readme.md | 63 +- .../.bicep/nested_rbac.bicep | 2 +- .../ddosProtectionPlans/readme.md | 49 
+- .../.bicep/nested_rbac.bicep | 2 +- .../expressRouteCircuits/deploy.bicep | 48 +- .../expressRouteCircuits/readme.md | 87 +- .../ipGroups/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Network/ipGroups/readme.md | 52 +- .../loadBalancers/.bicep/nested_rbac.bicep | 2 +- .../loadBalancers/deploy.bicep | 25 +- arm/Microsoft.Network/loadBalancers/readme.md | 71 +- .../.bicep/nested_rbac.bicep | 2 +- .../localNetworkGateways/readme.md | 60 +- .../natGateways/.bicep/nested_rbac.bicep | 2 +- .../natGateways/deploy.bicep | 76 +- arm/Microsoft.Network/natGateways/readme.md | 88 +- .../.bicep/nested_rbac.bicep | 2 +- .../networkSecurityGroups/deploy.bicep | 62 +- .../networkSecurityGroups/readme.md | 96 +- .../networkWatcherFlowLogs/deploy.bicep | 2 +- .../parameters/parameters.json | 10 - .../networkWatcherFlowLogs/readme.md | 60 +- .../networkWatchers/.bicep/nested_rbac.bicep | 2 +- .../networkWatchers/readme.md | 61 +- .../privateDnsZones/.bicep/nested_rbac.bicep | 2 +- .../privateDnsZones/readme.md | 48 +- .../privateEndpoints/.bicep/nested_rbac.bicep | 2 +- .../privateEndpoints/deploy.bicep | 2 +- .../privateEndpoints/readme.md | Bin 9450 -> 4365 bytes .../.bicep/nested_rbac.bicep | 2 +- .../publicIPAddresses/deploy.bicep | 66 +- .../publicIPAddresses/readme.md | Bin 9250 -> 4488 bytes .../publicIPPrefixes/.bicep/nested_rbac.bicep | 2 +- .../publicIPPrefixes/readme.md | 50 +- .../routeTables/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Network/routeTables/readme.md | 51 +- .../.bicep/nested_rbac.bicep | 2 +- .../trafficmanagerprofiles/deploy.bicep | 48 +- .../trafficmanagerprofiles/readme.md | 70 +- .../.bicep/nested_rbac.bicep | 2 +- .../virtualNetworkGateways/deploy.bicep | 143 +- .../virtualNetworkGateways/readme.md | 99 +- .../virtualNetworks/.bicep/nested_rbac.bicep | 2 +- .../virtualNetworks/deploy.bicep | 57 +- .../virtualNetworks/readme.md | 77 +- .../virtualNetworkPeerings/readme.md | 51 +- .../virtualWans/.bicep/nested_rbac.bicep | 2 +- 
arm/Microsoft.Network/virtualWans/readme.md | 81 +- .../workspaces/.bicep/nested_rbac.bicep | 2 +- .../workspaces/readme.md | 84 +- .../vaults/.bicep/nested_rbac.bicep | 2 +- .../vaults/deploy.bicep | 178 +-- .../vaults/readme.md | 78 +- .../deploymentScripts/readme.md | 74 +- .../resourceGroups/readme.md | 52 +- .../azureSecurityCenter/readme.md | 77 +- .../.bicep/nested_privateEndpoints.bicep | 3 +- .../namespaces/.bicep/nested_rbac.bicep | 2 +- .../namespaces/deploy.bicep | 60 +- arm/Microsoft.ServiceBus/namespaces/readme.md | 104 +- .../namespacesResources/queues/deploy.bicep | 2 +- .../namespacesResources/queues/readme.md | 71 +- .../managedInstances/.bicep/nested_rbac.bicep | 2 +- .../managedInstances/deploy.bicep | 65 +- arm/Microsoft.Sql/managedInstances/readme.md | 136 +- .../databases/deploy.bicep | 2 +- .../databases/readme.md | 102 +- .../servers/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Sql/servers/readme.md | 66 +- .../serversResources/databases/readme.md | 70 +- .../.bicep/nested_container_rbac.bicep | 2 +- .../.bicep/nested_fileShare_rbac.bicep | 2 +- .../.bicep/nested_privateEndpoint.bicep | 4 +- .../.bicep/nested_queue_rbac.bicep | 2 +- .../storageAccounts/.bicep/nested_rbac.bicep | 2 +- .../storageAccounts/deploy.bicep | 2 +- .../storageAccounts/readme.md | 131 +- .../imageTemplates/.bicep/nested_rbac.bicep | 2 +- .../imageTemplates/readme.md | 78 +- .../connections/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Web/connections/readme.md | 67 +- .../.bicep/nested_rbac.bicep | 2 +- .../hostingEnvironments/deploy.bicep | 25 +- .../hostingEnvironments/readme.md | 92 +- .../serverfarms/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Web/serverfarms/readme.md | 72 +- .../sites/.bicep/nested_privateEndpoint.bicep | 4 +- .../sites/.bicep/nested_rbac.bicep | 2 +- arm/Microsoft.Web/sites/deploy.bicep | 85 +- arm/Microsoft.Web/sites/readme.md | 129 +- arm/README.md | 4 +- .../readme.md | 36 +- .../managementGroup-structure/readme.md | 4 +- .../readme.md | 
44 +- 237 files changed, 5402 insertions(+), 9544 deletions(-) rename .github/workflows/{updateReadMe.yml => platform.updateReadMe.yml} (71%) rename .github/workflows/{wiki-sync.yml => platform.wiki-sync.yml} (100%) create mode 100644 .github/workflows/scripts/Set-ModuleReadMe.ps1 rename .github/workflows/scripts/{ => helper}/Get-ModulesAsMarkdownTable.ps1 (75%) create mode 100644 .github/workflows/scripts/helper/Merge-FileWithNewContent.ps1 create mode 100644 arm/.global/shared/helper.psm1 delete mode 100644 arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json delete mode 100644 arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json delete mode 100644 arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json delete mode 100644 arm/Microsoft.DesktopVirtualization/hostpools/deploy.json delete mode 100644 arm/Microsoft.DesktopVirtualization/workspaces/deploy.json delete mode 100644 arm/Microsoft.EventGrid/topics/deploy.json delete mode 100644 arm/Microsoft.KeyVault/vaults/deploy.json delete mode 100644 arm/Microsoft.Logic/workflows/deploy.json diff --git a/.github/workflows/ms.eventgrid.topics.yml b/.github/workflows/ms.eventgrid.topics.yml index 5a7f3a43ec..538b854eac 100644 --- a/.github/workflows/ms.eventgrid.topics.yml +++ b/.github/workflows/ms.eventgrid.topics.yml @@ -81,7 +81,7 @@ jobs: - name: "Test module" uses: ./.github/actions/templates/validateModuleDeploy with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' 
@@ -116,7 +116,7 @@ jobs: uses: ./.github/actions/templates/deployModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' @@ -146,7 +146,7 @@ jobs: - name: "Publish module" uses: ./.github/actions/templates/publishModule with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' componentTemplateSpecName: '${{ env.moduleName }}' @@ -178,5 +178,5 @@ jobs: uses: ./.github/actions/templates/removeModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' - resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/.github/workflows/ms.keyvault.vaults.yml b/.github/workflows/ms.keyvault.vaults.yml index 57520c4a72..bd732050eb 100644 --- a/.github/workflows/ms.keyvault.vaults.yml +++ b/.github/workflows/ms.keyvault.vaults.yml @@ -81,7 +81,7 @@ jobs: - name: "Test module" uses: ./.github/actions/templates/validateModuleDeploy with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' 
@@ -116,7 +116,7 @@ jobs: uses: ./.github/actions/templates/deployModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' @@ -146,7 +146,7 @@ jobs: - name: "Publish module" uses: ./.github/actions/templates/publishModule with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' componentTemplateSpecName: '${{ env.moduleName }}' @@ -178,5 +178,5 @@ jobs: uses: ./.github/actions/templates/removeModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' - resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/.github/workflows/updateReadMe.yml b/.github/workflows/platform.updateReadMe.yml similarity index 71% rename from .github/workflows/updateReadMe.yml rename to .github/workflows/platform.updateReadMe.yml index 33f9945621..35e5880119 100644 --- a/.github/workflows/updateReadMe.yml +++ b/.github/workflows/platform.updateReadMe.yml 
@@ -34,18 +34,18 @@ jobs: . "$env:GITHUB_WORKSPACE/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1" $functionInput = @{ - modulesPath = Join-Path $env:GITHUB_WORKSPACE 'arm' - filePath = Join-Path $env:GITHUB_WORKSPACE 'README.md' - organization = ($env:GITHUB_REPOSITORY).split('/')[0] - repositoryName = ($env:GITHUB_REPOSITORY).split('/')[1] - columnsInOrder = @('Name', 'TemplateType', 'Status') - sortByColumn = 'Name' + ModulesPath = Join-Path $env:GITHUB_WORKSPACE 'arm' + FilePath = Join-Path $env:GITHUB_WORKSPACE 'README.md' + Organization = ($env:GITHUB_REPOSITORY).split('/')[0] + RepositoryName = ($env:GITHUB_REPOSITORY).split('/')[1] + ColumnsInOrder = @('Name', 'TemplateType', 'Status') + SortByColumn = 'Name' } Write-Verbose "Invoke task with" -Verbose Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - Set-GitHubReadMeModuleTable @functionInput + Set-GitHubReadMeModuleTable @functionInput -Verbose - name: "Update module folder ReadMe" shell: pwsh @@ -54,17 +54,17 @@ jobs: . "$env:GITHUB_WORKSPACE/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1" $functionInput = @{ - modulesPath = Join-Path $env:GITHUB_WORKSPACE 'arm' - filePath = Join-Path $env:GITHUB_WORKSPACE 'arm/README.md' - organization = ($env:GITHUB_REPOSITORY).split('/')[0] - repositoryName = ($env:GITHUB_REPOSITORY).split('/')[1] - columnsInOrder = @('Name', 'ProviderNamespace','ResourceType','TemplateType') + ModulesPath = Join-Path $env:GITHUB_WORKSPACE 'arm' + FilePath = Join-Path $env:GITHUB_WORKSPACE 'arm/README.md' + Organization = ($env:GITHUB_REPOSITORY).split('/')[0] + RepositoryName = ($env:GITHUB_REPOSITORY).split('/')[1] + ColumnsInOrder = @('Name', 'ProviderNamespace','ResourceType','TemplateType') } Write-Verbose "Invoke task with" -Verbose Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - Set-GitHubReadMeModuleTable @functionInput + Set-GitHubReadMeModuleTable @functionInput -Verbose - name: "Push changes" shell: pwsh 
diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/platform.wiki-sync.yml similarity index 100% rename from .github/workflows/wiki-sync.yml rename to .github/workflows/platform.wiki-sync.yml diff --git a/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1 b/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1 index ae3e024116..91b067e796 100644 --- a/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1 +++ b/.github/workflows/scripts/Set-GitHubReadMeModuleTable.ps1 @@ -1,3 +1,5 @@ +#region Helper functions + <# .SYNOPSIS Update the given ReadMe file with the latest module table 
@@ -9,24 +11,24 @@ Note that the ReadMe file should have the following lines right before & after t - '' - '' -.PARAMETER filePath +.PARAMETER FilePath Mandatory. The path to the ReadMe file to update -.PARAMETER modulesPath +.PARAMETER ModulesPath Mandatory. The path to the modules folder to process -.PARAMETER repositoryName +.PARAMETER RepositoryName Mandatory. The name of the repository the modules are in (required to generate the correct links) -.PARAMETER organization -Mandatory. The name of the organization the modules are in (required to generate the correct links) +.PARAMETER Organization +Mandatory. The name of the Organization the modules are in (required to generate the correct links) -.PARAMETER columnsInOrder +.PARAMETER ColumnsInOrder Mandatory. The set of columns to add to the table in the order you expect them in the table. Available are 'Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy' & 'Status' .EXAMPLE -Set-GitHubReadMeModuleTable -filePath 'C:\readme.md' -modulesPath 'C:\arm' -repositoryName 'ResourceModules' -organization 'Azure' -columnsInOrder @('Name','Status') +Set-GitHubReadMeModuleTable -FilePath 'C:\readme.md' -ModulesPath 'C:\arm' -RepositoryName 'ResourceModules' -Organization 'Azure' -ColumnsInOrder @('Name','Status') Update the defined table section in the 'readme.md' file with a table that has the columns 'Name' & 'Status' #> 
@@ -35,52 +37,49 @@ function Set-GitHubReadMeModuleTable { [CmdletBinding(SupportsShouldProcess)] param ( [Parameter(Mandatory)] - [string] $filePath, + [string] $FilePath, [Parameter(Mandatory)] - [string] $modulesPath, + [string] $ModulesPath, [Parameter(Mandatory)] - [string] $repositoryName, + [string] $RepositoryName, [Parameter(Mandatory)] - [string] $organization, + [string] $Organization, [Parameter(Mandatory)] [ValidateSet('Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy', 'Status')] - [string[]] $columnsInOrder, + [string[]] $ColumnsInOrder, [Parameter(Mandatory = $false)] - [string] $sortByColumn = 'ProviderNamespace' + [string] $SortByColumn = 'ProviderNamespace' ) - # Load functions - . (Join-Path $PSScriptRoot 'Get-ModulesAsMarkdownTable.ps1') + # Load external functions + . (Join-Path $PSScriptRoot 'helper/Get-ModulesAsMarkdownTable.ps1') + . (Join-Path $PSScriptRoot 'helper/Merge-FileWithNewContent.ps1') # Logic - $contentArray = Get-Content -Path $filePath - $startIndex = [array]::IndexOf($contentArray, '') - $endIndex = [array]::IndexOf($contentArray, '') - - $startContent = $contentArray[0..$startIndex] - $endContent = $contentArray[$endIndex..$contentArray.Count] + $contentArray = Get-Content -Path $FilePath $tableStringInputObject = @{ - Path = $modulesPath - RepositoryName = $repositoryName - Organization = $organization - ColumnsInOrder = $columnsInOrder - sortByColumn = $sortByColumn + Path = $ModulesPath + RepositoryName = $RepositoryName + Organization = $Organization + ColumnsInOrder = $ColumnsInOrder + SortByColumn = $SortByColumn } $tableString = Get-ModulesAsMarkdownTable @tableStringInputObject - $newContent = (($startContent + $tableString + $endContent) | Out-String).TrimEnd() + $newContent = Merge-FileWithNewContent -oldContent $contentArray -newContent $tableString -sectionStartIdentifier '# Available Resource Modules' + + Write-Verbose 'New content:' + Write-Verbose '============' + Write-Verbose ($newContent 
| Out-String) - if ($PSCmdlet.ShouldProcess("File in path [$filePath]", 'Overwrite')) { - Set-Content -Path $filePath -Value $newContent -Force -NoNewline - Write-Verbose "File [$filePath] updated" -Verbose - Write-Verbose 'New content:' -Verbose - Write-Verbose '============' -Verbose - Write-Verbose ($newContent | Out-String) -Verbose + if ($PSCmdlet.ShouldProcess("File in path [$FilePath]", 'Overwrite')) { + Set-Content -Path $FilePath -Value $newContent -Force + Write-Verbose "File [$FilePath] updated" -Verbose } } diff --git a/.github/workflows/scripts/Set-ModuleReadMe.ps1 b/.github/workflows/scripts/Set-ModuleReadMe.ps1 new file mode 100644 index 0000000000..4770e3f956 --- /dev/null +++ b/.github/workflows/scripts/Set-ModuleReadMe.ps1 
@@ -0,0 +1,441 @@ +#requires -version 6.0 + +#region Helper functions +<# +.SYNOPSIS +Get a list of all resources (provider + service) in the given template content + +.DESCRIPTION +Get a list of all resources (provider + service) in the given template content. Crawls through any children & nested deployment templates. + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.EXAMPLE +Get-NestedResourceList -TemplateFileContent @{ resource = @{}; ... } + +Returns a list of all resources in the given template object +#> +function Get-NestedResourceList { + + [CmdletBinding()] + param( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent + ) + + $res = @() + $currLevelResources = @() + if ($TemplateFileContent.resources) { + $currLevelResources += $TemplateFileContent.resources + } + foreach ($resource in $currLevelResources) { + $res += $resource + + if ($resource.type -eq 'Microsoft.Resources/deployments') { + $res += Get-NestedResourceList -TemplateFileContent $resource.properties.template + } else { + $res += Get-NestedResourceList -TemplateFileContent $resource + } + } + return $res +} + +<# +.SYNOPSIS +Update the 'Resource Types' section of the given readme file + +.DESCRIPTION +Update the 'Resource Types' section of the given readme file +The section is added at the end if it does not exist + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER ReadMeFileContent +Mandatory. The readme file content array to update + +.PARAMETER SectionStartIdentifier +Optional. The identifier of the 'outputs' section. Defaults to '## Resource Types' + +.PARAMETER ResourceTypesToExclude +Optional. The resource types to exclude from the list. By default excludes 'Microsoft.Resources/deployments' + +.EXAMPLE +Set-ResourceTypesSection -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) 
+ +Update the given readme file's 'Resource Types' section based on the given template file content +#> +function Set-ResourceTypesSection { + + [CmdletBinding(SupportsShouldProcess)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'ResourceTypesToExclude', Justification = 'Variable used inside Where-Object block.')] + param ( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory)] + [object[]] $ReadMeFileContent, + + [Parameter(Mandatory = $false)] + [string] $SectionStartIdentifier = '## Resource Types', + + [Parameter(Mandatory = $false)] + [string[]] $ResourceTypesToExclude = @('Microsoft.Resources/deployments') + ) + + # Process content + $sectionContent = [System.Collections.ArrayList]@( + '| Resource Type | Api Version |', + '| :-- | :-- |' + ) + + $relevantResourceTypes = Get-NestedResourceList $TemplateFileContent | Where-Object { + $_.type -notin $ResourceTypesToExclude -and $_ + } | Select-Object 'Type', 'ApiVersion' -Unique | Sort-Object Type + + foreach ($resourceType in $relevantResourceTypes) { + $sectionContent += ('| `{0}` | {1} |' -f $resourceType.type, $resourceType.apiVersion) + } + + # Build result + if ($PSCmdlet.ShouldProcess('Original file with new resource type content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $sectionContent -SectionStartIdentifier $SectionStartIdentifier + } + return $updatedFileContent +} + +<# +.SYNOPSIS +Update the 'parameters' section of the given readme file + +.DESCRIPTION +Update the 'parameters' section of the given readme file +The section is added at the end if it does not exist + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER ReadMeFileContent +Mandatory. The readme file content array to update + +.PARAMETER SectionStartIdentifier +Optional. The identifier of the 'outputs' section. 
Defaults to '## Parameters' + +.EXAMPLE +Set-ParametersSection -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) + +Update the given readme file's 'Parameters' section based on the given template file content +#> +function Set-ParametersSection { + + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory)] + [object[]] $ReadMeFileContent, + + [Parameter(Mandatory = $false)] + [string] $SectionStartIdentifier = '## Parameters' + ) + + # Process content + $sectionContent = [System.Collections.ArrayList]@( + '| Parameter Name | Type | Default Value | Possible Values | Description |', + '| :-- | :-- | :-- | :-- | :-- |' + ) + + foreach ($paramName in ($templateFileContent.parameters.Keys | Sort-Object)) { + $param = $TemplateFileContent.parameters[$paramName] + $type = $param.type + $defaultValue = ($param.defaultValue -is [array]) ? ('[{0}]' -f ($param.defaultValue -join ', ')) : (($param.defaultValue -is [hashtable]) ? '{object}' : $param.defaultValue) + $allowed = ($param.allowedValues -is [array]) ? ('[{0}]' -f ($param.allowedValues -join ', ')) : (($param.allowedValues -is [hashtable]) ? '{object}' : $param.allowedValues) + $description = $param.metadata.description + $sectionContent += ('| `{0}` | {1} | {2} | {3} | {4} |' -f $paramName, $type, (($defaultValue) ? "``$defaultValue``" : ''), (($allowed) ? 
"``$allowed``" : ''), $description) + } + + # Build result + if ($PSCmdlet.ShouldProcess('Original file with new parameters content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $sectionContent -SectionStartIdentifier $SectionStartIdentifier + } + return $updatedFileContent +} + +<# +.SYNOPSIS +Update the 'outputs' section of the given readme file + +.DESCRIPTION +Update the 'outputs' section of the given readme file +The section is added at the end if it does not exist + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER ReadMeFileContent +Mandatory. The readme file content array to update + +.PARAMETER SectionStartIdentifier +Optional. The identifier of the 'outputs' section. Defaults to '## Outputs' + +.EXAMPLE +Set-OutputsSection -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) + +Update the given readme file's 'Outputs' section based on the given template file content +#> +function Set-OutputsSection { + + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory)] + [object[]] $ReadMeFileContent, + + [Parameter(Mandatory = $false)] + [string] $SectionStartIdentifier = '## Outputs' + ) + + # Process content + if ($TemplateFileContent.outputs.Values.metadata) { + # Template has output descriptions + $sectionContent = [System.Collections.ArrayList]@( + '| Output Name | Type | Description |', + '| :-- | :-- | :-- |' + ) + foreach ($outputName in ($templateFileContent.outputs.Keys | Sort-Object)) { + $output = $TemplateFileContent.outputs[$outputName] + $sectionContent += ("| ``{0}`` | {1} | {2} |" -f $outputName, $output.type, $output.metadata.description) + } + } else { + $sectionContent = [System.Collections.ArrayList]@( + '| Output Name | Type |', + '| :-- | :-- |' + ) + foreach ($outputName in 
($templateFileContent.outputs.Keys | Sort-Object)) { + $output = $TemplateFileContent.outputs[$outputName] + $sectionContent += ("| ``{0}`` | {1} |" -f $outputName, $output.type) + } + } + + # Build result + if ($PSCmdlet.ShouldProcess('Original file with new output content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $sectionContent -SectionStartIdentifier $SectionStartIdentifier + } + return $updatedFileContent +} + +<# +.SYNOPSIS +Update the 'Template references' section of the given readme file + +.DESCRIPTION +Update the 'Template references' section of the given readme file +The section is added at the end if it does not exist + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER ReadMeFileContent +Mandatory. The readme file content array to update + +.PARAMETER SectionStartIdentifier +Optional. The identifier of the 'outputs' section. Defaults to '## Template references' + +.PARAMETER ResourceTypesToExclude +Optional. The resource types to exclude from the list. By default excludes 'Microsoft.Resources/deployments' + +.EXAMPLE +Set-ResourceTypesSection -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) 
+ +Update the given readme file's 'Template references' section based on the given template file content +#> +function Set-TemplateReferencesSection { + + [CmdletBinding(SupportsShouldProcess)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'ResourceTypesToExclude', Justification = 'Variable used inside Where-Object block.')] + param ( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory)] + [object[]] $ReadMeFileContent, + + [Parameter(Mandatory = $false)] + [string] $SectionStartIdentifier = '## Template references', + + [Parameter(Mandatory = $false)] + [string[]] $ResourceTypesToExclude = @('Microsoft.Resources/deployments') + ) + + # Process content + $sectionContent = [System.Collections.ArrayList]@() + + $relevantResourceTypes = Get-NestedResourceList $TemplateFileContent | Where-Object { + $_.type -notin $ResourceTypesToExclude -and $_ -and $_.type -notlike '*/providers/*' + } | Select-Object 'Type', 'ApiVersion' -Unique | Sort-Object Type + + $TextInfo = (Get-Culture).TextInfo + foreach ($resourceType in $relevantResourceTypes) { + $Type, $Resource = $resourceType.Type -split '/', 2 + $sectionContent += ('- [{0}](https://docs.microsoft.com/en-us/azure/templates/{1}/{2}/{3})' -f $TextInfo.ToTitleCase($Resource), $Type, $resourceType.ApiVersion, $Resource) + } + + # Build result + if ($PSCmdlet.ShouldProcess('Original file with new template references content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $sectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'list' + } + return $updatedFileContent +} +#endregion + +<# +.SYNOPSIS +Update/add the readme that matches the given template file + +.DESCRIPTION +Update/add the readme that matches the given template file +Supports both ARM & bicep templates. + +.PARAMETER TemplateFilePath +Mandatory. 
The path to the template to update + +.PARAMETER ReadMeFilePath +Optional. The path to the readme to update. If not provided assumes a 'readme.md' file in the same folder as the template + +.PARAMETER SectionsToRefresh +Optional. The sections to update. By default it refreshes all that are supported. +Currently supports: 'Resource Types', 'Parameters', 'Outputs', 'Template references' + +.EXAMPLE +Set-ModuleReadMe -TemplateFilePath 'C:\deploy.bicep' + +Update the readme in path 'C:\readme.md' based on the bicep template in path 'C:\deploy.bicep' +#> +function Set-ModuleReadMe { + + [CmdletBinding(SupportsShouldProcess = $true)] + param ( + [Parameter(Mandatory)] + [string] $TemplateFilePath, + + [Parameter(Mandatory = $false)] + [string] $ReadMeFilePath = (Join-Path (Split-Path $TemplateFilePath -Parent) 'readme.md'), + + [Parameter(Mandatory = $false)] + [ValidateSet( + 'Resource Types', + 'Parameters', + 'Outputs', + 'Template references' + )] + [string[]] $SectionsToRefresh = @( + 'Resource Types', + 'Parameters', + 'Outputs', + 'Template references' + ) + ) + + # Load external functions + . 
(Join-Path $PSScriptRoot 'helper/Merge-FileWithNewContent.ps1') + + # Check template + $null = Test-Path $TemplateFilePath -ErrorAction Stop + + if ((Split-Path -Path $TemplateFilePath -Extension) -eq '.bicep') { + $templateFileContent = az bicep build --file $TemplateFilePath --stdout | ConvertFrom-Json -AsHashtable + } else { + $templateFileContent = ConvertFrom-Json (Get-Content $TemplateFilePath -Encoding 'utf8' -Raw) -ErrorAction Stop -AsHashtable + } + + # Check readme + if (-not (Test-Path $ReadMeFilePath) -or ([String]::IsNullOrEmpty((Get-Content $ReadMeFilePath -Raw)))) { + # Create new readme file + + # Build resource name + $TextInfo = (Get-Culture).TextInfo + $serviceIdentifiers = (Split-Path $TemplateFilePath -Parent).Replace('\', '/').split('/arm/')[1].Replace('Microsoft.', '').Split('/') | ForEach-Object { $TextInfo.ToTitleCase($_) } + $assumedResourceName = $serviceIdentifiers -join '' + + $initialContent = @( + "# $assumedResourceName", + '', + '// TODO: Replace Resource and fill in description', + '' + '## Resource Types', + '', + '## Parameters', + '', + '### Parameter Usage: ``' + '' + '// TODO: Fill in Parameter usage' + '', + '## Outputs', + '', + '## Template references' + ) + # New-Item $path $ReadMeFilePath -ItemType 'File' -Force -Value $initialContent + $readMeFileContent = $initialContent + } else { + $readMeFileContent = Get-Content -Path $ReadMeFilePath -Encoding 'utf8' + } + + # Update title + $fullResourcePath = (Split-Path $TemplateFilePath -Parent).Replace('\', '/').Split('arm/')[1] + if ($readMeFileContent[0] -notlike "*$fullResourcePath*") { + $readMeFileContent[0] = '{0} `[{1}]`' -f $readMeFileContent[0], $fullResourcePath + } + + if ($SectionsToRefresh -contains 'Resource Types') { + # Handle [Resource Types] section + # =============================== + $inputObject = @{ + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + } + $readMeFileContent = Set-ResourceTypesSection @inputObject + } + + 
if ($SectionsToRefresh -contains 'Parameters') { + # Handle [Parameters] section + # =========================== + $inputObject = @{ + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + } + $readMeFileContent = Set-ParametersSection @inputObject + } + + if ($SectionsToRefresh -contains 'Outputs') { + # Handle [Outputs] section + # ======================== + $inputObject = @{ + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + } + $readMeFileContent = Set-OutputsSection @inputObject + } + + if ($SectionsToRefresh -contains 'Template references') { + # Handle [TemplateReferences] section + # =================================== + $inputObject = @{ + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + } + $readMeFileContent = Set-TemplateReferencesSection @inputObject + } + + Write-Verbose 'New content:' + Write-Verbose '============' + Write-Verbose ($readMeFileContent | Out-String) + + if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Overwrite')) { + Set-Content -Path $ReadMeFilePath -Value $readMeFileContent -Force -Encoding 'utf8' + Write-Verbose "File [$ReadMeFilePath] updated" -Verbose + } +} diff --git a/.github/workflows/scripts/Get-ModulesAsMarkdownTable.ps1 b/.github/workflows/scripts/helper/Get-ModulesAsMarkdownTable.ps1 similarity index 75% rename from .github/workflows/scripts/Get-ModulesAsMarkdownTable.ps1 rename to .github/workflows/scripts/helper/Get-ModulesAsMarkdownTable.ps1 index 2283c90e20..76409404cc 100644 --- a/.github/workflows/scripts/Get-ModulesAsMarkdownTable.ps1 +++ b/.github/workflows/scripts/helper/Get-ModulesAsMarkdownTable.ps1 @@ -1,4 +1,4 @@ -#region Helper functions +#region Helper functions <# .SYNOPSIS Generate the status Url for GitHub module action workflows 
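Review bot: in Set-ModuleReadMe.ps1, `$null = Test-Path $TemplateFilePath -ErrorAction Stop` does not stop on a missing template, because Test-Path returns `$false` for a non-existent path rather than raising an error; the failure only surfaces later from `az bicep build` or `Get-Content`. Replace it with `if (-not (Test-Path $TemplateFilePath)) { throw "Template [$TemplateFilePath] not found" }` and also check `$LASTEXITCODE` after `az bicep build --file $TemplateFilePath --stdout`, since a failed compile currently leaves `$templateFileContent` empty and the section functions then crawl nothing. Two smaller points in the same hunk: the section functions (`Set-OutputsSection`, `Set-TemplateReferencesSection`) only assign `$updatedFileContent` inside `ShouldProcess`, so under `-WhatIf` they return `$null`, which `Set-ModuleReadMe` assigns to `$readMeFileContent` and passes into the next function's mandatory `[object[]] $ReadMeFileContent`, producing a parameter error instead of a preview; and the help for `Set-TemplateReferencesSection` still reads "The identifier of the 'outputs' section" and shows `Set-ResourceTypesSection` in its `.EXAMPLE`.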
@@ -13,14 +13,14 @@ Mandatory. The name of the module to create the url for .PARAMETER provider Mandatory. The provider of the module to create the url for -.PARAMETER repositoryName +.PARAMETER RepositoryName Mandatory. The repository to create the url for -.PARAMETER organization -Mandatory. The organization the repository is hosted in to create the url for +.PARAMETER Organization +Mandatory. The Organization the repository is hosted in to create the url for .EXAMPLE -Get-PipelineStatusUrl -name 'servers' -provider 'Microsoft.AnalysisServices' -repositoryName 'ResourceModules' -organization 'Azure' +Get-PipelineStatusUrl -name 'servers' -provider 'Microsoft.AnalysisServices' -RepositoryName 'ResourceModules' -Organization 'Azure' Generate a status badge url for the 'service' module of the 'Microsoft.AnalysisServices' provider in repo 'Azure/ResourceModules' #> @@ -35,19 +35,19 @@ function Get-PipelineStatusUrl { [string] $provider, [Parameter(Mandatory)] - [string] $repositoryName, + [string] $RepositoryName, [Parameter(Mandatory)] - [string] $organization + [string] $Organization ) $shortProvider = $provider.Replace('Microsoft.', 'MS.') - $pipelineFileName = ('{0}.{1}.yml' -f $shortProvider, $name).Replace('\','/').Replace('/', '.').ToLower() + $pipelineFileName = ('{0}.{1}.yml' -f $shortProvider, $name).Replace('\', '/').Replace('/', '.').ToLower() $pipelineFileUri = ".github/workflows/$pipelineFileName" $pipelineName = (Get-Content -Path $pipelineFileUri)[0].TrimStart('name:').Replace('"', '').Trim() - $pipelineFileGitUri = 'https://github.com/{0}/{1}/actions/workflows/{2}' -f $organization, $repositoryName, $pipelineFileName + $pipelineFileGitUri = 'https://github.com/{0}/{1}/actions/workflows/{2}' -f $Organization, $RepositoryName, $pipelineFileName # Note: Bade name is automatically the pipeline name return ('[![{0}]({1}/badge.svg)]({1})' -f $pipelineName, $pipelineFileGitUri).Replace('\', '/') 
@@ -59,19 +59,19 @@ Get a properly formatted 'Deploy to Azure' button for the template in the given .DESCRIPTION Get a properly formatted 'Deploy to Azure' button for the template in the given path -NOTE: This function requires that the Repo lives inside the 'Azure' organization +NOTE: This function requires that the Repo lives inside the 'Azure' Organization .PARAMETER path Mandatory. The path to the module to generate the url for -.PARAMETER repositoryName +.PARAMETER RepositoryName Mandatory. The name of the repository the content is included in. .PARAMETER Organization -Mandatory. The name of the organization the code resides in +Mandatory. The name of the Organization the code resides in .EXAMPLE -Get-DeployToAzureUrl -path 'C:\Modules\MyModule' -repositoryName 'Modules' -organization 'Azure' +Get-DeployToAzureUrl -path 'C:\Modules\MyModule' -RepositoryName 'Modules' -Organization 'Azure' Generate an 'Deploy to Azure' button for module 'MyModule' #> @@ -79,26 +79,27 @@ function Get-DeployToAzureUrl { [CmdletBinding()] + [OutputType('System.String')] param ( [Parameter(Mandatory)] - [string] $path, + [string] $Path, [Parameter(Mandatory)] - [string] $repositoryName, + [string] $RepositoryName, [Parameter(Mandatory)] - [string] $organization + [string] $Organization ) - if (-not (Test-Path -Path "$path\deploy.json")) { - Write-Warning "ARM Template in path [$path\deploy.json] not found. Unable to generate 'Deploy to Azure' button." + if (-not (Test-Path -Path "$Path\deploy.json")) { + Write-Warning "ARM Template in path [$Path\deploy.json] not found. Unable to generate 'Deploy to Azure' button." return '' } - $baseUrl = "[![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]()" -f $baseUrl, ([System.Web.HttpUtility]::UrlEncode($templateUri))) + return ('{0}{1}>)' -f $baseUrl, ([System.Web.HttpUtility]::UrlEncode($templateUri))) } <# 
@@ -119,24 +120,24 @@ Get the resource name defined in the KeyVault-Module's readme. E.g. 'Key Vault' function Get-ResourceModuleName { [CmdletBinding()] + [OutputType('System.String')] param ( [Parameter(Mandatory)] - [string] $path + [string] $Path ) - if (-not (Test-Path "$path/readme.md")) { - Write-Warning "No [readme.md] found in folder [$path]" - return "" + if (-not (Test-Path "$Path/readme.md")) { + Write-Warning "No [readme.md] found in folder [$Path]" + return '' } - $moduleReadMeContent = Get-Content -Path "$path/readme.md" - $moduleName = $moduleReadMeContent[0].TrimStart('# ') + $moduleReadMeContent = Get-Content -Path "$Path/readme.md" + $moduleName = $moduleReadMeContent[0].TrimStart('# ').Split('`')[0].Trim() if (-not [String]::IsNullOrEmpty($moduleName)) { return $moduleName - } - else { - return "" + } else { + return '' } } @@ -160,14 +161,15 @@ May return a string like ':heavy_check_mark: | :heavy_check_mark: |' if both ARM function Get-TypeColumnString { [CmdletBinding()] + [OutputType('System.String')] param ( [Parameter(Mandatory)] - [string] $path + [string] $Path ) - $moduleFiles = Get-ChildItem -Path $path -File + $moduleFiles = Get-ChildItem -Path $Path -File - $outputString = "" + $outputString = '' # if ($moduleFiles.Name -contains 'deploy.json') { # # ARM exists @@ -179,10 +181,9 @@ function Get-TypeColumnString { if ($moduleFiles.Name -contains 'deploy.bicep') { # bicep exists - $outputString += ":heavy_check_mark:" - } - else { - $outputString += "" + $outputString += ':heavy_check_mark:' + } else { + $outputString += '' } return $outputString 
@@ -208,18 +209,18 @@ Check if the path 'C:\dev\ApiManagement' contains any number of nested modules function Measure-FolderHasNestedModule { [CmdletBinding()] + [OutputType('System.Boolean')] param ( [Parameter(Mandatory)] - [string] $path + [string] $Path ) # Get all folder paths that exist in the given path as long as they are not '.bicep' or 'parameters' folders # This works as long as the folder structure is consistent (e.g. no empty folders are created etc.) - $foundFolders = (Get-Childitem $path -Directory -Recurse -Exclude @('.bicep', 'parameters')).fullName + $foundFolders = (Get-ChildItem $Path -Directory -Recurse -Exclude @('.bicep', 'parameters')).fullName if ($foundFolders) { return $true - } - else { + } else { return $false } } @@ -243,11 +244,11 @@ Mandatory. List to populate/concat with additional modules .PARAMETER provider Mandatory. The current provider for this path -.PARAMETER columnsInOrder +.PARAMETER ColumnsInOrder Mandatory. The set of columns to add to the table in the order you expect them in the table. Available are 'Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy' & 'Status' -.PARAMETER sortByColumn +.PARAMETER SortByColumn Mandatory. The column to sort the table by. Can be either 'Name' or 'ProviderNamespace' 
@@ -255,10 +256,10 @@ Can be either 'Name' or 'ProviderNamespace' Mandatory. The name of the repository the code resides in .PARAMETER Organization -Mandatory. The name of the organization the code resides in +Mandatory. The name of the Organization the code resides in .EXAMPLE -> Get-ResolvedSubServiceRow -subPath 'C:\dev\Microsoft.ApiManagement\serviceResources' -concatedBase "Microsoft.ApiManagement\serviceResources" -output @() -provider 'Microsoft.ApiManagement' -columnsInOrder @('Name','ProviderNamespace') -sortByColumn 'Name' +> Get-ResolvedSubServiceRow -subPath 'C:\dev\Microsoft.ApiManagement\serviceResources' -concatedBase "Microsoft.ApiManagement\serviceResources" -output @() -provider 'Microsoft.ApiManagement' -ColumnsInOrder @('Name','ProviderNamespace') -SortByColumn 'Name' Adds a hashtable like @{ Name = 'Api Management'; 'Provider Namespace' = `Microsoft.ApiManagement` }. As the specified column for sorting is 'Name', the 'Provider Namespace' will be added to each entry. #> @@ -281,17 +282,17 @@ function Get-ResolvedSubServiceRow { [Parameter(Mandatory)] [ValidateSet('Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy', 'Status')] - [string[]] $columnsInOrder, + [string[]] $ColumnsInOrder, [Parameter(Mandatory)] - [ValidateSet("Name", "ProviderNamespace")] - [string] $sortByColumn, + [ValidateSet('Name', 'ProviderNamespace')] + [string] $SortByColumn, [Parameter(Mandatory = $true)] - [string] $repositoryName, + [string] $RepositoryName, [Parameter(Mandatory = $true)] - [string] $organization + [string] $Organization ) $subFolders = Get-ChildItem -Path $subPath -Directory -Recurse -Exclude @('.bicep', 'parameters') 
@@ -301,42 +302,40 @@ function Get-ResolvedSubServiceRow { $subFolderName = (Split-Path $subfolder -Leaf) $relativePath = Join-Path $concatedBase $subFolderName - $subName = $relativePath.Replace('\','/').Replace("$provider/", '').Replace('Resources/', '/') + $subName = $relativePath.Replace('\', '/').Replace("$provider/", '').Replace('Resources/', '/') $row = @{} - foreach ($column in $columnsInOrder) { + foreach ($column in $ColumnsInOrder) { switch ($column) { 'Name' { - $row['Name'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f (Get-ResourceModuleName -path $subfolder), $organization, $repositoryName, $relativePath.Replace('\', '/')) + $row['Name'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f (Get-ResourceModuleName -path $subfolder), $Organization, $RepositoryName, $relativePath.Replace('\', '/')) } 'ProviderNamespace' { # If we don't sort by provider, we have to add the provider to each row to ensure readability of each row - if ($sortByColumn -eq "Name") { - if ($provider -like "Microsoft.*") { + if ($SortByColumn -eq 'Name') { + if ($provider -like 'Microsoft.*') { # Shorten Microsoft to save some space - $shortProvider = "MS.{0}" -f ($provider.TrimStart('Microsoft.')) + $shortProvider = 'MS.{0}' -f ($provider.TrimStart('Microsoft.')) $row['ProviderNamespace'] += "``$shortProvider``" - } - else { + } else { $row['ProviderNamespace'] += "``$provider``" } - } - else { + } else { $row['ProviderNamespace'] = '' } } 'ResourceType' { - $row['ResourceType'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f $subName, $organization, $repositoryName, $relativePath.Replace('\', '/')) + $row['ResourceType'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f $subName, $Organization, $RepositoryName, $relativePath.Replace('\', '/')) } 'TemplateType' { $row['TemplateType'] += Get-TypeColumnString -path $subfolder } 'Deploy' { - $row['Deploy'] += Get-DeployToAzureUrl -path $subfolder -repositoryName $repositoryName 
-organization $organization + $row['Deploy'] += Get-DeployToAzureUrl -path $subfolder -RepositoryName $RepositoryName -Organization $Organization } 'Status' { - $row['Status'] += Get-PipelineStatusUrl -name $subName -provider $provider -repositoryName $repositoryName -organization $organization + $row['Status'] += Get-PipelineStatusUrl -name $subName -provider $provider -RepositoryName $RepositoryName -Organization $Organization } Default { Write-Warning "Column [$column] not existing. Available are: [Name|ProviderNamespace|ResourceType|TemplateType|Deploy|Status]" @@ -354,7 +353,7 @@ function Get-ResolvedSubServiceRow { Generate a markdown table for all modules in the given path. .DESCRIPTION -Generate a markdown table for all modules in the given path. Returns an array with one row for each service provider. +Generate a markdown table for all modules in the given path. Returns an array with one row for each service provider Folders should follow the structure: Microsoft.Sql @@ -371,15 +370,15 @@ Results in a table like "| SQL Managed Instances | `Microsoft.Sql` | [managedInstances](Microsoft.Sql/managedInstances) | :heavy_check_mark: / | "| SQL Managed Instances Database | | [managedInstances\databases](Microsoft.Sql\managedInstancesResources\databases) | :heavy_check_mark: / :heavy_check_mark: | -.PARAMETER path +.PARAMETER Path Mandatory. The path to resolve -.PARAMETER columnsInOrder +.PARAMETER ColumnsInOrder Optional. The set of columns to add to the table in the order you expect them in the table. Available are 'Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy' & 'Status' If no value is provided, all are added -.PARAMETER sortByColumn +.PARAMETER SortByColumn Optional. The column to sort the table by. Can be either 'Name' or 'ProviderNamespace' If no value is provided it defaults to 'ProviderNamespace' 
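Review bot: `$provider.TrimStart('Microsoft.')` in the 'ProviderNamespace' branch of `Get-ResolvedSubServiceRow` trims a character set, not a prefix: PowerShell binds the string argument to `String.TrimStart(char[])`, so every leading character in {M, i, c, r, o, s, f, t, .} is stripped, and a namespace whose name after the dot starts with one of those letters is truncated in the table. The same call appears in the `Get-ModulesAsMarkdownTable` hunk below. Under the existing `-like 'Microsoft.*'` guard use `$provider.Substring('Microsoft.'.Length)` or `$provider -replace '^Microsoft\.', ''`. `Get-PipelineStatusUrl` has the same pattern with `.TrimStart('name:')`, which only works because the workflow's `name:` key is followed by a space.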
@@ -388,7 +387,7 @@ If no value is provided it defaults to 'ProviderNamespace' Mandatory. The name of the repository the code resides in .PARAMETER Organization -Mandatory. The name of the organization the code resides in +Mandatory. The name of the Organization the code resides in .EXAMPLE Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' @@ -396,17 +395,17 @@ Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' Generate a markdown table for all modules in path 'C:\dev\Modules' with all default columns, sorted by 'Provider Namespace' .EXAMPLE -Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' -columnsInOrder @('Resource Type', 'Name') +Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' -ColumnsInOrder @('Resource Type', 'Name') Generate a markdown table for all modules in path 'C:\dev\Modules' with only the 'Resource Type' & 'Name' columns, sorted by 'Provider Namespace' .EXAMPLE -Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' -columnsInOrder @('Resource Type', 'Name') -sortByColumn 'Name' +Get-ModulesAsMarkdownTable -path 'C:\dev\Modules' -ColumnsInOrder @('Resource Type', 'Name') -SortByColumn 'Name' Generate a markdown table for all modules in path 'C:\dev\Modules' with only the 'Resource Type' & 'Name' columns, , sorted by 'Name' .EXAMPLE -Get-ModulesAsMarkdownTable -path 'C:\dev\ip\Azure-Modules\ResourceModules\arm' -repositoryName 'ResourceModules' -organization 'Azure' -columnsInOrder @('Name','TemplateType','Status','Deploy') +Get-ModulesAsMarkdownTable -path 'C:\dev\ip\Azure-Modules\ResourceModules\arm' -RepositoryName 'ResourceModules' -Organization 'Azure' -ColumnsInOrder @('Name','TemplateType','Status','Deploy') Generate a markdown table for all modules in path 'C:\dev\Modules' with only the 'Name','TemplateType','Status' &'Deploy' columns, sorted by 'Name' #> 
@@ -415,27 +414,27 @@ function Get-ModulesAsMarkdownTable { [CmdletBinding()] param ( [Parameter(Mandatory)] - [string] $path, + [string] $Path, [Parameter(Mandatory = $false)] [ValidateSet('Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy', 'Status')] - [string[]] $columnsInOrder = @('Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy'), + [string[]] $ColumnsInOrder = @('Name', 'ProviderNamespace', 'ResourceType', 'TemplateType', 'Deploy'), [Parameter(Mandatory = $false)] - [ValidateSet("Name", "ProviderNamespace")] - [string] $sortByColumn = 'ProviderNamespace', + [ValidateSet('Name', 'ProviderNamespace')] + [string] $SortByColumn = 'ProviderNamespace', [Parameter(Mandatory = $true)] - [string] $repositoryName, + [string] $RepositoryName, [Parameter(Mandatory = $true)] - [string] $organization + [string] $Organization ) # Header # ------ - $headerRow = "|" - foreach ($column in $columnsInOrder) { + $headerRow = '|' + foreach ($column in $ColumnsInOrder) { switch ($column) { 'Name' { $headerRow += ' Name |' } 'ProviderNamespace' { $headerRow += ' Provider namespace |' } @@ -449,15 +448,15 @@ function Get-ModulesAsMarkdownTable { } } - $headerSubRow = "|" - for ($index = 0; $index -lt $columnsInOrder.Count; $index++) { + $headerSubRow = '|' + for ($index = 0; $index -lt $ColumnsInOrder.Count; $index++) { $headerSubRow += ' - |' } # Content # ------- $output = [System.Collections.ArrayList]@() - if ($topLevelFolders = Get-ChildItem -Path $path -Depth 1 -Filter "Microsoft.*") { + if ($topLevelFolders = Get-ChildItem -Path $Path -Depth 1 -Filter 'Microsoft.*') { $topLevelFolders = $topLevelFolders.FullName | Sort-Object } 
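Review bot: `Get-ChildItem -Path $Path -Depth 1 -Filter 'Microsoft.*'` in `Get-ModulesAsMarkdownTable` has no `-Directory` switch, so any file whose name matches `Microsoft.*` at depth 0 or 1 is also collected into `$topLevelFolders` and processed as a provider folder. Add `-Directory`, as `Measure-FolderHasNestedModule` and `Get-ResolvedSubServiceRow` already do for their `Get-ChildItem` calls.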
@@ -477,48 +476,45 @@ function Get-ModulesAsMarkdownTable { concatedBase = $concatedBase output = $output provider = $provider - columnsInOrder = $columnsInOrder - repositoryName = $repositoryName - sortByColumn = $sortByColumn - organization = $organization + ColumnsInOrder = $ColumnsInOrder + RepositoryName = $RepositoryName + SortByColumn = $SortByColumn + Organization = $Organization } $output = Get-ResolvedSubServiceRow @recursiveSubServiceInputObject - } - else { + } else { $row = @{} - foreach ($column in $columnsInOrder) { + foreach ($column in $ColumnsInOrder) { switch ($column) { 'Name' { - $row['Name'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f (Get-ResourceModuleName -path $containedFolder), $organization, $repositoryName, $concatedBase.Replace('\', '/')) + $row['Name'] = ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f (Get-ResourceModuleName -path $containedFolder), $Organization, $RepositoryName, $concatedBase.Replace('\', '/')) } 'ProviderNamespace' { - if ($previousProvider -eq $provider -and $sortByColumn -ne 'Name') { - $row['ProviderNamespace'] += "" - } - else { - if ($provider -like "Microsoft.*") { + if ($previousProvider -eq $provider -and $SortByColumn -ne 'Name') { + $row['ProviderNamespace'] += '' + } else { + if ($provider -like 'Microsoft.*') { # Shorten Microsoft to save some space - $shortProvider = "MS.{0}" -f ($provider.TrimStart('Microsoft.')) + $shortProvider = 'MS.{0}' -f ($provider.TrimStart('Microsoft.')) $row['ProviderNamespace'] += "``$shortProvider``" - } - else { + } else { $row['ProviderNamespace'] += "``$provider``" } $previousProvider = $provider } } 'ResourceType' { - $row['ResourceType'] += ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f $containedFolderName, $organization, $repositoryName, $concatedBase.Replace('\', '/')) + $row['ResourceType'] += ('[{0}](https://github.com/{1}/{2}/tree/main/arm/{3})' -f $containedFolderName, $Organization, $RepositoryName, 
$concatedBase.Replace('\', '/')) } 'TemplateType' { $row['TemplateType'] += Get-TypeColumnString -path $containedFolder } 'Deploy' { - $row['Deploy'] += Get-DeployToAzureUrl -path $containedFolder -repositoryName $repositoryName -organization $organization + $row['Deploy'] += Get-DeployToAzureUrl -path $containedFolder -RepositoryName $RepositoryName -Organization $Organization } 'Status' { - $row['Status'] += Get-PipelineStatusUrl -name $containedFolderName -provider $provider -repositoryName $repositoryName -organization $organization + $row['Status'] += Get-PipelineStatusUrl -name $containedFolderName -provider $provider -RepositoryName $RepositoryName -Organization $Organization } Default { Write-Warning "Column [$column] not existing. Available are: [Name|ProviderNamespace|ResourceType|TemplateType|Deploy|Status]" @@ -532,7 +528,7 @@ function Get-ModulesAsMarkdownTable { } # Validate order - if ($sortByColumn -eq 'Name') { + if ($SortByColumn -eq 'Name') { $output = $output | Sort-Object -Property 'Name' } @@ -542,12 +538,12 @@ function Get-ModulesAsMarkdownTable { $headerSubRow ) foreach ($rowColumns in $output) { - $rowString = "|" - foreach ($column in $columnsInOrder) { + $rowString = '|' + foreach ($column in $ColumnsInOrder) { $rowString += ' {0} |' -f $rowColumns[$column] } $table += $rowString } return $table -} \ No newline at end of file +} diff --git a/.github/workflows/scripts/helper/Merge-FileWithNewContent.ps1 b/.github/workflows/scripts/helper/Merge-FileWithNewContent.ps1 new file mode 100644 index 0000000000..b466969d88 --- /dev/null +++ b/.github/workflows/scripts/helper/Merge-FileWithNewContent.ps1 
@@ -0,0 +1,189 @@ +#region Helper functions +<# +.SYNOPSIS +Find the array index that represents the end of the current section + +.DESCRIPTION +Find the array index that represents the end of the current section +This index is identified by iterating through the subsequent array positions until a new chapter character (#) is found + +.PARAMETER ReadMeFileContent +Mandatory. The content array to search in + +.PARAMETER startIndex +Mandatory. The index to start the search from. Should usually be the current section's header index + +.EXAMPLE +Get-EndIndex -ReadMeFileContent @('# Title', '', '## Section 1', ...) -startIndex = 13 + +Start from index '13' onward for the index that concludes the current section in the given content array +#> +function Get-EndIndex { + + param( + [Parameter(Mandatory)] + [object[]] $ReadMeFileContent, + + [Parameter(Mandatory)] + [int] $startIndex, + + [Parameter(Mandatory = $false)] + [ValidateSet('table', 'list')] + [string] $ContentType = 'table' + ) + + # shift one further + $endIndex = $startIndex + 1 + + if ($endIndex -ge $readMeFileContent.Count) { + # We are at the end of the file + return $startIndex + } + + switch ($ContentType) { + 'list' { + # Identify end of list + while ($ReadMeFileContent[$endIndex].StartsWith('- ') -and -not ($endIndex -ge $readMeFileContent.Count - 1) -and -not $ReadMeFileContent[$endIndex].StartsWith('#')) { + $endIndex++ + } + } + 'table' { + # Identify end of table + while ($ReadMeFileContent[$endIndex].StartsWith('|') -and -not ($endIndex -ge $readMeFileContent.Count - 1) -and -not $ReadMeFileContent[$endIndex].StartsWith('#')) { + $endIndex++ + } + } + Default { + # Identify next section + while (-not $ReadMeFileContent[$endIndex].StartsWith('#') -and -not ($endIndex -ge $readMeFileContent.Count - 1)) { + $endIndex++ + } + } + } + + if ($ReadMeFileContent[$endIndex].StartsWith('#')) { + # We're already in the next section. 
Hence the section was empty + $endIndex-- + } + + return $endIndex +} +#endregion + +<# +.SYNOPSIS +Merge the sections prior & after the updated content with the new content into on connected content array + +.DESCRIPTION +Merge the sections prior & after the updated content with the new content into on connected content array + +.PARAMETER OldContent +Mandatory. The original content to update + +.PARAMETER NewContent +Mandatory. The new content to merge into the original + +.PARAMETER SectionStartIdentifier +Mandatory. The identifier/header to search for. If not found, the new section is added at the end of the content array + +.EXAMPLE +Merge-FileWithNewContent -OldContent @('# Title', '', '## Section 1', ...) -NewContent @('# Title', '', '## Section 1', ...) -SectionStartIdentifier '## Resource Types' + +Update the original content of the '## Resource Types' section with the newly provided +#> +function Merge-FileWithNewContent { + + [CmdletBinding()] + param ( + [Parameter(Mandatory)] + [object[]] $OldContent, + + [Parameter(Mandatory)] + [object[]] $NewContent, + + [Parameter(Mandatory)] + [string] $SectionStartIdentifier, + + [Parameter(Mandatory = $false)] + [ValidateSet('table', 'list')] + [string] $ContentType = 'table' + ) + + $startIndex = 0 + while (-not ($OldContent[$startIndex] -like "*$SectionStartIdentifier") -and -not ($startIndex -ge $OldContent.Count - 1)) { + $startIndex++ + } + + if ($startIndex -eq $OldContent.Count - 1) { + # Section is not existing (end of file) + $startContent = $OldContent + if ($OldContent[$startIndex] -ne $SectionStartIdentifier ) { + # Add section header + $startContent = $startContent + @('', $SectionStartIdentifier) + } + $endContent = @() + } else { + switch ($ContentType) { + 'table' { + $tableStartIndex = $startIndex + 1 + while (-not $OldContent[$tableStartIndex].StartsWith('|') -and -not ($tableStartIndex -ge $OldContent.count) -and -not ($OldContent[$tableStartIndex].StartsWith('#'))) { + $tableStartIndex++ + } 
+ if ($OldContent[$tableStartIndex].StartsWith('#')) { + # Seems like there is no table yet + $tableStartIndex = $startIndex + 1 + } + + $startContent = $OldContent[0..($tableStartIndex - 1)] + + if ($startIndex -eq $ReadMeFileContent.Count - 1) { + # Not found section until end of file. Assuming it does not exist + $endContent = @() + if ($ReadMeFileContent[$startIndex] -notcontains $SectionStartIdentifier) { + $NewContent = @('', $SectionStartIdentifier) + $NewContent + } + } else { + $endIndex = Get-EndIndex -ReadMeFileContent $OldContent -startIndex $tableStartIndex -ContentType $ContentType + if ($endIndex -ne $OldContent.Count - 1) { + $endContent = $OldContent[$endIndex..($OldContent.Count - 1)] + } + } + } + 'list' { + $listStartIndex = $startIndex + 1 + while (-not $OldContent[$listStartIndex].StartsWith('- ') -and -not ($listStartIndex -ge $OldContent.count) -and -not ($OldContent[$listStartIndex].StartsWith('# '))) { + $listStartIndex++ + } + if ($OldContent[$listStartIndex].StartsWith('#')) { + # Seems like there is no table yet + $listStartIndex = $listStartIndex + 1 + } + + + $startContent = $OldContent[0..($listStartIndex - 1)] + + if ($startIndex -eq $ReadMeFileContent.Count - 1) { + # Not found section until end of file. 
Assuming it does not exist + $endContent = @() + if ($ReadMeFileContent[$startIndex] -notcontains $SectionStartIdentifier) { + $NewContent = @('', $SectionStartIdentifier) + $NewContent + } + } else { + $endIndex = Get-EndIndex -ReadMeFileContent $OldContent -startIndex $listStartIndex -ContentType $ContentType + if ($endIndex -ne $OldContent.Count - 1) { + $endContent = $OldContent[$endIndex..($OldContent.Count - 1)] + } + } + } + Default {} + } + } + + # Add a little space + if ($startContent -and (-not [String]::IsNullOrEmpty($startContent[-1]))) { $startContent += @('') } + if ($endContent -and (-not [String]::IsNullOrEmpty($endContent[0]))) { $endContent = @('') + $endContent } + + # Build result + $NewContent = (($startContent + $NewContent + $endContent) | Out-String).TrimEnd().Replace("`r", '').Split("`n") + return $NewContent +} diff --git a/README.md b/README.md index 55cd961fc7..a51f674936 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ This repository includes a collection of advanced and curated Modules consisting * File an issue via [GitHub Issues](https://github.com/azure/ResourceModules/issues/new/choose) ## Available Resource Modules - + | Name | Bicep | Status | | - | - | - | | [Action Group](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Insights/actionGroups) | :heavy_check_mark: | [![Insights: Actiongroups](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | 
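Review bot: in `Merge-FileWithNewContent`, the `while` conditions of both the 'table' and 'list' branches call `$OldContent[$tableStartIndex].StartsWith('|')` (respectively `.StartsWith('- ')`) before the `-not ($tableStartIndex -ge $OldContent.count)` bound check, so when the scan runs off the end of the array the method is invoked on `$null` and errors before the guard can stop the loop; evaluate the bound first in each condition. In the same branches, `if ($startIndex -eq $ReadMeFileContent.Count - 1)` refers to `$ReadMeFileContent`, which is not a parameter of this function and only resolves through dynamic scoping from callers such as `Set-OutputsSection`; since the enclosing `else` is only entered when `$startIndex -ne $OldContent.Count - 1`, that block (including `$ReadMeFileContent[$startIndex] -notcontains $SectionStartIdentifier`, a `-notcontains` applied to a single string) is effectively dead and should be removed. Finally, the 'list' branch recovers from a missing list with `$listStartIndex = $listStartIndex + 1` (under a copy-pasted "no table yet" comment) where the 'table' branch resets to `$startIndex + 1`, so a new list would be inserted after the following section's header; and its stop condition `StartsWith('# ')` does not match `##` headers, so the scan also walks past subsequent sections looking for a `- ` line.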
@@ -124,7 +124,6 @@ This repository includes a collection of advanced and curated Modules consisting | [VirtualNetworkGatewayConnection](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/connections) | :heavy_check_mark: | [![Network: Connections](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | [VirtualNetworkPeering](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings) | :heavy_check_mark: | [![Network: Virtualnetworks Virtualnetworkpeerings](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.virtualnetworkpeerings.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.virtualnetworkpeerings.yml) | | [Web/Function App](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/sites) | :heavy_check_mark: | [![Web: Sites](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | - [MicrosoftAzureDocs]: -[PowerShellDocs]: \ No newline at end of file +[PowerShellDocs]: diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index 73ec76cf63..17fda5d10a 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 
@@ -1,444 +1,400 @@ #Requires -Version 7 param ( - [array] $moduleFolderPaths = ((Get-Childitem (Split-Path (Get-Location) -Parent) -Recurse -Directory).FullName | Where-Object { - (Get-Childitem $_ -File -Depth 0 -Include @('deploy.json', 'deploy.bicep')).Count -gt 0 + [array] $moduleFolderPaths = ((Get-ChildItem (Split-Path (Get-Location) -Parent) -Recurse -Directory).FullName | Where-Object { + (Get-ChildItem $_ -File -Depth 0 -Include @('deploy.json', 'deploy.bicep')).Count -gt 0 }) ) -$script:RGdeployment = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" -$script:Subscriptiondeployment = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#" -$script:MGdeployment = "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#" -$script:Tenantdeployment = "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#" +$script:RGdeployment = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' +$script:Subscriptiondeployment = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#' +$script:MGdeployment = 'https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#' +$script:Tenantdeployment = 'https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#' $script:moduleFolderPaths = $moduleFolderPaths +$script:moduleFolderPathsFiltered = $moduleFolderPaths | Where-Object { + (Split-Path $_ -Leaf) -notin @( 'AzureNetappFiles', 'TrafficManager', 'PrivateDnsZones', 'ManagementGroups') } -$locationTestExceptions = @( "AzureNetappFiles", "TrafficManager", "PrivateDnsZones", "ManagementGroups") -$script:folderPathsToScanExcludeRG = $moduleFolderPaths | Where-Object { (Split-Path $_ -Leaf) -notin $locationTestExceptions } +# Import any helper function used in this test script +Import-Module (Join-Path $PSScriptRoot 
'shared\helper.psm1') -foreach ($moduleFolderPath in $moduleFolderPaths) { - $templateFiles = (Get-ChildItem -Path $moduleFolderPath -Include @('deploy.json', 'deploy.bicep') -Depth 0).Name - if ($templateFiles -contains 'deploy.bicep' -and $templateFiles -notcontains 'deploy.json') { - Write-Verbose "Generate ARM file for [$moduleFolderPath]" - az bicep build -f (Join-Path $moduleFolderPath 'deploy.bicep') - } -} - -Describe "File/folder tests" -Tag Modules { +Describe 'File/folder tests' -Tag Modules { - Context "General module folder tests" { + Context 'General module folder tests' { $moduleFolderTestCases = [System.Collections.ArrayList] @() - foreach ($folderPath in $moduleFolderPaths) { + foreach ($moduleFolderPath in $moduleFolderPaths) { $moduleFolderTestCases += @{ - moduleFolderName = Split-Path $folderPath -Leaf - moduleFolderPath = $folderPath + moduleFolderName = $moduleFolderPath.Split('\arm\')[1] + moduleFolderPath = $moduleFolderPath } } - It "[] Module should contain a [deploy.json/deploy.bicep] file" -TestCases $moduleFolderTestCases { - param( [string] $folderPath ) + It '[] Module should contain a [deploy.json/deploy.bicep] file' -TestCases $moduleFolderTestCases { + param( [string] $moduleFolderPath ) $hasARM = (Test-Path (Join-Path -Path $moduleFolderPath 'deploy.json')) $hasBicep = (Test-Path (Join-Path -Path $moduleFolderPath 'deploy.bicep')) ($hasARM -or $hasBicep) | Should -Be $true } - It "[] Module should contain a [readme.md] file" -TestCases $moduleFolderTestCases { - param( [string] $folderPath ) + It '[] Module should contain a [readme.md] file' -TestCases $moduleFolderTestCases { + param( [string] $moduleFolderPath ) (Test-Path (Join-Path -Path $moduleFolderPath 'readme.md')) | Should -Be $true } - It "[] Module should contain a [parameters] folder" -TestCases $moduleFolderTestCases { - param( [string] $folderPath ) + It '[] Module should contain a [parameters] folder' -TestCases $moduleFolderTestCases { + param( [string] 
$moduleFolderPath ) (Test-Path (Join-Path -Path $moduleFolderPath 'parameters')) | Should -Be $true } } - Context "parameters folder" { - - $parameterFolderTestCases = [System.Collections.ArrayList] @() - $FilepathParamJsonFolder = @() - foreach ($folderPath in $moduleFolderPaths) { - $ParameterFilecount = Get-ChildItem -Path (Join-Path -Path $folderPath \parameters\) - if ($ParameterFilecount.count -eq 0) { - $FilepathParamJsonFolder += Get-ChildItem -Path $folderPath - } - else { - $FilepathParamJsonFolder += Get-ChildItem -Path (Join-Path -Path $folderPath 'parameters') - } + Context 'parameters folder' { - } - foreach ($File in $FilepathParamJsonFolder) { - if ($File.Directory.Name -eq "parameters") { - $directoryPath = $File.DirectoryName - $modulePath = Split-Path -Parent -Path $directoryPath - $moduleName = Split-Path $modulePath -Leaf - $parameterFolderTestCases += @{ - moduleFolderName = $moduleName - moduleFolderPath = $modulePath - parametersFileName = $File.Name - fileContent = $File.FullName - } - } - else { - if ($File.Name -eq "parameters") { - $missingModulePath = (Split-Path -Parent -Path $File.FullName) - $missingModuleName = Split-Path $missingModulePath -Leaf - $parameterFolderTestCases += @{ - moduleFolderName = $missingModuleName - moduleFolderPath = $missingModulePath - parametersFileName = "MissingFile" - fileContent = $null - } - } + $folderTestCases = [System.Collections.ArrayList]@() + foreach ($moduleFolderPath in $moduleFolderPaths) { + $folderTestCases += @{ + moduleFolderName = $moduleFolderPath.Split('\arm\')[1] + moduleFolderPath = $moduleFolderPath } } - - - It "[] folder should contain one or more *parameters.json files" -TestCases $parameterFolderTestCases { - param( - $moduleFolderName, - $moduleFolderPath, - $parametersFileName, - $fileContent - ) - $parametersFileName | Should -BeLike "*parameters.json" - } - - It "[] *parameters.json files in the parameters folder should not be empty" -TestCases $parameterFolderTestCases { + 
It '[] folder should contain one or more *parameters.json files' -TestCases $folderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $parametersFileName, - $fileContent + $moduleFolderPath ) - (Get-Content $fileContent) | Should -Not -Be $null + $parameterFolderPath = Join-Path $moduleFolderPath 'parameters' + (Get-ChildItem $parameterFolderPath -Filter '*parameters.json').Count | Should -BeGreaterThan 0 + } + + $parameterFolderFilesTestCases = [System.Collections.ArrayList] @() + foreach ($moduleFolderPath in $moduleFolderPaths) { + $parameterFolderPath = Join-Path $moduleFolderPath 'parameters' + if (Test-Path $parameterFolderPath) { + foreach ($parameterFile in (Get-ChildItem $parameterFolderPath -Filter '*parameters.json')) { + $parameterFolderFilesTestCases += @{ + moduleFolderName = Split-Path $moduleFolderPath -Leaf + parameterFilePath = $parameterFile.FullName + } + } + } } - It "[] *parameters.json files in the parameters folder should be valid JSON" -TestCases $parameterFolderTestCases { + It '[] *parameters.json files in the parameters folder should be valid json' -TestCases $parameterFolderFilesTestCases { param( $moduleFolderName, - $moduleFolderPath, - $parametersFileName, - $fileContent + $parameterFilePath ) - $TemplateContent = Get-Content $fileContent -Raw -ErrorAction SilentlyContinue - $TemplateContent | ConvertFrom-Json -ErrorAction SilentlyContinue | Should -Not -Be $Null - Test-Path $fileContent -PathType Leaf -Include '*.json' | Should -Be $true + (Get-Content $parameterFilePath) | ConvertFrom-Json } - } } -Describe "Readme tests" -Tag Readme { - Context "Readme content tests" { +Describe 'Readme tests' -Tag Readme { + + Context 'Readme content tests' { $readmeFolderTestCases = [System.Collections.ArrayList] @() - foreach ($folderPath in $moduleFolderPaths) { + foreach ($moduleFolderPath in $moduleFolderPaths) { + + if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { + $templateContent = az bicep build --file (Join-Path 
$moduleFolderPath 'deploy.bicep') --stdout | ConvertFrom-Json -AsHashtable + } elseif (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { + $templateContent = Get-Content (Join-Path $moduleFolderPath 'deploy.json') -Raw | ConvertFrom-Json -AsHashtable + } else { + throw "No template file found in folder [$moduleFolderPath]" + } + $readmeFolderTestCases += @{ - moduleFolderName = Split-Path $folderPath -Leaf - moduleFolderPath = $folderPath - fileContent = (Join-Path -Path $folderPath \readme.md) + moduleFolderName = $moduleFolderPath.Split('\arm\')[1] + moduleFolderPath = $moduleFolderPath + templateContent = $templateContent + readMeContent = Get-Content (Join-Path -Path $moduleFolderPath 'readme.md') } } - - It "[] Readme.md file should not be empty" -TestCases $readmeFolderTestCases { + It '[] Readme.md file should not be empty' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $readMeContent ) - (Get-Content $fileContent) | Should -Not -Be $null + $readMeContent | Should -Not -Be $null } - It "[] Readme.md file should contain the these Heading2 titles in order: Resource Types, parameters, Outputs, Considerations, Additional resources" -TestCases $readmeFolderTestCases { + It '[] Readme.md file should contain the these titles in order: Resource Types, Parameters, Outputs, Template references' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Heading2Order = @("Resource Types", "parameters", "Outputs", "Considerations", "Additional resources") + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html + + $Heading2Order = @('Resource Types', 'parameters', 'Outputs', 'Template references') $Headings2List = @() foreach ($H in $ReadmeHTML) { - 
if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') $headings2List += ($H.Substring($StartingIndex, $EndIndex - $StartingIndex)) } } $differentiatingItems = $Heading2Order | Where-Object { $Headings2List -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of heading titles missing in the ReadMe file [{0}] should be empty" -f ($differentiatingItems -join ',')) - - $differentiatingItems = $Headings2List | Where-Object { $Heading2Order -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of excess heading titles in the ReadMe file [{0}] should be empty" -f ($differentiatingItems -join ',')) - - $Headings2List | Should -Be $Heading2Order -Because 'the order of items should match' + $differentiatingItems.Count | Should -Be 0 -Because ('list of heading titles missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } - It "[] Resources section should contain all resources from the template file" -TestCases $readmeFolderTestCases { + It '[] Resources section should contain all resources from the template file' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent, + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $TemplateARM = Get-Content (Join-Path -Path $moduleFolderPath \deploy.json) -Raw -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - $ResourceTypes = @() - $ResourceTypes += $Template.resources.type - $ResourceTypesChild = $Template.resources.resources.type - $ResourceTypesInline = $Template.resources.properties.template.resources.type - $ResourceTypes += $ResourceTypesChild - $ResourceTypes += $ResourceTypesInline - $ResourceTypes = $ResourceTypes | 
Sort-object -Unique - $Headings = @(@()) - foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") - $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) - } + + # Get ReadMe data + $resourcesSectionStartIndex = 0 + while ($readMeContent[$resourcesSectionStartIndex] -notlike '*# Resource Types' -and -not ($resourcesSectionStartIndex -ge $readMeContent.count)) { + $resourcesSectionStartIndex++ } - $HeadingIndex = $Headings | Where-Object { $_ -eq "Resource Types" } - if ($HeadingIndex -eq $null) { - Write-Verbose "Error during test [Resources section should contain all resources from the template file] at ($moduleFolderName)" -Verbose - $true | Should -Be $false + + $resourcesTableStartIndex = $resourcesSectionStartIndex + 1 + while ($readMeContent[$resourcesTableStartIndex] -notlike '*|*' -and -not ($resourcesTableStartIndex -ge $readMeContent.count)) { + $resourcesTableStartIndex++ } - $ResourcesList = @() - for ($j = $HeadingIndex[1] + 4; $ReadmeHTML[$j] -ne ""; $j++) { - $ResourcesList += $ReadmeHTML[$j].Replace(" ", "").Replace("

|", "").Replace("|

", "").Replace("", "").Split("|")[0].Trim() + + $resourcesTableEndIndex = $resourcesTableStartIndex + 2 + while ($readMeContent[$resourcesTableEndIndex] -like '|*' -and -not ($resourcesTableEndIndex -ge $readMeContent.count)) { + $resourcesTableEndIndex++ + } + + $ReadMeResourcesList = [System.Collections.ArrayList]@() + for ($index = $resourcesTableStartIndex + 2; $index -lt $resourcesTableEndIndex; $index++) { + $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } - $differentiatingItems = $ResourceTypes | Where-Object { $ResourcesList -notcontains $_ } + + # Get template data + $templateResources = (Get-NestedResourceList -TemplateContent $templateContent | Where-Object { + $_.type -notin @('Microsoft.Resources/deployments') -and $_ }).type | Select-Object -Unique + + # Compare + $differentiatingItems = $templateResources | Where-Object { $ReadMeResourcesList -notcontains $_ } $differentiatingItems.Count | Should -Be 0 -Because ("list of template resources missing from the ReadMe's list [{0}] should be empty" -f ($differentiatingItems -join ',')) } - It "[] Resources section should not contain more resources as in the template file" -TestCases $readmeFolderTestCases { + It '[] Resources section should not contain more resources as in the template file' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent, + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $TemplateARM = Get-Content (Join-Path -Path $moduleFolderPath \deploy.json) -Raw -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - $ResourceTypes = @() - $ResourceTypes += $Template.resources.type - $ResourceTypesChild = $Template.resources.resources.type - $ResourceTypesInline = 
$Template.resources.properties.template.resources.type - $ResourceTypes += $ResourceTypesChild - $ResourceTypes += $ResourceTypesInline - $ResourceTypes = $ResourceTypes | Sort-object -Unique - $Headings = @(@()) - foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") - $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) - } + + # Get ReadMe data + $resourcesSectionStartIndex = 0 + while ($readMeContent[$resourcesSectionStartIndex] -notlike '*# Resource Types' -and -not ($resourcesSectionStartIndex -ge $readMeContent.count)) { + $resourcesSectionStartIndex++ } - $HeadingIndex = $Headings | Where-Object { $_ -eq "Resource Types" } - if ($HeadingIndex -eq $null) { - Write-Verbose "Error during test [Resources section should not contain more resources as in the template file] at ($moduleFolderName)" -Verbose - $true | Should -Be $false + + $resourcesTableStartIndex = $resourcesSectionStartIndex + 1 + while ($readMeContent[$resourcesTableStartIndex] -notlike '*|*' -and -not ($resourcesTableStartIndex -ge $readMeContent.count)) { + $resourcesTableStartIndex++ } - $ResourcesList = @() - for ($j = $HeadingIndex[1] + 4; $ReadmeHTML[$j] -ne ""; $j++) { - $ResourcesList += $ReadmeHTML[$j].Replace(" ", "").Replace("

|", "").Replace("|

", "").Replace("", "").Split("|")[0].Trim() + + $resourcesTableEndIndex = $resourcesTableStartIndex + 2 + while ($readMeContent[$resourcesTableEndIndex] -like '|*' -and -not ($resourcesTableEndIndex -ge $readMeContent.count)) { + $resourcesTableEndIndex++ + } + + $ReadMeResourcesList = [System.Collections.ArrayList]@() + for ($index = $resourcesTableStartIndex + 2; $index -lt $resourcesTableEndIndex; $index++) { + $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } - $differentiatingItems = $ResourcesList | Where-Object { $ResourceTypes -notcontains $_ } + + # Get template data + $templateResources = (Get-NestedResourceList -TemplateContent $templateContent | Where-Object { + $_.type -notin @('Microsoft.Resources/deployments') -and $_ }).type | Select-Object -Unique + + # Compare + $differentiatingItems = $templateResources | Where-Object { $ReadMeResourcesList -notcontains $_ } $differentiatingItems.Count | Should -Be 0 -Because ("list of resources in the ReadMe's list [{0}] not in the template file should be empty" -f ($differentiatingItems -join ',')) } - It "[] parameters section should contain a table with these column names in order: Parameter Name, Type, Description, Default Value, Possible values" -TestCases $readmeFolderTestCases { + It '[] parameters section should contain a table with these column names in order: Parameter Name, Type, Default Value, Possible values, Description' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $ParameterHeadingOrder = @("Parameter Name", "Type", "Default Value", "Possible values", "Description") - $ParameterHeadingOrderNewVersion = @("Parameter Name", "Type", "Description", "DefaultValue", "Allowed Values") - $ParameterHeadingOrderLatestVersion = 
@("Parameter Name", "Type", "Description", "DefaultValue", "Possible values") + + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html + $ParameterHeadingOrder = @('Parameter Name', 'Type', 'Default Value', 'Allowed Values', 'Description') $ComparisonFlag = 0 $Headings = @(@()) foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) } } - $HeadingIndex = $Headings | Where-Object { $_ -eq "parameters" } + $HeadingIndex = $Headings | Where-Object { $_ -eq 'parameters' } if ($HeadingIndex -eq $null) { - Write-Verbose "[parameters section should contain a table with these column names in order: Parameter Name, Type, Description, Default Value, Possible values] Error At ($moduleFolderName)" -Verbose + Write-Verbose "[parameters section should contain a table with these column names in order: Parameter Name, Type, Default Value, Possible values, Description] Error At ($moduleFolderName)" -Verbose $true | Should -Be $false } - $ParameterHeadingsList = $ReadmeHTML[$HeadingIndex[1] + 2].Replace("

|", "").Replace("|

", "").Split("|").Trim() + $ParameterHeadingsList = $ReadmeHTML[$HeadingIndex[1] + 2].Replace('

|', '').Replace('|

', '').Split('|').Trim() if (Compare-Object -ReferenceObject $ParameterHeadingOrder -DifferenceObject $ParameterHeadingsList -SyncWindow 0) { $ComparisonFlag = $ComparisonFlag + 1 } - if (Compare-Object -ReferenceObject $ParameterHeadingOrderNewVersion -DifferenceObject $ParameterHeadingsList -SyncWindow 0) { - $ComparisonFlag = $ComparisonFlag + 1 - } - if (Compare-Object -ReferenceObject $ParameterHeadingOrderLatestVersion -DifferenceObject $ParameterHeadingsList -SyncWindow 0) { - $ComparisonFlag = $ComparisonFlag + 1 - } ($ComparisonFlag -gt 2) | Should -Be $false } - It "[] parameters section should contain all parameters from the deploy.json file" -TestCases $readmeFolderTestCases { + It '[] parameters section should contain all parameters from the deploy.json file' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent, + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $TemplateARM = Get-Content (Join-Path -Path $moduleFolderPath \deploy.json) -Raw -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - ##get param from deploy.json - $parameters = Get-Member -InputObject $Template.parameters -MemberType NoteProperty + + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html + $parameters = Get-Member -InputObject $templateContent.parameters -MemberType NoteProperty $Headings = @(@()) foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) } } ##get param from readme.md - $HeadingIndex = $Headings | Where-Object { $_ -eq "parameters" } + $HeadingIndex = $Headings | 
Where-Object { $_ -eq 'parameters' } if ($HeadingIndex -eq $null) { Write-Verbose "[parameters section should contain all parameters from the deploy.json file] Error At ($moduleFolderName)" -Verbose $true | Should -Be $false } $parametersList = @() - for ($j = $HeadingIndex[1] + 4; $ReadmeHTML[$j] -ne ""; $j++) { - $parametersList += $ReadmeHTML[$j].Replace("

| ", "").Replace("|

", "").Replace("", "").Split("|")[0].Trim() + for ($j = $HeadingIndex[1] + 4; $ReadmeHTML[$j] -ne ''; $j++) { + $parametersList += $ReadmeHTML[$j].Replace('

| ', '').Replace('|

', '').Replace('', '').Split('|')[0].Trim() } $differentiatingItems = $parameters.Name | Where-Object { $parametersList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of template parameters missing in the ReadMe file [{0}] should be empty" -f ($differentiatingItems -join ',')) + $differentiatingItems.Count | Should -Be 0 -Because ('list of template parameters missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } - It "[] Outputs section should contain a table with these column names in order: Output Name, Value, Type" -TestCases $readmeFolderTestCases { + It '[] Outputs section should contain a table with these column names in order: Output Name, Type' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Headings = @(@()) - foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") - $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) - } + + # Get ReadMe data + $outputsSectionStartIndex = 0 + while ($readMeContent[$outputsSectionStartIndex] -notlike '*# Outputs' -and -not ($outputsSectionStartIndex -ge $readMeContent.count)) { + $outputsSectionStartIndex++ } - $OutputHeadingOrder = @("Output Name", "Type", "Description") - $HeadingIndex = $Headings | Where-Object { $_ -eq "Outputs" } - if ($HeadingIndex -eq $null) { - Write-Verbose "[Outputs section should contain a table with these column names in order: Output Name, Type, Description] Error At ($moduleFolderName)" -Verbose - $true | Should -Be $false + + $outputsTableStartIndex = $outputsSectionStartIndex + 1 + while ($readMeContent[$outputsTableStartIndex] -notlike '*|*' -and -not ($outputsTableStartIndex -ge $readMeContent.count)) { 
+ $outputsTableStartIndex++ } - $OutputHeadingsList = $ReadmeHTML[$HeadingIndex[1] + 2].Replace("

|", "").Replace("|

", "").Split("|").Trim() - (Compare-Object -ReferenceObject $OutputHeadingOrder -DifferenceObject $OutputHeadingsList -SyncWindow 0) | Should -Be $null + + $outputsTableHeader = $readMeContent[$outputsTableStartIndex].Split('|').Trim() | Where-Object { -not [String]::IsNullOrEmpty($_) } + + # Test + $expectedOutputsTableOrder = @('Output Name', 'Type') + $differentiatingItems = $expectedOutputsTableOrder | Where-Object { $outputsTableHeader -notcontains $_ } + $differentiatingItems.Count | Should -Be 0 -Because ('list of "Outputs" table columns missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } - It "[] Output section should contain all outputs defined in the deploy.json file" -TestCases $readmeFolderTestCases { + It '[] Output section should contain all outputs defined in the deploy.json file' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent, + $readMeContent ) - $TemplateReadme = Get-Content ($fileContent) -ErrorAction SilentlyContinue - $TemplateARM = Get-Content (Join-Path -Path $moduleFolderPath 'deploy.json') -Raw -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - $Headings = @(@()) - foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") - $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) - } + + # Get ReadMe data + $outputsSectionStartIndex = 0 + while ($readMeContent[$outputsSectionStartIndex] -notlike '*# Outputs' -and -not ($outputsSectionStartIndex -ge $readMeContent.count)) { + $outputsSectionStartIndex++ } - $Outputs = Get-Member -InputObject $Template.outputs -MemberType NoteProperty - $HeadingIndex = $Headings | Where-Object { $_ -eq "Outputs" } - if ($HeadingIndex -eq $null) { - Write-Verbose "[Output 
section should contain all outputs defined in the deploy.json file] Error At ($moduleFolderName)" -Verbose - $true | Should -Be $false + + $outputsTableStartIndex = $outputsSectionStartIndex + 1 + while ($readMeContent[$outputsTableStartIndex] -notlike '*|*' -and -not ($outputsTableStartIndex -ge $readMeContent.count)) { + $outputsTableStartIndex++ } - $OutputsList = @() - for ($j = $HeadingIndex[1] + 4; $ReadmeHTML[$j] -ne ""; $j++) { - $OutputsList += $ReadmeHTML[$j].Replace("

| ", "").Replace("|

", "").Replace("", "").Split("|")[0].Trim() + + $outputsTableEndIndex = $outputsTableStartIndex + 2 + while ($readMeContent[$outputsTableEndIndex] -like '|*' -and -not ($outputsTableEndIndex -ge $readMeContent.count)) { + $outputsTableEndIndex++ + } + + $ReadMeoutputsList = [System.Collections.ArrayList]@() + for ($index = $outputsTableStartIndex + 2; $index -lt $outputsTableEndIndex; $index++) { + $ReadMeoutputsList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } - $differentiatingItems = $Outputs.Name | Where-Object { $OutputsList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of template outputs missing in the ReadMe file [{0}] should be empty" -f ($differentiatingItems -join ',')) + # Template data + $expectedOutputs = $templateContent.outputs.keys - $differentiatingItems = $OutputsList | Where-Object { $Outputs.Name -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of excess template outputs defined in the ReadMe file [{0}] should be empty" -f ($differentiatingItems -join ',')) + # Test + $differentiatingItems = $expectedOutputs | Where-Object { $ReadMeoutputsList -notcontains $_ } + $differentiatingItems.Count | Should -Be 0 -Because ('list of template outputs missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) + + $differentiatingItems = $ReadMeoutputsList | Where-Object { $expectedOutputs -notcontains $_ } + $differentiatingItems.Count | Should -Be 0 -Because ('list of excess template outputs defined in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } - It "[] Additional resources section should contain at least one bullet point with a reference" -TestCases $readmeFolderTestCases { + It '[] Template References section should contain at least one bullet point with a reference' -TestCases $readmeFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $readMeContent ) - $TemplateReadme = 
Get-Content ($fileContent) -ErrorAction SilentlyContinue - $ReadmeHTML = ($TemplateReadme | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html + + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html $Headings = @(@()) foreach ($H in $ReadmeHTML) { - if ($H.Contains("") + 1 - $EndIndex = $H.LastIndexof("<") + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) } } - $HeadingIndex = $Headings | Where-Object { $_ -eq "Additional resources" } + $HeadingIndex = $Headings | Where-Object { $_ -eq 'Template References' } if ($HeadingIndex -eq $null) { - Write-Verbose "[Additional resources section should contain at least one bullet point with a reference] Error At ($moduleFolderName)" -Verbose + Write-Verbose "[Template References should contain at least one bullet point with a reference] Error At ($moduleFolderName)" -Verbose $true | Should -Be $false } $StartIndex = $HeadingIndex[1] + 2 - ($ReadmeHTML[$StartIndex].Contains("
  • ")) | Should -Be $true - ($ReadmeHTML[$StartIndex].Contains("href")) | Should -Be $true + ($ReadmeHTML[$StartIndex].Contains('
  • ')) | Should -Be $true + ($ReadmeHTML[$StartIndex].Contains('href')) | Should -Be $true } } } -Describe "Deployment template tests" -Tag Template { +Describe 'Deployment template tests' -Tag Template { - Context "Deployment template tests" { + Context 'Deployment template tests' { $deploymentFolderTestCases = [System.Collections.ArrayList] @() $deploymentFolderTestCasesException = [System.Collections.ArrayList] @() - foreach ($folderPath in $moduleFolderPaths) { + foreach ($moduleFolderPath in $moduleFolderPaths) { + + if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { + $templateContent = az bicep build --file (Join-Path $moduleFolderPath 'deploy.bicep') --stdout | ConvertFrom-Json -AsHashtable + } elseif (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { + $templateContent = Get-Content (Join-Path $moduleFolderPath 'deploy.json') -Raw | ConvertFrom-Json -AsHashtable + } else { + throw "No template file found in folder [$moduleFolderPath]" + } # Parameter file test cases $parameterFileTestCases = @() - $templateFile_Parameters = ((Get-Content (Join-Path $folderPath 'deploy.json')) | ConvertFrom-Json -ErrorAction SilentlyContinue).Parameters.PSObject.Properties - $TemplateFile_AllParameterNames = $templateFile_Parameters | Sort-Object -Property Name | ForEach-Object Name - $TemplateFile_RequiredParametersNames = $templateFile_Parameters | Where-Object -FilterScript { -not ($_.Value.PSObject.Properties.Name -eq "defaultValue") } | Sort-Object -Property Name | ForEach-Object Name + $templateFile_Parameters = $templateContent.parameters + $TemplateFile_AllParameterNames = $templateFile_Parameters.keys | Sort-Object + $TemplateFile_RequiredParametersNames = ($templateFile_Parameters.keys | Where-Object { -not $templateFile_Parameters[$_].ContainsKey('defaultValue') }) | Sort-Object - $ParameterFilePaths = (Get-ChildItem (Join-Path -Path $folderPath -ChildPath 'parameters' -AdditionalChildPath "*parameters.json") -Recurse).FullName + 
$ParameterFilePaths = (Get-ChildItem (Join-Path -Path $moduleFolderPath -ChildPath 'parameters' -AdditionalChildPath '*parameters.json') -Recurse).FullName foreach ($ParameterFilePath in $ParameterFilePaths) { - $parameterFile_AllParameterNames = (Get-Content $ParameterFilePath | ConvertFrom-Json -ErrorAction SilentlyContinue).Parameters.PSObject.Properties | Sort-Object -Property Name | ForEach-Object Name + $parameterFile_AllParameterNames = ((Get-Content $ParameterFilePath) | ConvertFrom-Json -AsHashtable).parameters.keys | Sort-Object $parameterFileTestCases += @{ - TemplateFileName = $TemplateFileName parameterFile_Path = $ParameterFilePath parameterFile_Name = Split-Path $ParameterFilePath -Leaf parameterFile_AllParameterNames = $parameterFile_AllParameterNames 
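Review bot: the new `az bicep build --file ... --stdout | ConvertFrom-Json -AsHashtable` branch in the test-case setup never checks that the build succeeded. `az` reports compile errors on stderr and emits nothing on stdout, so a broken `deploy.bicep` yields `$templateContent = $null`, the module still gets a test-case entry and the failure only shows up later as an unrelated `Should` error (`'The deploy.json file should not be empty'`) instead of as a build error naming the module. Capture the output first and fail fast, e.g. `$built = az bicep build --file $bicepPath --stdout; if ($LASTEXITCODE -ne 0 -or -not $built) { throw "Bicep build failed for [$moduleFolderPath]" }`, then convert. The same block is duplicated in the ApiCheck describe further down; a small `Get-TemplateContent` helper next to `Get-NestedResourceList` in helper.psm1 would keep the two in sync.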
@@ -449,127 +405,78 @@ Describe "Deployment template tests" -Tag Template { # Test file setup $deploymentFolderTestCases += @{ - moduleFolderName = Split-Path $folderPath -Leaf - moduleFolderPath = $folderPath - fileContent = (Join-Path -Path $folderPath 'deploy.json') + moduleFolderName = Split-Path $moduleFolderPath -Leaf + templateContent = $templateContent parameterFileTestCases = $parameterFileTestCases } } - foreach ($folderPath in $folderPathsToScanExcludeRG) { + foreach ($moduleFolderPath in $moduleFolderPathsFiltered) { $deploymentFolderTestCasesException += @{ - moduleFolderNameException = Split-Path $folderPath -Leaf - moduleFolderPathException = $folderPath - fileContentException = (Join-Path -Path $folderPath \deploy.json) + moduleFolderNameException = Split-Path $moduleFolderPath -Leaf + templateContentException = $templateContent } } - It "[] The deploy.json file should not be empty" -TestCases $deploymentFolderTestCases { + It '[] The deploy.json file should not be empty' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - (Get-Content $fileContent) | Should -Not -Be $null + $templateContent | Should -Not -Be $null } - It "[] The deploy.json file should be a valid JSON" -TestCases $deploymentFolderTestCases { - param( - $moduleFolderName, - $moduleFolderPath, - $fileContent - ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - Test-Path $fileContent -PathType Leaf -Include '*.json' | Should -Be $true - try { - ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[The deploy.json file should be a valid JSON] Error at ($moduleFolderName)" -Verbose - $false | Should -Be $true - Continue - } - } - - It "[] Template schema version should be the latest" -TestCases $deploymentFolderTestCases { + It '[] Template schema version should be the latest' -TestCases $deploymentFolderTestCases { # the actual 
value changes depending on the scope of the template (RG, subscription, MG, tenant) !! # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Template schema version should be the latest] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - $Schemaverion = $Template.'$schema' + + $Schemaverion = $templateContent.'$schema' $SchemaArray = @() if ($Schemaverion -eq $RGdeployment) { $SchemaOutput = $true - } - elseif ($Schemaverion -eq $Subscriptiondeployment) { + } elseif ($Schemaverion -eq $Subscriptiondeployment) { $SchemaOutput = $true - } - elseif ($Schemaverion -eq $MGdeployment) { + } elseif ($Schemaverion -eq $MGdeployment) { $SchemaOutput = $true - } - elseif ($Schemaverion -eq $Tenantdeployment) { + } elseif ($Schemaverion -eq $Tenantdeployment) { $SchemaOutput = $true - } - else { + } else { $SchemaOutput = $false } $SchemaArray += $SchemaOutput $SchemaArray | Should -Not -Contain $false } - It "[] Template schema should use HTTPS reference" -TestCases $deploymentFolderTestCases { + It '[] Template schema should use HTTPS reference' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Template schema should use HTTPS reference] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - $Schemaverion = $Template.'$schema' - ($Schemaverion.Substring(0, 5) -eq "https") | Should -Be $true + $Schemaverion = $templateContent.'$schema' + 
($Schemaverion.Substring(0, 5) -eq 'https') | Should -Be $true } - It "[] All apiVersion properties should be set to a static, hard-coded value" -TestCases $deploymentFolderTestCases { + It '[] All apiVersion properties should be set to a static, hard-coded value' -TestCases $deploymentFolderTestCases { #https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-best-practices param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[All apiVersion properties should be set to a static, hard-coded value] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - $ApiVersion = $Template.resources.apiVersion + $ApiVersion = $templateContent.resources.apiVersion $ApiVersionArray = @() foreach ($Api in $ApiVersion) { if ($Api.Substring(0, 2) -eq '20') { $ApiVersionOutput = $true - } - elseif ($Api.substring(1, 10) -eq "parameters") { + } elseif ($Api.substring(1, 10) -eq 'parameters') { + # An API version should not be referenced as a parameter $ApiVersionOutput = $false - } - else { + } elseif ($Api.substring(1, 10) -eq 'variables') { + # An API version should not be referenced as a variable + $ApiVersionOutput = $false + } else { $ApiVersionOutput = $false } $ApiVersionArray += $ApiVersionOutput 
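Review bot: `templateContentException = $templateContent` in the `foreach ($moduleFolderPath in $moduleFolderPathsFiltered)` loop is never recomputed per iteration; `$templateContent` is simply whatever the preceding `foreach ($moduleFolderPath in $moduleFolderPaths)` loop left behind (the last module's template), so every entry in `$deploymentFolderTestCasesException` carries the same template and the 'All resources that have a Location property ...' test never looks at the module it is named after. Build the template inside this loop with the same `deploy.bicep`/`deploy.json` branch used above, or collect the per-folder content in a hashtable keyed by path during the first loop and look it up here. Secondary point in the apiVersion test of the same hunk: `$Api.substring(1, 10) -eq 'variables'` can never match, since ten characters after the `[` of `[variables('x')]` are `variables(`; use `$Api -like '[variables(*'` (and `'[parameters(*'` for symmetry). The result is still `$false` via the `else` branch, but the comment promises a check that does not exist.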
@@ -577,43 +484,26 @@ Describe "Deployment template tests" -Tag Template { $ApiVersionArray | Should -Not -Contain $false } - It "[] The deploy.json file should contain required elements: schema, contentVersion, resources" -TestCases $deploymentFolderTestCases { + It '[] The deploy.json file should contain required elements: schema, contentVersion, resources' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateProperties = (Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue | ConvertFrom-Json -ErrorAction SilentlyContinue) | Get-Member -MemberType NoteProperty | Sort-Object -Property Name | ForEach-Object Name - $TemplateProperties | Should -Contain '$schema' - $TemplateProperties | Should -Contain 'contentVersion' - $TemplateProperties | Should -Contain 'resources' - } - - It "Tagging should be implemented - if the resource type supports them" { - } - - It "Delete lock should be implemented - if the resource type supports it" { + $templateContent.keys | Should -Contain '$schema' + $templateContent.keys | Should -Contain 'contentVersion' + $templateContent.keys | Should -Contain 'resources' } - It "[] If delete lock is implemented, the template should have a lockForDeletion parameter with the default value of false" -TestCases $deploymentFolderTestCases { + It '[] If delete lock is implemented, the template should have a lockForDeletion parameter with the default value of false' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[If delete lock is implemented, the template should have a lockForDeletion parameter with the default value of false] Json conversion Error at ($moduleFolderName)" -Verbose - 
Continue - } $LockTypeFlag = $true - $ChildResourceType = $Template.resources.resources.type - $ParentResourceType = $Template.resources.type - $LockForDeletion = $Template.parameters.lockForDeletion.defaultValue - if (($ChildResourceType -like "*providers/locks" -or $ParentResourceType -like "*providers/locks") -and $LockForDeletion -ne $false) { + $ChildResourceType = $templateContent.resources.resources.type + $ParentResourceType = $templateContent.resources.type + $LockForDeletion = $templateContent.parameters.lockForDeletion.defaultValue + if (($ChildResourceType -like '*providers/locks' -or $ParentResourceType -like '*providers/locks') -and $LockForDeletion -ne $false) { $LockTypeFlag = $false } $LockTypeFlag | Should -Contain $true 
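Review bot: the lock detection in this hunk (`$ChildResourceType -like '*providers/locks' -or $ParentResourceType -like '*providers/locks'`) only recognises the legacy `<type>/providers/locks` child form. Locks declared in Bicep as extension resources with `scope:` compile to a top-level resource of type `Microsoft.Authorization/locks` with a `scope` property, which does not match `'*providers/locks'`, so for the converted modules the condition is false, `$LockTypeFlag` stays `$true` and the `lockForDeletion` default is never verified. The ApiCheck describe added in this same patch already uses the looser `'*locks'` pattern; use the same here (and in the condition test in the next hunk), and also pull resources from nested `Microsoft.Resources/deployments` templates via the new `Get-NestedResourceList`, since `.resources.resources` only descends one level. Minor: `$LockTypeFlag` is a scalar, so `Should -Be $true` states the intent better than `Should -Contain $true`.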
@@ -622,156 +512,99 @@ Describe "Deployment template tests" -Tag Template { It "[] If delete lock is implemented, it should have a deployment condition with the value of parameters('lockForDeletion')" -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[If delete lock is implemented, it should have a deployment condition with the value of parameters('lockForDeletion')] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } $LockFlag = @() - $ChildDeletelock = $Template.resources.resources.type - $ParentDeletelock = $Template.resources.type - $ChildDeletelockCondition = $Template.resources.resources.condition - $ParentDeletelockCondition = $Template.resources.condition - if ($ChildDeletelock -like "*providers/locks" -and $ChildDeletelockCondition -notcontains "[parameters('lockForDeletion')]") { + $ChildDeletelock = $templateContent.resources.resources.type + $ParentDeletelock = $templateContent.resources.type + $ChildDeletelockCondition = $templateContent.resources.resources.condition + $ParentDeletelockCondition = $templateContent.resources.condition + if ($ChildDeletelock -like '*providers/locks' -and $ChildDeletelockCondition -notcontains "[parameters('lockForDeletion')]") { $LockFlag += $false - } - elseif ($ParentDeletelock -like "*providers/locks" -and $ParentDeletelockCondition -notcontains "[parameters('lockForDeletion')]") { + } elseif ($ParentDeletelock -like '*providers/locks' -and $ParentDeletelockCondition -notcontains "[parameters('lockForDeletion')]") { $LockFlag += $false - } - else { + } else { $LockFlag += $true } $LockFlag | Should -Not -Contain $false } - It "Diagnostic logs & metrics should be implemented - if the resource type supports them" { - } - - It 
"Resource level RBAC should be implemented - if the resource type supports it" { - } - - It "[] Parameter names should be camel-cased (no dashes or underscores and must start with lower-case letter)" -TestCases $deploymentFolderTestCases { + It '[] Parameter names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Parameter names should be camel-cased (no dashes or underscores and must start with lower-case letter))] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - if (-not $Template.parameters) { + if (-not $templateContent.parameters) { $true | Should -Be $true return } $CamelCasingFlag = @() - $Parameter = ($Template.parameters | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name + $Parameter = ($templateContent.parameters | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name foreach ($Param in $Parameter) { if ($Param.substring(0, 1) -cnotmatch '[a-z]' -or $Param -match '-' -or $Param -match '_') { $CamelCasingFlag += $false - } - else { + } else { $CamelCasingFlag += $true } } $CamelCasingFlag | Should -Not -Contain $false } - It "[] Variable names should be camel-cased (no dashes or underscores and must start with lower-case letter)" -TestCases $deploymentFolderTestCases { + It '[] Variable names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject 
$TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Variable names should be camel-cased (no dashes or underscores and must start with lower-case letter))] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - if (-not $Template.variables) { + if (-not $templateContent.variables) { $true | Should -Be $true return } $CamelCasingFlag = @() - $Variable = ($Template.variables | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name + $Variable = ($templateContent.variables | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name foreach ($Variab in $Variable) { if ($Variab.substring(0, 1) -cnotmatch '[a-z]' -or $Variab -match '-') { $CamelCasingFlag += $false - } - else { + } else { $CamelCasingFlag += $true } } $CamelCasingFlag | Should -Not -Contain $false } - It "[] Output names should be camel-cased (no dashes or underscores and must start with lower-case letter)" -TestCases $deploymentFolderTestCases { + It '[] Output names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Output names should be camel-cased (no dashes or underscores and must start with lower-case letter))] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } $CamelCasingFlag = @() - $Outputs = ($Template.outputs | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name + $Outputs = ($templateContent.outputs | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name foreach ($Output in $Outputs) { if ($Output.substring(0, 1) -cnotmatch '[a-z]' -or $Output -match '-' -or $Output -match '_') { $CamelCasingFlag += $false - } - else 
{ + } else { $CamelCasingFlag += $true } } $CamelCasingFlag | Should -Not -Contain $false } - It "[] CUA ID deployment should be present in the template" -TestCases $deploymentFolderTestCases { + It '[] CUA ID deployment should be present in the template' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[CUA ID deployment should be present in the template] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } $CuaIDFlag = @() - $Schemaverion = $Template.'$schema' + $Schemaverion = $templateContent.'$schema' if ((($Schemaverion.Split('/')[5]).Split('.')[0]) -eq (($RGdeployment.Split('/')[5]).Split('.')[0])) { - if (($Template.resources.type -ccontains "Microsoft.Resources/deployments" -and $Template.resources.condition -like "*[not(empty(parameters('cuaId')))]*") -or ($Template.resources.resources.type -ccontains "Microsoft.Resources/deployments" -and $Template.resources.resources.condition -like "*[not(empty(parameters('cuaId')))]*")) { + if (($templateContent.resources.type -ccontains 'Microsoft.Resources/deployments' -and $templateContent.resources.condition -like "*[not(empty(parameters('cuaId')))]*") -or ($templateContent.resources.resources.type -ccontains 'Microsoft.Resources/deployments' -and $templateContent.resources.resources.condition -like "*[not(empty(parameters('cuaId')))]*")) { $CuaIDFlag += $true - } - else { + } else { $CuaIDFlag += $false } } 
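Review bot: the camel-casing tests for parameters, variables and outputs in this hunk still discover names with `Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }`, but `$templateContent` is now a hashtable from `ConvertFrom-Json -AsHashtable`, not a PSCustomObject. `Get-Member` on a hashtable lists the hashtable's own members (Count, Keys, Values, Add, ...) whose MemberType is Property or Method, never NoteProperty, so `$Parameter`, `$Variable` and `$Outputs` come back empty, the `foreach` bodies never execute and `$CamelCasingFlag | Should -Not -Contain $false` passes for every module regardless of naming. Use `$templateContent.parameters.keys`, `$templateContent.variables.keys` and `$templateContent.outputs.keys`, as the standard-outputs test below already does. While touching this, the variables test still lacks the `-or $Variab -match '_'` clause the other two have, so underscores in variable names are not rejected despite the test title.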
@@ -781,27 +614,17 @@ Describe "Deployment template tests" -Tag Template { It "[] The Location should be defined as a parameter, with the default value of 'resourceGroup().Location' or global for ResourceGroup deployment scope" -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[The Location should be defined as a parameter, with the default value of 'resourceGroup().Location' or global for ResourceGroup deployment scope ] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } $LocationFlag = $true - $Schemaverion = $Template.'$schema' + $Schemaverion = $templateContent.'$schema' if ((($Schemaverion.Split('/')[5]).Split('.')[0]) -eq (($RGdeployment.Split('/')[5]).Split('.')[0])) { - $Locationparamoutputvalue = $Template.parameters.Location.defaultValue - $Locationparamoutput = ($Template.parameters | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name - if ($Locationparamoutput -contains "Location") { - if ($Locationparamoutputvalue -eq "[resourceGroup().Location]" -or $Locationparamoutputvalue -eq "global") { + $Locationparamoutputvalue = $templateContent.parameters.Location.defaultValue + $Locationparamoutput = ($templateContent.parameters | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name + if ($Locationparamoutput -contains 'Location') { + if ($Locationparamoutputvalue -eq '[resourceGroup().Location]' -or $Locationparamoutputvalue -eq 'global') { $LocationFlag = $true - } - else { + } else { $LocationFlag = $false } 
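Review bot: same hashtable problem as in the camel-casing tests: `$templateContent.parameters | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }` yields no parameter names for a hashtable, so `$Locationparamoutput -contains 'Location'` is never true and the `[resourceGroup().Location]` / `global` default-value check is never reached. Replace it with `$templateContent.parameters.keys`. Also note the casing: the camel-casing test in this file requires parameter names to start lower case, so the parameter will be `location`; `-contains 'Location'` and `-eq '[resourceGroup().Location]'` are case-insensitive and will cope, but `$templateContent.parameters.Location.defaultValue` is a hashtable key lookup and should use the name as it appears in the template.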
@@ -813,40 +636,26 @@ Describe "Deployment template tests" -Tag Template { It "[] All resources that have a Location property should refer to the Location parameter 'parameters('Location')'" -TestCases $deploymentFolderTestCasesException { param( $moduleFolderNameException, - $moduleFolderPathException, - $fileContentException + $templateContentException ) - $TemplateARM = Get-Content ($fileContentException) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[All resources that have a Location property should refer to the Location parameter 'parameters('Location')'] Json conversion Error at ($moduleFolderPathException)" -Verbose - Continue - } $LocationParamFlag = @() - $Locmandoutput = $Template.resources + $Locmandoutput = $templateContent.resources foreach ($Locmand in $Locmandoutput) { - if (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -contains "Location" -and $Locmand.Location -eq "[parameters('Location')]") { + if (($Locmand | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name -contains 'Location' -and $Locmand.Location -eq "[parameters('Location')]") { $LocationParamFlag += $true - } - elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -notcontains "Location") { + } elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name -notcontains 'Location') { $LocationParamFlag += $true - } - elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -notcontains "resourceGroup") { - $LocationParamFlag += $true - } - else { + } elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name -notcontains 'resourceGroup') { + $LocationParamFlag += $true + } else { $LocationParamFlag += $false } foreach ($Locm in $Locmand.resources) { - if (($Locm | Get-Member | Where-Object { 
$_.MemberType -eq "NoteProperty" }).Name -contains "Location" -and $Locm.Location -eq "[parameters('Location')]") { + if (($Locm | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name -contains 'Location' -and $Locm.Location -eq "[parameters('Location')]") { $LocationParamFlag += $true - } - elseif (($Locm | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -notcontains "Location") { + } elseif (($Locm | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name -notcontains 'Location') { $LocationParamFlag += $true - } - else { + } else { $LocationParamFlag += $false } } 
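Review bot: the body of this test reads `$templateContent.resources` while the test-case parameter declared in `param(...)` is `$templateContentException`; `$templateContent` inside the `It` block is at best the stale value left by the test-case generation loops, so every test case inspects the same template instead of the module under test. Use `$templateContentException.resources`. Independently, the `($Locmand | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name` checks never see the keys of a hashtable resource, so the `-notcontains 'Location'` branch is taken for every resource and `$LocationParamFlag` only ever collects `$true`; use `$Locmand.keys -contains 'location'` and `$Locmand.location -eq "[parameters('location')]"`. Once the key checks work, the third branch (`-notcontains 'resourceGroup'`) also needs a second look: a resource with a hard-coded `location` and no `resourceGroup` key currently lands there and is marked `$true`, which is exactly the case this test should reject.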
@@ -854,37 +663,24 @@ Describe "Deployment template tests" -Tag Template { $LocationParamFlag | Should -Not -Contain $false } - It "The template should not have empty lines" { - } - - It "[] Standard outputs should be provided (e.g. resourceName, resourceId, resouceGroupName" -TestCases $deploymentFolderTestCases { + It '[] Standard outputs should be provided (e.g. resourceName, resourceId, resouceGroupName)' -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[Standard outputs should be provided (e.g. resourceName, resourceId, resouceGroupName] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - $Stdoutput = ($Template.outputs | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name + $Stdoutput = $templateContent.outputs.keys $i = 0 - $Schemaverion = $Template.'$schema' + $Schemaverion = $templateContent.'$schema' if ((($Schemaverion.Split('/')[5]).Split('.')[0]) -eq (($RGdeployment.Split('/')[5]).Split('.')[0])) { foreach ($Stdo in $Stdoutput) { - if ($Stdo -like "*Name*" -or $Stdo -like "*ResourceId*" -or $Stdo -like "*ResourceGroup*") { - $true | should -Be $true + if ($Stdo -like '*Name*' -or $Stdo -like '*ResourceId*' -or $Stdo -like '*ResourceGroup*') { + $true | Should -Be $true $i = $i + 1 } } $i | Should -Not -BeLessThan 3 - } - ElseIf ((($schemaverion.Split('/')[5]).Split('.')[0]) -eq (($Subscriptiondeployment.Split('/')[5]).Split('.')[0])) { + } ElseIf ((($schemaverion.Split('/')[5]).Split('.')[0]) -eq (($Subscriptiondeployment.Split('/')[5]).Split('.')[0])) { $Stdoutput | Should -Not -BeNullOrEmpty } 
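Review bot: the `$true | Should -Be $true` inside the `foreach ($Stdo in $Stdoutput)` loop is a no-op assertion and the manual `$i` counter can be replaced by a single expression, e.g. `($Stdoutput | Where-Object { $_ -like '*Name*' -or $_ -like '*ResourceId*' -or $_ -like '*ResourceGroup*' }).Count | Should -Not -BeLessThan 3`. The `'*Name*'` wildcard is also broad (any output whose name merely contains `Name` counts towards the three), so if the intent is the standard trio from the test title, match the exact output names. The title still reads `resouceGroupName`; worth fixing while the string is being re-quoted anyway.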
@@ -893,32 +689,22 @@ Describe "Deployment template tests" -Tag Template { It "[] parameters' description shoud start either by 'Optional.' or 'Required.' or 'Generated.'" -TestCases $deploymentFolderTestCases { param( $moduleFolderName, - $moduleFolderPath, - $fileContent + $templateContent ) - $TemplateARM = Get-Content ($fileContent) -Raw -ErrorAction SilentlyContinue - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "[parameters' description shoud start either by 'Optional.' or 'Required.' or 'Generated.'] Json conversion Error at ($moduleFolderName)" -Verbose - Continue - } - if (-not $Template.parameters) { + if (-not $templateContent.parameters) { $true | Should -Be $true return } $ParamDescriptionFlag = @() - $Paramdescoutput = ($Template.parameters | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name + $Paramdescoutput = ($templateContent.parameters | Get-Member | Where-Object { $_.MemberType -eq 'NoteProperty' }).Name foreach ($Param in $Paramdescoutput) { - $Data = ($Template.parameters.$Param.metadata).description - if ($Data -like "Optional. [a-zA-Z]*" -or $Data -like "Required. [a-zA-Z]*" -or $Data -like "Generated. [a-zA-Z]*") { - $true | should -Be $true + $Data = ($templateContent.parameters.$Param.metadata).description + if ($Data -like 'Optional. [a-zA-Z]*' -or $Data -like 'Required. [a-zA-Z]*' -or $Data -like 'Generated. [a-zA-Z]*') { + $true | Should -Be $true $ParamDescriptionFlag += $true - } - else { + } else { $ParamDescriptionFlag += $false } } @@ -926,7 +712,7 @@ Describe "Deployment template tests" -Tag Template { } # PARAMETER Tests - It "All parameters in parameters files exist in template file (deploy.json)" -TestCases $deploymentFolderTestCases { + It '[] All parameters in parameters files exist in template file (deploy.json)' -TestCases $deploymentFolderTestCases { param ( [hashtable[]] $parameterFileTestCases ) 
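Review bot: `$Paramdescoutput` is again built with `Get-Member ... NoteProperty` on a hashtable, so it is empty and the description-prefix check runs over zero parameters; switch to `$templateContent.parameters.keys`, after which `$templateContent.parameters.$Param.metadata.description` resolves correctly on the hashtable. Two smaller points in the same test: a parameter without `metadata.description` gives `$Data = $null`, which is correctly flagged `$false` but produces no hint which parameter failed, so add `-Because "parameter [$Param] ..."` to the final `Should`; and the title typo `shoud` can be fixed now that the string is being re-quoted. The `'[] All parameters in parameters files exist ...'` rename in the second hunk is fine.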
@@ -936,11 +722,11 @@ Describe "Deployment template tests" -Tag Template { $templateFile_AllParameterNames = $parameterFileTestCase.templateFile_AllParameterNames $nonExistentParameters = $parameterFile_AllParameterNames | Where-Object { $templateFile_AllParameterNames -notcontains $_ } - $nonExistentParameters.Count | Should -Be 0 -Because ("no parameter in the parameter file should not exist in the template file. Found excess items: [{0}]" -f ($nonExistentParameters -join ', ')) + $nonExistentParameters.Count | Should -Be 0 -Because ('no parameter in the parameter file should not exist in the template file. Found excess items: [{0}]' -f ($nonExistentParameters -join ', ')) } } - It "All required parameters in template file (deploy.json) should exist in parameters files" -TestCases $deploymentFolderTestCases { + It '[] All required parameters in template file (deploy.json) should exist in parameters files' -TestCases $deploymentFolderTestCases { param ( [hashtable[]] $parameterFileTestCases ) 
@@ -950,83 +736,91 @@ Describe "Deployment template tests" -Tag Template { $parameterFile_AllParameterNames = $parameterFileTestCase.parameterFile_AllParameterNames $missingParameters = $templateFile_RequiredParametersNames | Where-Object { $parameterFile_AllParameterNames -notcontains $_ } - $missingParameters.Count | Should -Be 0 -Because ("no required parameters in the template file should be missing in the parameter file. Found missing items: [{0}]" -f ($missingParameters -join ', ')) + $missingParameters.Count | Should -Be 0 -Because ('no required parameters in the template file should be missing in the parameter file. Found missing items: [{0}]' -f ($missingParameters -join ', ')) } } } } Describe "Api version tests [All apiVersions in the template should be 'recent']" -Tag ApiCheck { + $testCases = @() $ApiVersions = Get-AzResourceProvider -ListAvailable - foreach ($TemplateLocation in $folderPathsToScanExcludeRG) { - $moduleName = Split-Path $TemplateLocation -Leaf - $TemplateARM = Get-Content (Join-Path -Path $TemplateLocation 'deploy.json') -Raw - try { - $Template = ConvertFrom-Json -InputObject $TemplateARM -ErrorAction 'SilentlyContinue' - } - catch { - Write-Verbose "[All apiVersions in the template should be 'recent] Json conversion Error at ($LocatTemplateLocationion)" -Verbose - Continue + foreach ($moduleFolderPath in $moduleFolderPathsFiltered) { + + $moduleFolderName = $moduleFolderPath.Split('\arm\')[1] + + if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { + $templateContent = az bicep build --file (Join-Path $moduleFolderPath 'deploy.bicep') --stdout | ConvertFrom-Json -AsHashtable + } elseif (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { + $templateContent = Get-Content (Join-Path $moduleFolderPath 'deploy.json') -Raw | ConvertFrom-Json -AsHashtable + } else { + throw "No template file found in folder [$moduleFolderPath]" } - $ApiVer = $Template.resources.apiVersion - $ResourceType = $Template.resources.type - for ($i = 
0; $i -lt $ApiVer.count; $i++) { - if ($ResourceType.Count -gt 1) { - if ($ResourceType[$i].Split('/').Count -ne 2 -and $ResourceType[$i] -like '*diagnosticsettings*') { + $nestedResources = Get-NestedResourceList -TemplateContent $templateContent | Where-Object { + $_.type -notin @('Microsoft.Resources/deployments') -and $_ + } | Select-Object 'Type', 'ApiVersion' -Unique | Sort-Object Type + + foreach ($resource in $nestedResources) { + + switch ($resource.type) { + { $PSItem -like '*diagnosticsettings*' } { $testCases += @{ - moduleName = $moduleName + moduleName = $moduleFolderName resourceType = 'diagnosticsettings' ProviderNamespace = 'Microsoft.insights' - TargetApi = $ApiVer[$i] + TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions } + break } - elseif ($ResourceType[$i].Split('/').Count -ne 2 -and $ResourceType[$i] -like '*locks*') { + { $PSItem -like '*locks' } { $testCases += @{ - moduleName = $moduleName + moduleName = $moduleFolderName resourceType = 'locks' ProviderNamespace = 'Microsoft.Authorization' - TargetApi = $ApiVer[$i] + TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions } + break } - elseif ($ResourceType[$i].Split('/').Count -ne 2 -and $ResourceType[$i] -like '*roleAssignments*') { + { $PSItem -like '*roleAssignments' } { $testCases += @{ - moduleName = $moduleName + moduleName = $moduleFolderName resourceType = 'roleassignments' ProviderNamespace = 'Microsoft.Authorization' - TargetApi = $ApiVer[$i] + TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions } + break } - elseif ($ResourceType[$i] -notlike '*diagnosticsettings*' -and $ResourceType[$i] -notlike '*locks*' -and $ResourceType[$i] -notlike '*roleAssignments*' -and $ResourceType[$i].Split('/').Count -ne 2) { - # not handled - } - else { + { $PSItem -like '*privateEndpoints' } { $testCases += @{ - moduleName = $moduleName - resourceType = $ResourceType[$i].Split('/')[1] - ProviderNamespace = $ResourceType[$i].Split('/')[0] - TargetApi 
= $ApiVer[$i] + moduleName = $moduleFolderName + resourceType = 'privateEndpoints' + ProviderNamespace = 'Microsoft.Network' + TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions } + break } - } - else { - $testCases += @{ - moduleName = $moduleName - resourceType = ($ResourceType.Split('/')[1]) - ProviderNamespace = $ResourceType.Split('/')[0] - TargetApi = $ApiVer - AvailableApiVersions = $ApiVersions + Default { + $ProviderNamespace, $rest = $resource.Type.Split('/') + $testCases += @{ + moduleName = $moduleFolderName + resourceType = $rest -join '/' + ProviderNamespace = $ProviderNamespace + TargetApi = $resource.ApiVersion + AvailableApiVersions = $ApiVersions + } + break } } } } - It "In [] used resource type [] should use on of the recent API version(s). Currently using []" -TestCases $TestCases { + It 'In [] used resource type [] should use on of the recent API version(s). Currently using []' -TestCases $TestCases { param( $moduleName, $resourceType, 
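Review bot: `$moduleFolderName = $moduleFolderPath.Split('\arm\')[1]` is Windows-specific: on a Linux runner the path contains `/arm/`, the split returns the unchanged path and `[1]` is `$null`, so every test case in this describe is labelled with an empty module name. In Windows PowerShell the single-string `Split` argument additionally binds to the `char[]` overload and splits on each of `\`, `a`, `r`, `m`. Use a separator-agnostic expression such as `$moduleFolderPath -replace '^.*[\\/]arm[\\/]', ''`. The `switch` refactor over `Get-NestedResourceList` is a clear improvement over the index-based loop; note that the `'*locks'`, `'*roleAssignments'` and `'*privateEndpoints'` patterns are deliberately looser than the `'*providers/locks'` pattern used by the lock tests earlier in this file, and the two should be aligned.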
@@ -1037,17 +831,16 @@ Describe "Api version tests [All apiVersions in the template should be 'recent'] $namespaceResourceTypes = ($AvailableApiVersions | Where-Object { $_.ProviderNamespace -eq $ProviderNamespace }).ResourceTypes $resourceTypeApiVersions = ($namespaceResourceTypes | Where-Object { $_.ResourceTypeName -eq $resourceType }).ApiVersions - - # We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 3 non-preview - $approvedApiVersions = $resourceTypeApiVersions | Select-Object -First 5 - $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike "*-preview" } | Select-Object -First 3 - - # NOTE: This is a workaround to account for the 'assumed' deployments version used by bicep when building an ARM template from a bicep file with modules in it - # Ref: https://github.com/Azure/bicep/issues/3819 - if ($resourceType -eq 'deployments') { - $approvedApiVersions += '2019-10-01' + + if (-not $resourceTypeApiVersions) { + Write-Warning ('[Api Test] We are currently unable to determine the available API versions for resource type [{0}/{1}]' -f $ProviderNamespace, $resourceType) + continue } - $approvedApiVersions | Should -Contain $TargetApi + # We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 3 non-preview + $approvedApiVersions = @() + $approvedApiVersions += $resourceTypeApiVersions | Select-Object -First 5 + $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -First 3 + ($approvedApiVersions | Select-Object -Unique) | Should -Contain $TargetApi } -} \ No newline at end of file +} diff --git a/arm/.global/shared/helper.psm1 b/arm/.global/shared/helper.psm1 new file mode 100644 index 0000000000..d793e9afa9 --- /dev/null +++ b/arm/.global/shared/helper.psm1 
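Review bot: `continue` inside the `It` script block is not safe: there is no loop in the block, so the statement propagates to whatever loop Pester is running internally, which can abort the remaining test cases rather than just this one, and the unresolved-type case then passes silently with only a warning. Use `Set-ItResult -Skipped -Because ('no API versions found for [{0}/{1}]' -f $ProviderNamespace, $resourceType)` (Pester 5) so the gap is visible in the results. The `Select-Object -First 5` / `-First 3` window also relies on `ApiVersions` from `Get-AzResourceProvider` being ordered newest first; an explicit `Sort-Object -Descending` before slicing makes the comment ('latest 5 ... latest 3 non-preview') hold regardless of the provider's ordering. Dropping the hard-coded `2019-10-01` deployments workaround is fine given `Microsoft.Resources/deployments` is now filtered out when the test cases are built.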
@@ -0,0 +1,39 @@ +<# +.SYNOPSIS +Get a list of all resources (provider + service) in the given template content + +.DESCRIPTION +Get a list of all resources (provider + service) in the given template content. Crawls through any children & nested deployment templates. + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.EXAMPLE +Get-NestedResourceList -TemplateFileContent @{ resource = @{}; ... } + +Returns a list of all resources in the given template object +#> +function Get-NestedResourceList { + + [CmdletBinding()] + param( + [Parameter(Mandatory)] + [hashtable] $TemplateContent + ) + + $res = @() + $currLevelResources = @() + if ($TemplateContent.resources) { + $currLevelResources += $TemplateContent.resources + } + foreach ($resource in $currLevelResources) { + $res += $resource + + if ($resource.type -eq 'Microsoft.Resources/deployments') { + $res += Get-NestedResourceList -TemplateContent $resource.properties.template + } else { + $res += Get-NestedResourceList -TemplateContent $resource + } + } + return $res +} diff --git a/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep b/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep index 9e3b3197e2..ad991a2a51 100644 --- a/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep 
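Review bot: The comment-based help documents `.PARAMETER TemplateFileContent` and the `.EXAMPLE` calls `-TemplateFileContent`, but the function's only parameter is `$TemplateContent`; align the help and example with the real parameter name, otherwise `Get-Help` and copy-pasted examples are wrong. Separately, the `Microsoft.Resources/deployments` branch passes `$resource.properties.template` straight into the recursive call, which is `$null` for a nested deployment that uses `templateLink` instead of an inline template; because `-TemplateContent` is `[Parameter(Mandatory)] [hashtable]`, that binding fails with an error rather than being skipped. Guard it with something like `if ($resource.properties.template) { ... }` so linked templates are tolerated.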
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.AnalysisServices/servers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.AnalysisServices/servers/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.AnalysisServices/servers/deploy.bicep b/arm/Microsoft.AnalysisServices/servers/deploy.bicep index 9adca05baf..c38ce61956 100644 --- a/arm/Microsoft.AnalysisServices/servers/deploy.bicep +++ b/arm/Microsoft.AnalysisServices/servers/deploy.bicep 
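Review bot: The symbolic name `roleAssigment` on both the removed and the added line is misspelled (missing the `n`); since the resource declaration is being rewritten for the API version bump, rename it to `roleAssignment`. It is only a Bicep symbol, so the deployed resource name, which is derived from `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)`, is unaffected.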
@@ -56,35 +56,42 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Engine' + 'Service' +]) +param logsToEnable array = [ + 'Engine' + 'Service' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' ] -var diagnosticsLogs = [ - { - category: 'Engine' + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'Service' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
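Review bot: The parameter descriptions should say what an empty `logsToEnable` / `metricsToEnable` means: with the `[for ...]` comprehensions an empty array yields an empty `logs` / `metrics` list, which is a legitimate way to switch a stream off, but nothing in the text tells the caller that; if that is not intended, add `@minLength(1)` to the two array parameters. Minor wording on the same lines: "The name of logs that will be streamed" reads better as "The names of the log categories to stream" (same for metrics). Also worth stating next to `retentionPolicy.days` that the retention value only applies to the storage-account destination, since callers sending only to a workspace or Event Hub may otherwise expect it to take effect.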
@@ -129,8 +136,8 @@ resource server_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'N scope: server } -resource server_diagnosticSettings 'Microsoft.AnalysisServices/servers/providers/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { - name: '${server.name}/Microsoft.Insights/service' +resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${server.name}-diagnosticSettings' properties: { storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) workspaceId: (empty(workspaceId) ? json('null') : workspaceId) @@ -139,6 +146,7 @@ resource server_diagnosticSettings 'Microsoft.AnalysisServices/servers/providers metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } + scope: server } module server_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { diff --git a/arm/Microsoft.AnalysisServices/servers/readme.md b/arm/Microsoft.AnalysisServices/servers/readme.md index 5a62e0020ff39c9b15ccdd2c268715f64002d9f6..564ada8be940e5eeed61537864fae5ff7f679d2c 100644 GIT binary patch literal 4740
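Review bot: Switching from the nested-name form `'${server.name}/Microsoft.Insights/service'` to the extension resource `Microsoft.Insights/diagnosticsettings` with `scope: server` is the right modelling, but the diagnostic setting's name changes from `service` to `${server.name}-diagnosticSettings`, so on an environment that was already deployed with this module the old setting is not updated: it stays in place and a second setting is created beside it. Call that out in the changelog and module readme, or keep the name `service` so re-deployments remain idempotent. In the second hunk, the `metrics:` / `logs:` ternaries repeat the same four `empty(...)` checks that already gate the whole resource; inside the resource they can never be true, so `metrics: diagnosticsMetrics` and `logs: diagnosticsLogs` would be clearer.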
diff --git a/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep b/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep index 8731c0862e..c40c73a0d6 100644 --- a/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.ApiManagement/service/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.ApiManagement/service/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { diff --git a/arm/Microsoft.ApiManagement/service/deploy.bicep b/arm/Microsoft.ApiManagement/service/deploy.bicep index f0d060bdef..f02eddc548 100644 --- a/arm/Microsoft.ApiManagement/service/deploy.bicep +++ b/arm/Microsoft.ApiManagement/service/deploy.bicep @@ -154,6 +154,41 @@ param workspaceId string = '' @description('Optional. A list of availability zones denoting where the resource needs to come from.') param zones array = [] +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'GatewayLogs' +]) +param logsToEnable array = [ + 'GatewayLogs' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
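Review bot: In the `deploy.bicep` hunk, `@allowed` pins `logsToEnable` to exactly `'GatewayLogs'`, so any further log category the API Management service exposes cannot be enabled by a caller without a module change; confirm the list against the provider's current diagnostic categories before merging and keep it in sync when new ones appear. The same misspelled symbolic name `roleAssigment` as in the Analysis Services module is carried over in the `nested_rbac.bicep` hunk; fix it here too.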
@@ -172,26 +207,7 @@ var builtInRoleNames = { 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } -] -var diagnosticsLogs = [ - { - category: 'GatewayLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } -] + var isAadB2C = (identityProviderType == 'aadB2C') module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { 
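Review bot: The replacement leaves a stray `+` blank line right after the closing `}` of `builtInRoleNames`, where the two `var` blocks used to be; drop it. Apart from that the removal is sound: both arrays are now generated from `logsToEnable` / `metricsToEnable` earlier in the file with the same `GatewayLogs` and `AllMetrics` categories and the same `diagnosticLogsRetentionInDays` retention as the literals removed here.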
diff --git a/arm/Microsoft.ApiManagement/service/readme.md b/arm/Microsoft.ApiManagement/service/readme.md index 5e418e20810c4b7242e04532a74bb9e5c8f3fbf5..1c6f50e9acb8f3f98372234775bba886dd402f77 100644 GIT binary patch literal 9925
diff --git a/arm/Microsoft.ApiManagement/serviceResources/caches/readme.md b/arm/Microsoft.ApiManagement/serviceResources/caches/readme.md index 9d3cd3fcb97536e345c30a9461cf6ef3f4798534..8d0c879f0416dcfb06498a0bb01dc9232f6afd47 100644 GIT binary patch literal 1672
diff --git a/arm/Microsoft.ApiManagement/serviceResources/namedValues/readme.md b/arm/Microsoft.ApiManagement/serviceResources/namedValues/readme.md index 53f69fca5bb0516dff8a500430684c7798ca2e3e..5657a534569b05db05676b8156a4326db63ac051 100644 GIT binary patch literal 2255
diff --git a/arm/Microsoft.ApiManagement/serviceResources/products/readme.md b/arm/Microsoft.ApiManagement/serviceResources/products/readme.md index 1078fb9089c564fd1ebae130c256d6c0cccccbad..6cfed88890b9d5a026d39ca08b867296e04c1f1d 100644 GIT binary patch literal 3867
XI0>y+pFDTEd3uQHPH2Y*o{Q0cj!}n| literal 6278 zcmdUz-)|d55Xbi!iT~lGzO)D@zyl8mfudHbB2*eBp)VC8j&n&2j%{MMA&9>n_fRHeN%Phmt?ZO4l?kHF}iZrPH)X zqjarVbB&GDOz#%y)AWg5$LUgI3(dXKn={Ry=<7;%wdPMWc581xRL{;@)02d~hmyOH z)OWIIWSW-JFt^dL>95Xt$E$f&;(gfjMqge_qWi@=q%h-~G|->V&iC>5M2L+Imzmjf zE^KyIQoFF+)hsl4*Vp#@rGDp)&bTI9UugVX@5wIm@{R5%dWzWxLS&)8@fwZy>lt7PpOLYd$r0Cn#`k4HIUatU zm{zj>CLPP`p%~yX4sM<59q|t@uM01H>~&FR@N#EmyW@Ce^6;dR4j4s@L6~Tl8Y}6h zrUg^rW3c7Sq~=`5Zt7rH<{p{!$lHig__Hvr!DCQ#FZ`F>E4hm=kq21g@t!HR&Q;>s ze2O~NWmzQ@%9?`o(x;KI9j1Nd;{B}cLjJjA;N#3}1?8Xg?CS(obh+~XRP$nWsDvbW z`ZT@N?0qrsncl1C_&XI2)TV{4#^n9EF87bV04sB~Co9Ne zzHmukIaa)>4PM*nMLee9?vkj1&PK*qfvFL&q|JV6-OOz1XTN8CRLK6EJzC2mPrcvZ zj&*2c450p!y;#1KC$;{F=};FD^4@5qcc0rRHhXTP-MPfvCVC^AOJ%~l(u#@3zzwc6 z#aw zFD%BAF_t8c*#r~&W&2m{N=1%R17mN%ddwQ&+1a#b zvn$E(;a+rjpV>XRF_ztM`g>hy;eMNi^ce9a9wCiy++XiRS&jaSOnS)s>d_ON(UCIi3DGShwonDt% zFX)vS!?Hk|F=BxK?5eJfCBC{>iipbz4{tSt3ZCUsJKP(jfSA`DEc#U!u?kFyRD1ls zaoX-7o{&dwg?s7!Af9_43CF!_q?Ws{SmkkKe@UHo3HL)j5Xy*j$=Zf_ptjx8I{jg_ z96avNa%Ph^aG9@Q82rf6e08NNvzPZ8<2+{m&58$Lob%6Td2h|GYBLLAcAj4wx3W%b z$u+6uJ)>==FxG`_*&FrMj)!;gN2)MgCnJ>*^S(Z>oUv!F(rfEp=Jwm%5teVZ?*$*a zkIVbDK7b;3H_*SLwP(i;pt+Z6?pE4;QO1j1)QPdD3*ok|?Xf&wtt8%W^`CW7 z?P8yI*SZrLKh)xv(!=g%eg~pqbFitsFKnYwX|EMhy_2S*=eqtlzGsg!r=QCgP6Wqd z2ngoNkr_@k_(dli%&c|C*IB}zzC5!U2rLXm6+oFN|h?u%`-$4ze+kJj!D1z?WhHr;0?3$bh z30C1N`8km!?j4VF-C+eMcXfJvJla~ptMuW8w8p7%K9~GBcDxc_+VO4Uh`n8>vVAA2 vrElzWa(&rdovpK{Yo4tieI(qw{Pil)b=K7Fcl$J&Q|+dgee26&759Gui1SM8 diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index 0e03112066..4a6b8cc3a1 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md 
@@ -1,33 +1,31 @@ -# PolicyAssignment +# PolicyAssignment `[Microsoft.Authorization/policyAssignments]` ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/policyAssignments`|2020-09-01| -|`Microsoft.Authorization/roleAssignments`|2020-04-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/policyAssignments` | 2020-09-01 | +| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | | -| `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | | -| `parameters` | array | Optional. Parameters for the policy assignment if needed. | | | -| `identity` | string | Optional. The managed identity associated with the policy assignment. | | | -| `roleDefinitionIds` | array | Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built in Roles. They must match on what is on the policy definition | | | -| `policyAssignmentDescription` | string | Optional. This message will be part of response in case of policy violation. | | | -| `displayName` | string | Optional. The display name of the policy assignment. | | | -| `metadata` | object | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. 
| | | -| `nonComplianceMessage` | string | Optional. The messages that describe why a resource is non-compliant with the policy. If not provided will be replaced with empty | | | -| `enforcementMode` | string | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | | -| `notScopes` | array | Optional. The policy excluded scopes | | | -| `location` | string | Optional. Location for all resources. | | | -| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | | -| `subscriptionId` | string | Optional. ID of the Subscription where you want to assign the policy. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided policy to the subscription. | | -| `managementGroupId` | string | Optional. ID of the Management Group where you want to assign the policy. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided policy to the management group. | | - +| `displayName` | string | | | Optional. The display name of the policy assignment. If not provided, will be replaced with the Policy Assignment Name | +| `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | +| `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. 
| +| `managementGroupId` | string | | | Optional. The Target Scope for the Policy. The name of the management group for the policy assignment | +| `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | +| `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. If not provided will be replaced with empty | +| `notScopes` | array | `[]` | | Optional. The policy excluded scopes | +| `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | +| `policyAssignmentDescription` | string | | | Optional. This message will be part of response in case of policy violation. If not provided, will be replaced with the Policy Assignment Name | +| `policyAssignmentName` | string | | | Required. Specifies the name of the policy assignment. | +| `policyDefinitionID` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | +| `resourceGroupName` | string | | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment | +| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built in Roles. They must match on what is on the policy definition | +| `subscriptionId` | string | | | Optional. The Target Scope for the Policy. The Id of the subscription for the policy assignment | ### Parameter Usage: `managementGroupId` 
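Review bot: In the policyAssignments parameter table (hunk `@@ -1,33 +1,31 @@`), the new `roleDefinitionIds` row is labelled "Required." while carrying a default of `[]`; one of the two is wrong. Because `identity` now defaults to `SystemAssigned`, the out-of-the-box combination creates a managed identity that is granted no role at all, which only matters for the 'Modify' (and similar remediation) definitions the `identity` description mentions. Suggest marking `roleDefinitionIds` as "Optional." and stating in its description that the identity receives no permissions unless role definition IDs are supplied, or defaulting `identity` to `None` so no identity is created unless needed. Same table: the `parameters` type changes from `array` to `object`, which breaks existing parameter files and deserves a mention in the PR description; the `roleDefinitionIds` description still ends in a double period ("...4b1b4947fb11'.."); and the `enforcementMode` description's trailing "- Default or DoNotEnforce" is now redundant with the new Possible Values column.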
@@ -39,7 +37,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` @@ -67,16 +65,13 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `policyAssignmentId` | string | The ID of the Policy Assignment | -| `policyAssignmentPrincipalId` | string | The Principal ID Of the Managed Identity for the Policy Assignment | -| `policyAssignmentName` | string | Name of the Policy Assignment. | - -## Considerations +| Output Name | Type | +| :-- | :-- | +| `policyAssignmentId` | string | +| `policyAssignmentName` | string | +| `policyAssignmentPrincipalId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Policy Assignments](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyassignments?tabs=bicep) -- [Role Assignments](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?tabs=bicep) +- [Policyassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-09-01/policyAssignments) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md index fa965bd8bd..ecd26d9b10 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md 
@@ -1,26 +1,25 @@ -# PolicyDefinition +# PolicyDefinition `[Microsoft.Authorization/policyDefinitions]` ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/policyDefinitions`|2020-09-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/policyDefinitions` | 2020-09-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `policyDefinitionName` | string | Required. Specifies the name of the policy definition. Space characters will be replaced by (-) and converted to lowercase | | | -| `displayName` | string | Optional. The display name of the policy definition. | | | -| `policyDescription` | string | Optional. The policy definition description. | | | -| `mode` | string | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | All | | -| `metadata` | object | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | -| `parameters` | array | Optional. The policy definition parameters that can be used in policy definition references. | | | -| `policyRule` | object | Required. The Policy Rule details for the Policy Definition' | | | -| `subscriptionId` | string | Optional. ID of the Subscription where you want to deploy the policy definition. Cannot use this parameter with the management group Id | | -| `managementGroupId` | string | Optional. ID of the Management Group where you want to deploy the policy definition. Cannot use this parameter with subscription Id | | -| `location` | string | Optional. Location for all resources. | | | +| `displayName` | string | | | Optional. The display name of the policy definition. | +| `location` | string | `[deployment().location]` | | Optional. 
Location for all resources. | +| `managementGroupId` | string | | | Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | +| `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. | +| `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | +| `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | +| `policyDefinitionName` | string | | | Required. Specifies the name of the policy definition. Space characters will be replaced by (-) and converted to lowercase | +| `policyDescription` | string | | | Optional. The policy definition description. | +| `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | +| `subscriptionId` | string | | | Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId | ### Parameter Usage: `managementGroupId` @@ -32,7 +31,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` 
@@ -46,15 +45,12 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `policyDefinitionId` | string | The ID of the Policy definition | -| `policyDefinitionName` | string | Name of the Policy definition | -| `roleDefinitionIds` | array | An array of the Role Definition Resource IDs that the policy definition uses. Only available if policy definition contains it | +| Output Name | Type | +| :-- | :-- | +| `policyDefinitionId` | string | +| `policyDefinitionName` | string | +| `roleDefinitionIds` | array | -## Considerations +## Template references -## Additional resources - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Policy Definitions](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policydefinitions?tabs=bicep) +- [Policydefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-09-01/policyDefinitions) diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md index 39a27de210..9fe8a0973a 100644 --- a/arm/Microsoft.Authorization/policyExemptions/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/readme.md 
@@ -1,28 +1,27 @@ -# PolicyExemption +# PolicyExemption `[Microsoft.Authorization/policyExemptions]` ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/policyExemptions`|2020-09-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/policyExemptions` | 2020-07-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `policyExemptionName` | string | Required. Specifies the name of the policy exemption. Space characters will be replaced by (-) and converted to lowercase | | | -| `displayName` | string | Optional. The display name of the policy exemption. | | | -| `policyExemptionDescription` | string | Optional. The description of the policy exemption. | | | -| `metadata` | object | Optional. The policy Exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | -| `exemptionCategory` | string | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | Mitigated |Mitigated,Waiver | -| `policyAssignmentId` | string | Required. The ID of the policy assignment that is being exempted. | | | -| `policyDefinitionReferenceIds` | array | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.| | | -| `expiresOn` | string | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | 2021-10-02T03:57:00.000Z | -| `resourceGroupName` | string | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | | -| `subscriptionId` | string | Optional. 
The ID of the azure subscription to be exempted from the policy assignment. Cannot use with management group id parameter. | | -| `managementGroupId` | string | Optional. The ID of the management group to be exempted from the policy assignment. Cannot use with subscription id parameter. | | -| `location` | string | Optional. Location for all resources. | | | +| `displayName` | string | | | Optional. The display name of the policy exemption. | +| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | +| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. | +| `managementGroupId` | string | | | Optional. The ID of the management group to be exempted from the policy assignment. Cannot use with subscription id parameter. | +| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs. | +| `policyAssignmentId` | string | | | Required. The ID of the policy assignment that is being exempted. | +| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | +| `policyExemptionDescription` | string | | | Optional. The description of the policy exemption. | +| `policyExemptionName` | string | | | Required. Specifies the name of the policy exemption. Space characters will be replaced by (-) and converted to lowercase | +| `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | +| `subscriptionId` | string | | | Optional. 
The ID of the azure subscription to be exempted from the policy assignment. Cannot use with management group id parameter. | ### Parameter Usage: `managementGroupId` @@ -34,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` @@ -61,17 +60,16 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `policyExemptionId` | string | The ID of the Policy Exemption | -| `policyExemptionName` | string | Name of the Policy Exemption | -| `policyExemptionScope` | string | The scope where the Policy Exemption is applied at | +| Output Name | Type | +| :-- | :-- | +| `policyExemptionId` | string | +| `policyExemptionName` | string | +| `policyExemptionScope` | string | ## Considerations - Policy Exemptions have a dependency on Policy Assignments being applied before creating an exemption. You can use the Policy Assignment [Module](../policyAssignments/deploy.bicep) to deploy a Policy Assignment and then create the exemption for it on the required scope. -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Policy Exemption](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions) +- [Policyexemptions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-07-01-preview/policyExemptions) diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md index e01b0f125e..c67530aac6 100644 
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md 
@@ -1,26 +1,25 @@ -# policySetDefinition +# policySetDefinition `[Microsoft.Authorization/policySetDefinitions]` ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/policySetDefinitions`|2020-09-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/policySetDefinitions` | 2020-09-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `policySetDefinitionName` | string | Required. Required. Specifies the name of the policy Set Definition (Initiative). Space characters will be replaced by (-) and converted to lowercase | | | -| `displayName` | string | Optional. Optional. The display name of the Set Definition (Initiative) | | | -| `policySetDescription` | string | Optional. The description name of the Set Definition (Initiative) | | | -| `metadata` | object | Optional. Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | -| `policyDefinitions` | array | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters | | | -| `policyDefinitionGroups` | string | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | | | -| `parameters` | object | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.| | | -| `subscriptionId` | string | Optional. The ID of the azure subscription where the initiative is being deployed at. Cannot use with management group id parameter. | | -| `managementGroupId` | string | Optional. The ID of the management group where the initiative is being deployed at. 
Cannot use with subscription id parameter. | | -| `location` | string | Optional. Location for all resources. | | | +| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. | +| `managementGroupId` | string | | | Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | +| `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key value pairs. | +| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. | +| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | +| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters | +| `policySetDefinitionName` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Space characters will be replaced by (-) and converted to lowercase | +| `policySetDescription` | string | | | Optional. The Description name of the Set Definition (Initiative) | +| `subscriptionId` | string | | | Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId | ### Parameter Usage: `managementGroupId` 
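Review bot: In the policySetDefinitions parameter table (hunk `@@ -1,26 +1,25 @@`), `policyDefinitionGroups` changes type from `string` to `array` with a default of `[]`; callers that currently pass a string will break, so this type change should be called out explicitly rather than left implicit in a generated table. Minor: the `policySetDescription` row reads "The Description name of the Set Definition (Initiative)", which should be "The description of the Set Definition (Initiative)". The removal of the duplicated "Required. Required." and "Optional. Optional." prefixes is a welcome cleanup.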
@@ -32,7 +31,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` @@ -46,16 +45,15 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `policySetDefinitionId` | string | The ID of the Policy Set Definitions (Initiatives) | -| `policySetDefinitionName` | string | Name of the Policy Set Definitions (Initiatives) | +| Output Name | Type | +| :-- | :-- | +| `policySetDefinitionId` | string | +| `policySetDefinitionName` | string | ## Considerations - Policy Set Definitions (Initiatives) have a dependency on Policy Assignments being applied before creating an initiative. You can use the Policy Assignment [Module](../policyDefinitions/deploy.bicep) to deploy a Policy Definition and then create an initiative for it on the required scope. -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Policy Set Definitions (Initiatives)](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policysetdefinitions?tabs=bicep) +- [Policysetdefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-09-01/policySetDefinitions) diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index 9e9c9df7cd..a515a86287 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md 
@@ -1,24 +1,23 @@ -# Role Assignments +# Role Assignments `[Microsoft.Authorization/roleAssignments]` This module deploys Role Assignments. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Authorization/roleAssignments`|2020-04-01-preview| -|`Microsoft.Resources/deployments`|2019-10-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `roleDefinitionIdOrName` | string | | Owner | Required. You can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `principalId` | string | | abcdefgh-1234-1234-1234-ec99e51285a3 | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. -| `subscriptionId` | string | "" | | Optional. ID of the Subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. -| `managementGroupId` | string | "" | | Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. -| `location` | string | [deployment().location] | | Optional. Location for all resources. 
| +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. | +| `managementGroupId` | string | | | Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | | | Optional. ID of the Subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | ### Parameter Usage: `managementGroupId` @@ -30,7 +29,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` 
@@ -58,18 +57,16 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `roleAssignmentName` | string | The name of the role assignment | -| `roleAssignmentScope` | string | The scope of the assignments defined in this module were created on. | -| `roleAssignmentId` | array | Role Assignment Resource ID | +| Output Name | Type | +| :-- | :-- | +| `roleAssignmentId` | string | +| `roleAssignmentName` | string | +| `roleAssignmentScope` | string | ## Considerations This module can be deployed at the management group, subscription or resource group level -## Additional resources +## Template references -- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) -- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index bc810c19eb..06469aabf5 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -1,28 +1,27 @@ -# Role Definitions +# Role Definitions `[Microsoft.Authorization/roleDefinitions]` This module deploys custom RBAC Role Definitions. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Authorization/roleDefinitions`|2018-07-01| -|`Microsoft.Resources/deployments`|2018-02-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/roleDefinitions` | 2018-01-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `roleName` | string | | | Required. Name of the custom RBAC role to be created. -| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created. -| `actions` | array | [] | | Optional. List of allowed actions. -| `notActions` | array | [] | | Optional. List of denied actions. -| `dataActions` | array | [] | | Optional. List of allowed data actions. -| `notDataActions` | array | [] | | Optional. List of denied data actions. -| `managementGroupId` | string | "" | | Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. -| `subscriptionId` | string | "" | | Optional. The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. -| `location` | string | "" | | Optional. Location for all resources. If not provided, will default to the deployment location. +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | `[]` | | Optional. List of allowed actions. 
| +| `dataActions` | array | `[]` | | Optional. List of allowed data actions. | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. | +| `managementGroupId` | string | | | Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | +| `notActions` | array | `[]` | | Optional. List of denied actions. | +| `notDataActions` | array | `[]` | | Optional. List of denied data actions. | +| `resourceGroupName` | string | | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. | +| `roleDescription` | string | | | Optional. Description of the custom RBAC role to be created. | +| `roleName` | string | | | Required. Name of the custom RBAC role to be created. | +| `subscriptionId` | string | | | Optional. The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | ### Parameter Usage: `managementGroupId` @@ -34,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. ### Parameter Usage: `subscriptionId` 
@@ -62,11 +61,11 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `roleDefinitionName` | string | The name of the role definition | -| `roleDefinitionId` | string | The id of the role definition that was created. | -| `roleDefinitionScope` | string | The scope this definition was created on. | +| Output Name | Type | +| :-- | :-- | +| `roleDefinitionId` | string | +| `roleDefinitionName` | string | +| `roleDefinitionScope` | string | ## Considerations @@ -76,8 +75,6 @@ This module can be deployed both at subscription or resource group level: - To deploy the module at the subscription level, provide an existing subscription ID in the `subscriptionId` parameter. - To deploy the module at the management group level, provide an existing management group ID in the `managementGroupId` parameter. -## Additional resources +## Template references -- [Understand Azure role definitions](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions) -- [Microsoft.Authorization roleDefinitions template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file +- [Roledefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2018-01-01-preview/roleDefinitions) 
diff --git a/arm/Microsoft.Automanage/accounts/readme.md b/arm/Microsoft.Automanage/accounts/readme.md index 07cebd4b5a711b7ed0c781fc30edc2d502c80520..c29c6585fe7d1b6e483e0df9ccaa020168d693da 100644 GIT binary patch literal 1833 zcmb_d!EV|>5WVviBjo@{F{WwNLvARMq8wQl>S{6An=!BoS8eR>f;g@LmDJl)F6>dVoW{GyU z#|OVgpNH=~c%$>uS&Y}pSSPZvkSkRn#ih|}l`{HR>SCdm&IELiMlaMm_*%z!k{*Q- zIa)5`2|C=tH;!^&o;v=y#f5O0g%^=IfB&et{W%XP1Sn*XG^+Icw5dF$^+>Kbh+N-EO}> z^Hurt5YUNi0FxC$;TzNo@Hi?JLai$=h2#uhEvGx9UHLKC?@OQae{h;w#i3>ed$U4= zr^q)d%V3Tm4e~0amG<6}MU!CGO6sJanU5#av1aY+$cRU869t4!z)7Tm}xM z6ZdK3$o3>|95MZ9;F-KVj4Tg-?t+R`3cb7M``f;s7h8hAhMe<#qhZOkqioAsSSn%x zV>+n%&a@1h&^S1mR$k&amX%WHyseG;-?w^N=V!C8ntH+?P6ZUF^0F*7HYTe*>VsMB zC$!E#7S&%AZpmX8obSO|wv4dR)n#*?&zbsl38If})rGZ@=_J&ND6@N>UzyL#UP W*jp3*>&dnASI3^(@Zr_h@B9Ydo`Ep{ literal 8518 zcmeHMTTc@~6h6-;{)Y*e6p5vv#zfy5Ob8DuLFC043uOzN^n%?20r9V^-#5c_X0Pt{ z;?~4W+TEQwGjncp&Y5$5{ahC%ZMl+(jO3l1$PmAC3FNUn(!V3QkWeB(4FGWl$Ua6D z-U7MA`$%r}C}(D`q_AQaZG^c)?8EON=JOe$jW8DCeS#Ia&oS^&a)Z7J_E!42HN|IL z*3oyUVY%WMvx(0U@VL~y7W4Z;IEB%A8}Vxc=Mc|hU_J)*A-F+4#@oH7p73v^xuQ); zS^Nk|84STD}G zdA^9>bJ^CvCY~?B`EA+3|0S>pzJaevLE~tp@eH1=^|UJuN|=VxE5^;{y%N zkzzS7j-I47A%4DnTaJDuW#s6gju}nke-h5>8_$rjh6mstIY>My5pvkKg6VN3?;qgP zs~7bUM{8*f9DCkk&mPvJZ=iiY#(N)Mw9EB2Vs`*dGq&PXYm|Z}TKwp5(#_HoY0DHs zf30q&VOOWeS=B{(iL^~m_pFjXnhm?zX4OqMv36dRaab2xZS}O1q19zHm6{)675d#F ze5>J2nVI##5Z~&Jvp#sIn$}|%e(%+S{<$y2mvbP~8S-VR7nJsT~qhju+ zJB<+H^XmE{z70g^v=4Fo8e)6~?-tj%j~(I3$b=Szvx@w8J~tKYA@{Pk%VLYaSg!c; zW{#_zhc3n;Ti(TU>KrA$)f;EgzkP!ShuXrP#o{$*u}z%DydkZz$s{sjv-UZiaja^k z%VVFEH!1MFPPT_GUjM(mDc53o(*yf_R$ly3%-#7$eR+4GsV5Tm#j~uQE$=m10~c1Y z&3?YK?D;OZNSn_a7qePQKH=NcCzv~*pz$_x3OIZ7wLX1A_5i()+!XI8=5A-|7`C4k z4YR(r4)hHsuglmlLR@!?ne02qF2sabFtX!{M&2$9_d#P}vZC?)n?EvJ=8b&K&by^= zWcBEU)Bbt0PsYFdtE7AC&AwRKQz{+kW4d})h zT4gYGh&JXh6J%{M^J>O^`ugD3X=3zqs+Q{{8_5@Bo-VN71aW(W>Ss$=W|-@YAgclP zO4be;`wsxcieOV)aaP*y@HR$Y3o8W}H<>EFv(}SUgG|bXaI6OI$ZM>-qw8k;Vns4f y-y`@Q`UgWNZ!)%G?kYu_J{`CK 
diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep index 6160e54c1a..ea320c7f26 100644 --- a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep @@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep index 961e403210..754c08bbd0 100644 --- a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Automation/automationAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Automation/automationAccounts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Automation/automationAccounts/deploy.bicep b/arm/Microsoft.Automation/automationAccounts/deploy.bicep index fda3bb2970..9fb0024fd5 100644 --- a/arm/Microsoft.Automation/automationAccounts/deploy.bicep +++ b/arm/Microsoft.Automation/automationAccounts/deploy.bicep 
@@ -79,44 +79,44 @@ var accountSasProperties = { signedProtocol: 'https' } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'JobLogs' + 'JobStreams' + 'DscNodeStatus' +]) +param logsToEnable array = [ + 'JobLogs' + 'JobStreams' + 'DscNodeStatus' ] -var diagnosticsLogs = [ - { - category: 'JobLogs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'JobStreams' +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DscNodeStatus' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') diff --git a/arm/Microsoft.Automation/automationAccounts/readme.md b/arm/Microsoft.Automation/automationAccounts/readme.md index 606fada1b9..53e95f4fc0 100644 --- a/arm/Microsoft.Automation/automationAccounts/readme.md +++ b/arm/Microsoft.Automation/automationAccounts/readme.md 
@@ -1,46 +1,47 @@ -# AutomationAccounts +# AutomationAccounts `[Microsoft.Automation/automationAccounts]` This module deploys an Azure Automation Account, with resource lock. ## Resource Types -| Resource Type | Api Version | -| :------------------------------------------------------------------ | :----------------- | -| `Microsoft.Automation/automationAccounts` | 2020-01-13-preview | -| `Microsoft.Automation/automationAccounts/modules` | 2020-01-13-preview | -| `Microsoft.Automation/automationAccounts/schedules` | 2020-01-13-preview | -| `Microsoft.Automation/automationAccounts/runbooks` | 2019-06-01 | -| `Microsoft.Automation/automationAccounts/jobSchedules` | 2020-01-13-preview | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Automation/automationAccounts/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Automation/automationAccounts` | 2020-01-13-preview | +| `Microsoft.Automation/automationAccounts/jobSchedules` | 2020-01-13-preview | +| `Microsoft.Automation/automationAccounts/modules` | 2020-01-13-preview | +| `Microsoft.Automation/automationAccounts/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Automation/automationAccounts/runbooks` | 2019-06-01 | +| `Microsoft.Automation/automationAccounts/schedules` | 2020-01-13-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :------------------------------ | :----- | 
:--------------------------- | :---------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `automationAccountName` | string | | | Required. Name of the Azure Automation Account | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | -| `skuName` | string | `Basic` | `Free`, `Basic` | Optional. Specifies the SKU for the Automation Account | -| `modules` | array | [] | | Optional. List of modules to be created in the automation account. Complex structure, see below. | -| `schedules` | array | [] | | Optional. List of schedules to be created in the automation account. Complex structure, see below. | -| `runbooks` | array | [] | | Optional. List of runbooks to be created in the automation account. Complex structure, see below. | -| `jobSchedules` | array | [] | | Optional. List of jobSchedules to be created in the automation account. Complex structure, see below. | -| `baseTime` | string | [utcNow('u')] | | Optional. Time used as a basis for e.g. the schedule start date | -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | -| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. 
| -| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `tags` | object | | | Optional. Tags of the Automation Account resource. | -| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `automationAccountName` | string | | | Required. Name of the Automation Account | +| `baseTime` | string | `[utcNow('u')]` | | Optional. Time used as a basis for e.g. the schedule start date | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. 
| +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `jobSchedules` | array | `[]` | | Optional. List of jobSchedules to be created in the automation account | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[JobLogs, JobStreams, DscNodeStatus]` | `[JobLogs, JobStreams, DscNodeStatus]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `modules` | array | `[]` | | Optional. List of modules to be created in the automation account | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `runbooks` | array | `[]` | | Optional. List of runbooks to be created in the automation account | +| `sasTokenValidityLength` | string | `PT8H` | | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. 
| +| `schedules` | array | `[]` | | Optional. List of schedules to be created in the automation account | +| `skuName` | string | `Basic` | `[Free, Basic]` | Optional. SKU name of the account | +| `tags` | object | `{object}` | | Optional. Tags of the Automation Account resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `modules` 
@@ -205,22 +206,24 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------------- | :----- | :--------------------------------------------------------- | -| `automationAccountName` | string | The Name of the Automation Account. | -| `automationAccountResourceId` | string | The Resource Id of the Automation Account. | -| `automationAccountResourceGroup` | string | The Resource Group the Automation Account was deployed to. | -| `modules` | array | The array of the modules created. | -| `schedules` | array | The array of the schedules created. | -| `runbooks` | array | The array of the runbooks created. | -| `jobSchedules` | array | The array of the jobSchedules created. | - -## Considerations - -*N/A* - -## Additional resources - -- [An introduction to Azure Automation](https://docs.microsoft.com/en-us/azure/automation/automation-intro) -- [Microsoft.Automation automationAccounts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/allversions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +| Output Name | Type | +| :-- | :-- | +| `automationAccountName` | string | +| `automationAccountResourceGroup` | string | +| `automationAccountResourceId` | string | +| `jobSchedules` | array | +| `modules` | array | +| `runbooks` | array | +| `schedules` | array | + +## Template references + +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Automationaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2020-01-13-preview/automationAccounts) +- [Automationaccounts/Jobschedules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2020-01-13-preview/automationAccounts/jobSchedules) +- 
[Automationaccounts/Modules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2020-01-13-preview/automationAccounts/modules) +- [Automationaccounts/Runbooks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2019-06-01/automationAccounts/runbooks) +- [Automationaccounts/Schedules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2020-01-13-preview/automationAccounts/schedules) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.Automation/automationAccountsResources/softwareUpdateConfigurations/readme.md b/arm/Microsoft.Automation/automationAccountsResources/softwareUpdateConfigurations/readme.md index a5305c7ee1..18f385b954 100644 --- a/arm/Microsoft.Automation/automationAccountsResources/softwareUpdateConfigurations/readme.md +++ b/arm/Microsoft.Automation/automationAccountsResources/softwareUpdateConfigurations/readme.md 
@@ -1,60 +1,58 @@ -# Software Update Configuration +# Software Update Configuration `[Microsoft.Automation/automationAccountsResources/softwareUpdateConfigurations]` This module deploys a Software Update Configuration into an existing Automation Account. Also known as Patch Management, Update Management and patch deployment schedules. ## Resource types -| Resource Type | Api Version | -| :--------------------------------------------------------------------- | :---------- | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.Automation/automationAccounts/softwareUpdateConfigurations` | 2019-06-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Automation/automationAccounts/softwareUpdateConfigurations` | 2019-06-01 | ### Resource dependency The following resources are required to be able to deploy this resource. -- Microsoft.Automation/automationAccounts +- `Microsoft.Automation/automationAccounts` ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :------------------------ | :----- | :-------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `automationAccountName` | string | | | Required. Name of the Automation Account to deploy the schedule to. | -| `azureVirtualMachines` | array | [] | | Optional. List of azure resource Ids for azure virtual machines in scope for the deployment schedule. | -| `baseTime` | string | [utcNow('u')] | | Generated. Do not touch. 
Is used to provide the base time for time comparrison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `deploymentScheduleName` | string | | | Required. The name of the Deployment schedule. | -| `excludeUpdates` | array | [] | | Optional. KB numbers or Linux packages excluded in the deployment schedule. | -| `expiryTime` | string | | | Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | -| `expiryTimeOffsetMinutes` | int | 0 | | Optional. The expiry time's offset in minutes. | -| `frequency` | string | | "OneTime","Hour","Day","Week","Month" | Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | -| `includeUpdates` | array | [] | | Optional. KB numbers or Linux packages included in the deployment schedule. | -| `interval` | int | 0 | 0-100 | Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | -| `isEnabled` | bool | True | | Optional. Enables the deployment schedule. | -| `location` | string | [resourceGroup().location] | | Optional. Location for the resource. | -| `maintenanceWindow` | string | PT2H | [ISO 8601 Duration format](https://en.wikipedia.org/wiki/ISO_8601#Durations) | Required. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601 | -| `monthDays` | array | [] | 1-31 | Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. 
| -| `monthlyOccurrences` | array | [] | | Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | -| `nextRun` | string | | | Optional. The next run time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | -| `nextRunOffsetMinutes` | int | 0 | | Optional. The next run time's offset in minutes. | -| `nonAzureComputerNames` | array | [] | | Optional. List of names of non-azure machines in scope for the deployment schedule. | -| `nonAzureQueries` | array | [] | | Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | -| `operatingSystem` | string | | 'Windows', 'Linux' | Required. The operating system to be configured by the deployment schedule. | -| `postTaskParameters` | object | | | Optional. Parameters provided to the task running after the deployment schedule. | -| `postTaskSource` | string | | | Optional. The source of the task running after the deployment schedule. | -| `preTaskParameters` | object | | | Optional. Parameters provided to the task running before the deployment schedule. | -| `preTaskSource` | string | | | Optional. The source of the task running before the deployment schedule. | -| `rebootSetting` | string | | 'IfRequired', 'Never', 'RebootOnly', 'Always' | Required. Reboot setting for the deployment schedule. | -| `scheduleDescription` | string | | | Optional. The schedules description. | -| `scopeByLocations` | array | [] | | Optional. Specify locations to which to scope the deployment schedule to. | -| `scopeByResources` | array | [subscription().id] | ResourceIDs of subscriptions, resourceGroups and virtual machines | Optional. Specify the resources to scope the deployment schedule to. 
| -| `scopeByTags` | object | | | Optional. Specify tags to which to scope the deployment schedule to. | -| `scopeByTagsOperation` | string | All | 'All', 'Any' | Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). | -| `startTime` | string | | ISO 8601 [Date](https://en.wikipedia.org/wiki/ISO_8601#Dates) and [Time](https://en.wikipedia.org/wiki/ISO_8601#Times) format, YYYY-MM-DDTHH:MM:SS or HH:MM | Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. | -| `timeZone` | string | UTC | IANA ID or Windows Time Zone ID, i.e. Europe/London or America/New_York | Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | -| `updateClassifications` | array | ['Critical','Security'] | 'Critical', 'Security', 'UpdateRollup', 'FeaturePack', 'ServicePack', 'Definition', 'Tools', 'Updates', 'Other' | Optional. Update classification included in the deployment schedule. | -| `weekDays` | array | [] | 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday' | Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `automationAccountName` | string | | | Required. Name of the Automation Account to deploy the schedule to. | +| `azureVirtualMachines` | array | `[]` | | Optional. List of azure resource Ids for azure virtual machines in scope for the deployment schedule. | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not touch. Is used to provide the base time for time comparrison for startTime. 
If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `deploymentScheduleName` | string | | | Required. The name of the Deployment schedule. | +| `excludeUpdates` | array | `[]` | | Optional. KB numbers or Linux packages excluded in the deployment schedule. | +| `expiryTime` | string | | | Optional. The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | +| `expiryTimeOffsetMinutes` | int | | | Optional. The expiry time's offset in minutes. | +| `frequency` | string | | `[OneTime, Hour, Day, Week, Month]` | Required. The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | +| `includeUpdates` | array | `[]` | | Optional. KB numbers or Linux packages included in the deployment schedule. | +| `interval` | int | | | Optional. The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | +| `isEnabled` | bool | `True` | | Optional. Enables the deployment schedule. | +| `maintenanceWindow` | string | `PT2H` | | Required. Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601 | +| `monthDays` | array | `[]` | `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]` | Optional. Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. | +| `monthlyOccurrences` | array | `[]` | | Optional. Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. 
Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | +| `nextRun` | string | | | Optional. The next run time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00 | +| `nextRunOffsetMinutes` | int | | | Optional. The next run time's offset in minutes. | +| `nonAzureComputerNames` | array | `[]` | | Optional. List of names of non-azure machines in scope for the deployment schedule. | +| `nonAzureQueries` | array | `[]` | | Optional. Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | +| `operatingSystem` | string | | `[Windows, Linux]` | Required. The operating system to be configured by the deployment schedule. | +| `postTaskParameters` | object | `{object}` | | Optional. Parameters provided to the task running after the deployment schedule. | +| `postTaskSource` | string | | | Optional. The source of the task running after the deployment schedule. | +| `preTaskParameters` | object | `{object}` | | Optional. Parameters provided to the task running before the deployment schedule. | +| `preTaskSource` | string | | | Optional. The source of the task running before the deployment schedule. | +| `rebootSetting` | string | | `[IfRequired, Never, RebootOnly, Always]` | Required. Reboot setting for the deployment schedule. | +| `scheduleDescription` | string | | | Optional. The schedules description. | +| `scopeByLocations` | array | `[]` | | Optional. Specify locations to which to scope the deployment schedule to. | +| `scopeByResources` | array | `[[subscription().id]]` | | Optional. Specify the resources to scope the deployment schedule to. | +| `scopeByTags` | object | `{object}` | | Optional. Specify tags to which to scope the deployment schedule to. | +| `scopeByTagsOperation` | string | `All` | `[All, Any]` | Optional. Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). 
| +| `startTime` | string | | | Optional. The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. | +| `timeZone` | string | `UTC` | | Optional. Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | +| `updateClassifications` | array | `[Critical, Security]` | `[Critical, Security, UpdateRollup, FeaturePack, ServicePack, Definition, Tools, Updates, Other]` | Optional. Update classification included in the deployment schedule. | +| `weekDays` | array | `[]` | `[Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday]` | Optional. Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. | ### Parameter Usage: `scopeByTags` 
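Review bot: In the rewritten `softwareUpdateConfigurations` parameter table, `maintenanceWindow` is still described as "Required." while the table now shows a default of `PT2H`, and `scopeByResources` renders its default as `[[subscription().id]]` with doubled brackets; both come from the `@description` and default in deploy.bicep, so fix them at the source rather than in this generated readme. The defaults for `nextRunOffsetMinutes` and `expiryTimeOffsetMinutes` also changed from `0` to empty, which reads as a behaviour change; confirm the bicep defaults were not altered by the regeneration. The carried-over descriptions still contain typos ("comparrison", "occurance", "Specified the day") that should be corrected in the `@description` strings.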
@@ -103,19 +101,12 @@ Occurrences of days within a month. ## Outputs -| Output Name | Type | Description | -| :----------------------------------------- | :----- | :------------------------------------------------------------------------ | -| `softwareUpdateConfigurationName` | string | The name of the Software Update Configuration. | -| `softwareUpdateConfigurationResourceGroup` | string | The Resource Group the Software Update Configuration was deployed to. | -| `softwareUpdateConfigurationResourceId` | string | The Resource Id of the Software Update Configuration. | +| Output Name | Type | +| :-- | :-- | +| `softwareUpdateConfigurationName` | string | +| `softwareUpdateConfigurationResourceGroup` | string | +| `softwareUpdateConfigurationResourceId` | string | -## Considerations +## Template references -- *None* - -## Additional resources - -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts/softwareupdateconfigurations) -- [ISO 8601 Time format](https://en.wikipedia.org/wiki/ISO_8601) -- [IANA time zone list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) -- [Update classifications - Update Management | Microsoft Docs](https://docs.microsoft.com/en-us/azure/automation/update-management/overview#update-classifications) +- [Automationaccounts/Softwareupdateconfigurations](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Automation/2019-06-01/automationAccounts/softwareUpdateConfigurations) diff --git a/arm/Microsoft.Batch/batchAccounts/deploy.bicep b/arm/Microsoft.Batch/batchAccounts/deploy.bicep index 239ca5fd70..e0026f79fc 100644 --- a/arm/Microsoft.Batch/batchAccounts/deploy.bicep +++ b/arm/Microsoft.Batch/batchAccounts/deploy.bicep 
@@ -35,26 +35,40 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ServiceLog' +]) +param logsToEnable array = [ + 'ServiceLog' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } + days: diagnosticLogsRetentionInDays } -] -var diagnosticsLogs = [ - { - category: 'ServiceLog ' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' diff --git a/arm/Microsoft.Batch/batchAccounts/readme.md b/arm/Microsoft.Batch/batchAccounts/readme.md index b4d9cd07ce..e2914fc924 100644 --- a/arm/Microsoft.Batch/batchAccounts/readme.md +++ b/arm/Microsoft.Batch/batchAccounts/readme.md 
@@ -1,32 +1,29 @@ -# Batch Accounts +# Batch Accounts `[Microsoft.Batch/batchAccounts]` ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Batch/batchAccounts`|2020-03-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| - -### Resource dependency - -The following resources are required to be able to deploy this resource. +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Batch/batchAccounts` | 2020-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `batchAccountName` | string | Required. Name of the Azure Batch | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `tags` | object | Optional. Tags of the resource. 
| | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `batchAccountName` | string | | | Required. Name of the Azure Batch | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[ServiceLog]` | `[ServiceLog]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `tags` 
@@ -47,23 +44,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `batchAccountName` | string | The Name of the Azure Batch Account | -| `batchAccountPrimaryKey` | string | The Azure Batch Account Primary Key | -| `batchAccountResourceGroup` | string | The name of the Resource Group with the Azure Batch Account | -| `batchAccountResourceId` | string | The Resource Id of the Azure Batch Account | - -### References - -### Template references - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [BatchAccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Batch/2020-03-01/batchAccounts) - -## Considerations +| Output Name | Type | +| :-- | :-- | +| `batchAccountName` | string | +| `batchAccountPrimaryKey` | string | +| `batchAccountResourceGroup` | string | +| `batchAccountResourceId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [BatchAccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Batch/2020-03-01/batchAccounts) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Batchaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Batch/2020-09-01/batchAccounts) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep index f3571f36c4..963407983c 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep 
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? json('null') : privateEndpoint.customDnsConfigs) : json('null')) } -resource privateEndpoint_resource 'Microsoft.Network/privateEndpoints@2021-02-01' = { +resource privateEndpoint_resource 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags diff --git a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep index 50874975ab..ef7081f823 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep @@ -2,11 +2,10 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.CognitiveServices/accounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.CognitiveServices/accounts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) principalId: principalId } }] - diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 257487db6b..c1cb474781 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -110,35 +110,43 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Audit' + 'RequestResponse' +]) +param logsToEnable array = [ + 'Audit' + 'RequestResponse' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' ] -var diagnosticsLogs = [ - { - category: 'Audit' + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'RequestResponse' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 08014c4d75..76d9335e90 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -1,4 +1,4 @@ -# CognitiveServices +# CognitiveServices `[Microsoft.CognitiveServices/accounts]` This module deploys different kinds of Cognitive Services resources 
@@ -6,36 +6,37 @@ This module deploys different kinds of Cognitive Services resources | Resource Type | Api Version | | :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.CognitiveServices/accounts` | 2017-04-18 | -| `Microsoft.Insights/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.CognitiveServices/accounts/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.CognitiveServices/accounts/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | -| `Microsoft.Network/privateEndpoints` | 2021-02-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `accountName` | string | Required. The name of Cognitive Services account | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `customSubDomainName` | string | Optional. Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | | | -| `kind` | string | Required. Kind of the Cognitive Services. Use `Get-AzCognitiveServicesAccountSku` to determine a valid pairs of 'kind' and 'sku' for your Azure region. | | "AnomalyDetector", "Bing.Autosuggest.v7", "Bing.CustomSearch", "Bing.EntitySearch", "Bing.Search.v7", "Bing.SpellCheck.v7", "CognitiveServices", "ComputerVision" "ContentModerator", "CustomVision.Prediction", "CustomVision.Training", "Face", "FormRecognizer", "ImmersiveReader", "Internal.AllInOne", "LUIS", "LUIS.Authoring", "Personalizer", "QnAMaker", "SpeechServices", "TextAnalytics", "TextTranslation" | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `managedIdentity` | string | Optional. Type of managed service identity. | None | "None", "SystemAssigned" | -| `networkAcls` | object | Optional. Service endpoint object information | | | -| `publicNetworkAccess` | string | Optional. Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set. | Enabled | "Enabled", "Disabled" | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | [] | | -| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | | -| `sku` | string | Optional. SKU of the Cognitive Services resource. Use `Get-AzCognitiveServicesAccountSku` to determine a valid combinations of 'kind' and 'sku' for your Azure region. 
| S0 | "C2", "C3", "C4", "F0", "F1", "S", "S0", "S1", "S10", "S2", "S3", "S4", "S5", "S6", "S7", "S8", "S9" | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `accountName` | string | | | Required. The name of Cognitive Services account | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customSubDomainName` | string | | | Optional. Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `kind` | string | | `[AnomalyDetector, Bing.Autosuggest.v7, Bing.CustomSearch, Bing.EntitySearch, Bing.Search.v7, Bing.SpellCheck.v7, CognitiveServices, ComputerVision, ContentModerator, CustomVision.Prediction, CustomVision.Training, Face, FormRecognizer, ImmersiveReader, Internal.AllInOne, LUIS, LUIS.Authoring, Personalizer, QnAMaker, SpeechServices, TextAnalytics, TextTranslation]` | Required. Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. 
Specify the type of lock. | +| `logsToEnable` | array | `[Audit, RequestResponse]` | `[Audit, RequestResponse]` | Optional. The name of logs that will be streamed. | +| `managedIdentity` | string | `None` | `[None, SystemAssigned]` | Optional. Type of managed service identity. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `Enabled` | `[Enabled, Disabled]` | Optional. Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sku` | string | `S0` | `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` | Optional. SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
@@ -141,32 +142,23 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `cognitiveServicesEndpoint` | string | Cognitive Services Endpoint | -| `cognitiveServicesKey1` | string | Cognitive Services Key1 | -| `cognitiveServicesKey2` | string | Cognitive Services Key2 | -| `cognitiveServicesKeys` | object | Cognitive Services Keys | -| `cognitiveServicesName` | string | The Name of the Cognitive Services | -| `cognitiveServicesResourceGroup` | string | The name of the Resource Group with the Cognitive Services | -| `cognitiveServicesResourceId` | string | The Resource Id of the Cognitive Services | -| `principalId` | string | Cognitive Services identity Principal ID (if applicable). | +| Output Name | Type | +| :-- | :-- | +| `cognitiveServicesEndpoint` | string | +| `cognitiveServicesName` | string | +| `cognitiveServicesResourceGroup` | string | +| `cognitiveServicesResourceId` | string | +| `principalId` | string | ## Considerations - Not all combinations of parameters `kind` and `sku` are valid and they may vary in different Azure Regions. Please use PowerShell CmdLet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. - Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services. 
-### References - -#### Template references - -- [Cognitive Services Accounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2017-04-18/accounts) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) - -## Additional resources +## Template references -- [What are Azure Cognitive Services?](https://docs.microsoft.com/en-us/azure/cognitive-services/welcome) -- [Get-AzCognitiveServicesAccountSku](https://docs.microsoft.com/en-us/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccountsku) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Cognitive Services virtual networks](https://docs.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Accounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2017-04-18/accounts) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep index 5794fba1fa..2d0cb108bc 100644 --- a/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/availabilitySets/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/availabilitySets/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Compute/availabilitySets/readme.md b/arm/Microsoft.Compute/availabilitySets/readme.md index 901239e1d8..c5232c57e6 100644 --- a/arm/Microsoft.Compute/availabilitySets/readme.md +++ b/arm/Microsoft.Compute/availabilitySets/readme.md 
@@ -1,30 +1,29 @@ -# AvailabilitySet +# AvailabilitySet `[Microsoft.Compute/availabilitySets]` This template deploys an Availability Set ## Resource types -| Resource Type | ApiVersion | -| :------------------------------------------------------------- | :----------------- | -| `Microsoft.Compute/availabilitySets` | 2021-04-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Compute/availabilitySets/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Compute/availabilitySets` | 2021-04-01 | +| `Microsoft.Compute/availabilitySets/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :---------------------------- | :----- | :------------ | :---------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `availabilitySetName` | string | | | Optional. The name of the availability set that is being created. | -| `availabilitySetFaultDomain` | int | 2 | | Optional. The number of fault domains to use. | -| `availabilitySetUpdateDomain` | int | 5 | | Optional. The number of update domains to use. | -| `availabilitySetSku` | string | Aligned | | Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks. | -| `proximityPlacementGroupId` | string | | | Optional. Resource Id of a proximity placement group. | -| `location` | string | | | Optional. 
Resource location. | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `tags` | object | | | Optional. Tags of the availability set resource. | -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `availabilitySetFaultDomain` | int | `2` | | Optional. The number of fault domains to use. | +| `availabilitySetName` | string | | | Required. The name of the availability set that is being created. | +| `availabilitySetSku` | string | `Aligned` | | Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks. | +| `availabilitySetUpdateDomain` | int | `5` | | Optional. The number of update domains to use. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Resource location. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `proximityPlacementGroupId` | string | | | Optional. Resource Id of a proximity placement group. | +| `roleAssignments` | array | `[]` | | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the availability set resource. | ### Parameter Usage: `roleAssignments` @@ -67,16 +66,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :----------------------------- | :----- | :------------------------------------------------------- | -| `availabilitySetResourceName` | string | The Name of the Availability Set. | -| `availabilitySetResourceId` | string | The Resource Id of the Availability Set. | -| `availabilitySetResourceGroup` | string | The Resource Group the Availability Set was deployed to. | +| Output Name | Type | +| :-- | :-- | +| `availabilitySetResourceGroup` | string | +| `availabilitySetResourceId` | string | +| `availabilitySetResourceName` | string | -## Considerations +## Template references -N/A - -## Additional resources - -- [Microsoft.Compute availabilitySets template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/availabilitysets) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Availabilitysets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/availabilitySets) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep index 7aa63452ab..aa5c124ac4 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/diskEncryptionSets/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/diskEncryptionSets/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md index c50b0d5f45..b26a18b9e3 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md 
@@ -1,28 +1,27 @@ -# DiskEncryptionSet +# DiskEncryptionSet `[Microsoft.Compute/diskEncryptionSets]` This template deploys a Disk Encryption Set ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.KeyVault/vaults/accessPolicies`|2019-09-01| -|`Microsoft.Compute/diskEncryptionSets`|2020-12-01| -|`Microsoft.Compute/diskEncryptionSets/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Compute/diskEncryptionSets` | 2020-12-01 | +| `Microsoft.Compute/diskEncryptionSets/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.KeyVault/vaults/accessPolicies` | 2019-09-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diskEncryptionSetName` | string | Required. The name of the disk encryption set that is being created. | | | -| `keyUrl` | string | Required. Key Url (with version) pointing to a key or secret in KeyVault. | | | -| `keyVaultId` | string | Required. Resource id of the KeyVault containing the key or secret. | | | -| `location` | string | Optional. Resource location. | [resourceGroup().location] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the Automation Account resource. | | | +| `cuaId` | string | | | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diskEncryptionSetName` | string | | | Required. The name of the disk encryption set that is being created. | +| `keyUrl` | string | | | Required. Key Url (with version) pointing to a key or secret in KeyVault. | +| `keyVaultId` | string | | | Required. Resource id of the KeyVault containing the key or secret. | +| `location` | string | `[resourceGroup().location]` | | Optional. Resource location. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the Automation Account resource. | ### Parameter Usage: `roleAssignments` 
@@ -72,17 +71,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `diskEncryptionResourceGroup` | string | Name of the Resource Group. | -| `diskEncryptionSetResourceId` | string | Resourece ID of the resource. | -| `keyVaultName` | string | Name of the KeyVault. | -| `principalId` | string | Principal ID. | +| Output Name | Type | +| :-- | :-- | +| `diskEncryptionResourceGroup` | string | +| `diskEncryptionSetResourceId` | string | +| `keyVaultName` | string | +| `principalId` | string | -## Considerations +## Template references -N/A - -## Additional resources - -- [Microsoft.Compute diskEncryptionSets template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2020-12-01/diskencryptionsets) +- [Diskencryptionsets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/diskEncryptionSets) +- [Vaults/Accesspolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/accessPolicies) diff --git a/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep index 69e4a5a6be..292a0c5b07 100644 --- a/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/galleries/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/galleries/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { 
diff --git a/arm/Microsoft.Compute/galleries/readme.md b/arm/Microsoft.Compute/galleries/readme.md index c9c3de5e03..cba7746beb 100644 --- a/arm/Microsoft.Compute/galleries/readme.md +++ b/arm/Microsoft.Compute/galleries/readme.md 
@@ -1,28 +1,27 @@ -# Shared Image Gallery +# Shared Image Gallery `[Microsoft.Compute/galleries]` This module deploys Share Image Gallery, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Compute/galleries`|2020-09-30| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Compute/galleries/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Compute/galleries` | 2020-09-30 | +| `Microsoft.Compute/galleries/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `galleryDescription` | string | Optional. Description of the Azure Shared Image Gallery | | | -| `galleryName` | string | Required. Name of the Azure Shared Image Gallery | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags for all resources. | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `galleryDescription` | string | | | Optional. Description of the Azure Shared Image Gallery | +| `galleryName` | string | | | Required. Name of the Azure Shared Image Gallery | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags for all resources. | ### Parameter Usage: `roleAssignments` 
@@ -72,18 +71,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `galleryName` | string | The Name of the Shared Image Gallery. | -| `galleryResourceGroup` | string | The name of the Resource Group the Shared Image Gallery was created in.| -| `galleryResourceId` | string | The Resource Id of the Shared Image Gallery. | +| Output Name | Type | +| :-- | :-- | +| `galleryName` | string | +| `galleryResourceGroup` | string | +| `galleryResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Shared Image Galleries overview](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/shared-image-galleries) -- [Microsoft.Compute galleries template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/galleries) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Galleries](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-09-30/galleries) diff --git a/arm/Microsoft.Compute/galleriesResources/images/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/galleriesResources/images/.bicep/nested_rbac.bicep index 934d961288..2df5fea701 100644 --- a/arm/Microsoft.Compute/galleriesResources/images/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/galleriesResources/images/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/galleries/images/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/galleries/images/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Compute/galleriesResources/images/readme.md b/arm/Microsoft.Compute/galleriesResources/images/readme.md index f68bb04f6f..fe904b42db 100644 --- a/arm/Microsoft.Compute/galleriesResources/images/readme.md +++ b/arm/Microsoft.Compute/galleriesResources/images/readme.md 
@@ -1,44 +1,43 @@ -# Shared Image Definition +# Shared Image Definition `[Microsoft.Compute/galleriesResources/images]` This module deploys an Image Definition in a Shared Image Gallery. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Compute/galleries/images`|2020-09-30| -|`Microsoft.Compute/galleries/images/providers/roleAssignments`|2020-04-01-preview| -|`Microsoft.Resources/deployments`|2020-06-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Compute/galleries/images` | 2020-09-30 | +| `Microsoft.Compute/galleries/images/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `endOfLife` | string | Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z | | | -| `eula` | string | Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL. | | | -| `excludedDiskTypes` | array | Optional. List of the excluded disk types. E.g. Standard_LRS | System.Object[] | | -| `galleryName` | string | Required. Name of the Azure Shared Image Gallery | | | -| `hyperVGeneration` | string | Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only. - V1 or V2 | V1 | System.Object[] | -| `imageDefinitionDescription` | string | Optional. The description of this gallery Image Definition resource. This property is updatable. | | | -| `imageDefinitionName` | string | Required. Name of the image definition. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `maxRecommendedMemory` | int | Optional. The maximum amount of RAM in GB recommended for this image. | 16 | | -| `maxRecommendedvCPUs` | int | Optional. 
The maximum number of the CPU cores recommended for this image. | 4 | | -| `minRecommendedMemory` | int | Optional. The minimum amount of RAM in GB recommended for this image. | 4 | | -| `minRecommendedvCPUs` | int | Optional. The minimum number of the CPU cores recommended for this image. | 1 | | -| `offer` | string | Optional. The name of the gallery Image Definition offer. | WindowsServer | | -| `osState` | string | Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | Generalized | System.Object[] | -| `osType` | string | Optional. OS type of the image to be created. | Windows | System.Object[] | -| `planName` | string | Optional. The plan ID. | | | -| `planPublisherName` | string | Optional. The publisher ID. | | | -| `privacyStatementUri` | string | Optional. The privacy statement uri. Has to be a valid URL. | | | -| `productName` | string | Optional. The product ID. | | | -| `publisher` | string | Optional. The name of the gallery Image Definition publisher. | MicrosoftWindowsServer | | -| `releaseNoteUri` | string | Optional. The release note uri. Has to be a valid URL. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `sku` | string | Optional. The name of the gallery Image Definition SKU. | 2019-Datacenter | | -| `tags` | object | Optional. Tags for all resources. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `endOfLife` | string | | | Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z | +| `eula` | string | | | Optional. The Eula agreement for the gallery Image Definition. Has to be a valid URL. | +| `excludedDiskTypes` | array | `[]` | | Optional. List of the excluded disk types. E.g. Standard_LRS | +| `galleryName` | string | | | Required. Name of the Azure Shared Image Gallery | +| `hyperVGeneration` | string | `V1` | `[V1, V2]` | Optional. The hypervisor generation of the Virtual Machine. Applicable to OS disks only. - V1 or V2 | +| `imageDefinitionDescription` | string | | | Optional. The description of this gallery Image Definition resource. This property is updatable. | +| `imageDefinitionName` | string | | | Required. Name of the image definition. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `maxRecommendedMemory` | int | `16` | | Optional. The maximum amount of RAM in GB recommended for this image. | +| `maxRecommendedvCPUs` | int | `4` | | Optional. The maximum number of the CPU cores recommended for this image. | +| `minRecommendedMemory` | int | `4` | | Optional. The minimum amount of RAM in GB recommended for this image. | +| `minRecommendedvCPUs` | int | `1` | | Optional. The minimum number of the CPU cores recommended for this image. | +| `offer` | string | `WindowsServer` | | Optional. The name of the gallery Image Definition offer. | +| `osState` | string | `Generalized` | `[Generalized, Specialized]` | Optional. This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | +| `osType` | string | `Windows` | `[Windows, Linux]` | Optional. OS type of the image to be created. | +| `planName` | string | | | Optional. The plan ID. 
| +| `planPublisherName` | string | | | Optional. The publisher ID. | +| `privacyStatementUri` | string | | | Optional. The privacy statement uri. Has to be a valid URL. | +| `productName` | string | | | Optional. The product ID. | +| `publisher` | string | `MicrosoftWindowsServer` | | Optional. The name of the gallery Image Definition publisher. | +| `releaseNoteUri` | string | | | Optional. The release note uri. Has to be a valid URL. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sku` | string | `2019-Datacenter` | | Optional. The name of the gallery Image Definition SKU. | +| `tags` | object | `{object}` | | Optional. Tags for all resources. | ### Parameter Usage: `roleAssignments` 
@@ -88,20 +87,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `galleryName` | string | The Name of the Shared Image Gallery. | -| `galleryResourceGroup` | string | The name of the Resource Group the Shared Image Gallery was created in. | -| `galleryResourceId` | string | The Resource Id of the Shared Image Gallery. | -| `imageDefinitionName` | string | The Name of the Shared Image Definition. | -| `imageDefinitionResourceId` | string | The Resource Id of the Shared Image Definition. | +| Output Name | Type | +| :-- | :-- | +| `galleryImageName` | string | +| `galleryImageResourceId` | string | +| `galleryName` | string | +| `galleryResourceGroup` | string | +| `galleryResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Shared Image Galleries overview](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/shared-image-galleries) -- [Microsoft.Compute galleries/images template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/galleries/images) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Galleries/Images](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-09-30/galleries/images) diff --git a/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep index 0bce0456b2..3293b31f55 100644 --- a/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/images/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/images/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Compute/images/readme.md b/arm/Microsoft.Compute/images/readme.md index 34329fce5f..ce5c5cdc85 100644 --- a/arm/Microsoft.Compute/images/readme.md +++ b/arm/Microsoft.Compute/images/readme.md 
@@ -1,31 +1,30 @@ -# Image +# Image `[Microsoft.Compute/images]` This module deploys Images. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Compute/images`|2021-04-01| -|`Microsoft.Compute/images/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Compute/images` | 2021-04-01 | +| `Microsoft.Compute/images/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `hyperVGeneration` | string | Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2 | V1 | | -| `imageName` | string | Required. The name of the image. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `osAccountType` | string | Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS | Premium_LRS | | -| `osDiskBlobUri` | string | Required. The Virtual Hard Disk. | | | -| `osDiskCaching` | string | Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite | ReadWrite | | -| `osType` | string | Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux | Windows | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `zoneResilient` | bool | Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | False | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `hyperVGeneration` | string | `V1` | | Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2 | +| `imageName` | string | | | Required. The name of the image. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `osAccountType` | string | | | Optional. Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS | +| `osDiskBlobUri` | string | | | Required. The Virtual Hard Disk. | +| `osDiskCaching` | string | | | Optional. Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite | +| `osType` | string | | | Required. This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `zoneResilient` | bool | | | Optional. Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | ### Parameter Usage: `roleAssignments` @@ -75,19 +74,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `imageName` | string | The Name of the resource. | -| `imageResourceGroup` | string | The name of the Resource Group the resource was created in. | -| `imageResourceId` | string | Resource ID | +| Output Name | Type | +| :-- | :-- | +| `imageName` | string | +| `imageResourceGroup` | string | +| `imageResourceId` | string | -## Considerations - -*N/A* - -## Additional resources - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Images](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-03-01/images) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +## Template references +- [Images](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/images) diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep index ae8894c71d..a1069c1ec4 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/proximityPlacementGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/proximityPlacementGroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/readme.md b/arm/Microsoft.Compute/proximityPlacementGroups/readme.md index 54da200c87..cc1fea1f74 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/readme.md +++ b/arm/Microsoft.Compute/proximityPlacementGroups/readme.md 
@@ -1,27 +1,26 @@ -# ProximityPlacementGroup +# ProximityPlacementGroup `[Microsoft.Compute/proximityPlacementGroups]` This template deploys a Proximity Placement Group ## Resource types -| Resource Type | ApiVersion | -| :--------------------------------------------------------------------- | :----------------- | -| `Microsoft.Compute/proximityPlacementGroups` | 2021-04-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Compute/proximityPlacementGroups/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Compute/proximityPlacementGroups` | 2021-04-01 | +| `Microsoft.Compute/proximityPlacementGroups/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :---------------------------- | :----- | :------------ | :---------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `proximityPlacementGroupName` | string | | | Required. The name of the proximity placement group that is being created. | -| `proximityPlacementGroupType` | string | `Standard` | `Standard`/`Ultra` | Optional. Specifies the type of the proximity placement group. | -| `location` | string | | | Optional. Resource location. | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `tags` | object | | | Optional. Tags of the proximity placement group resource. | -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Resource location. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `proximityPlacementGroupName` | string | | | Required. The name of the proximity placement group that is being created. | +| `proximityPlacementGroupType` | string | `Standard` | `[Standard, Ultra]` | Optional. Specifies the type of the proximity placement group. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the proximity placement group resource. | ### Parameter Usage: `roleAssignments` 
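Review bot: In the rewritten Parameters table the `tags` default is rendered as `{object}`, which reads as a literal value rather than as an empty object; if the parameter defaults to `{}` in deploy.bicep, show `{}` (or leave the cell blank, as the `cuaId` row now does). In the Resource types table the `Microsoft.Resources/deployments` row has been dropped even though role assignments are still deployed through `.bicep/nested_rbac.bicep`, which compiles to a nested deployment; either add the row back or state that the generator lists only the resources declared directly in deploy.bicep.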
@@ -64,16 +63,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------------------- | :----- | :---------------------------------------------------------------- | -| `proximityPlacementGroupResourceName` | string | The Name of the Proximity Placement Group. | -| `proximityPlacementGroupResourceId` | string | The Resource Id of the Proximity Placement Group. | -| `proximityPlacementGroupResourceGroup` | string | The Resource Group the Proximity Placement Group was deployed to. | +| Output Name | Type | +| :-- | :-- | +| `proximityPlacementGroupResourceGroup` | string | +| `proximityPlacementGroupResourceId` | string | +| `proximityPlacementGroupResourceName` | string | -## Considerations +## Template references -N/A - -## Additional resources - -- [Microsoft.Compute proximityPlacementGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/proximityPlacementGroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Proximityplacementgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/proximityPlacementGroups) diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep index f87dcfbd16..1466c1f401 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep index 344d1a8ec6..8a69f46aa3 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep @@ -327,6 +327,24 @@ param managedIdentityType string = '' @description('Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: \'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}\'.') param managedIdentityIdentities object = {} +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var publicKeysFormatted = [for publicKey in publicKeys: { path: publicKey.path keyData: publicKey.keyData 
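Review bot: In the `@@ -327,6 +327,24 @@` deploy.bicep hunk, `metricsToEnable` is declared with `@allowed(['AllMetrics'])` and the same single value as its default, so the parameter cannot currently take any other value; document that `AllMetrics` is the only metric category the scale set exposes, or widen the allowed list once more categories are supported. Two smaller points in the same hunk: the description 'The name of metrics that will be streamed.' should read 'The names of the metrics that will be streamed.', and `retentionPolicy.days` reuses `diagnosticLogsRetentionInDays` for metrics, which is fine but deserves a comment, since the retention policy is only honoured when the diagnostic destination is a storage account.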
@@ -346,17 +364,7 @@ var windowsConfiguration = { additionalUnattendContent: (empty(additionalUnattendContent) ? json('null') : additionalUnattendContent) winRM: (empty(winRMListeners) ? json('null') : json('{"listeners": "${winRMListeners}"}')) } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] + var accountSasProperties = { signedServices: 'b' signedPermission: 'r' @@ -364,7 +372,6 @@ var accountSasProperties = { signedResourceTypes: 'o' signedProtocol: 'https' } -var diagnosticLogs = [] var pidName_var = 'pid-${cuaId}' var builtInRoleNames = { 'Avere Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' @@ -520,7 +527,7 @@ resource vmss_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'Not scope: vmss } -resource vmss_DomainJoin 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (!empty(domainName)) { +resource vmss_DomainJoin 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (!empty(domainName)) { parent: vmss name: 'DomainJoin' properties: { @@ -541,7 +548,7 @@ resource vmss_DomainJoin 'Microsoft.Compute/virtualMachineScaleSets/extensions@2 } } -resource vmss_MicrosoftAntiMalware 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableMicrosoftAntiMalware) { +resource vmss_MicrosoftAntiMalware 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableMicrosoftAntiMalware) { parent: vmss name: 'MicrosoftAntiMalware' properties: { 
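Review bot: In the `@@ -346,17 +364,7 @@` hunk the context line `winRM: (empty(winRMListeners) ? json('null') : json('{"listeners": "${winRMListeners}"}'))` interpolates an object parameter into a quoted JSON string, so `listeners` ends up as a string (or fails to compile) instead of the listener array a WinRMConfiguration expects; while this block is being edited, either pass the object through directly if `winRMListeners` is already a full WinRMConfiguration, or build it as an object literal, e.g. `winRM: (empty(winRMListeners) ? json('null') : { listeners: winRMListeners })`. The same hunk also leaves a stray empty `+` line where `var diagnosticsMetrics` used to be, which can be dropped.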
@@ -556,7 +563,7 @@ resource vmss_MicrosoftAntiMalware 'Microsoft.Compute/virtualMachineScaleSets/ex ] } -resource vmss_WindowsMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableWindowsMMAAgent) { +resource vmss_WindowsMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableWindowsMMAAgent) { parent: vmss name: 'WindowsMMAAgent' properties: { @@ -576,7 +583,7 @@ resource vmss_WindowsMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extensi ] } -resource vmss_LinuxMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableLinuxMMAAgent) { +resource vmss_LinuxMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableLinuxMMAAgent) { parent: vmss name: 'LinuxMMAAgent' properties: { @@ -596,7 +603,7 @@ resource vmss_LinuxMMAAgent 'Microsoft.Compute/virtualMachineScaleSets/extension ] } -resource vmss_WindowsDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/extensions@2019-07-01' = if (enableWindowsDiskEncryption) { +resource vmss_WindowsDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableWindowsDiskEncryption) { parent: vmss name: 'WindowsDiskEncryption' properties: { @@ -621,7 +628,7 @@ resource vmss_WindowsDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/e ] } -resource vmss_LinuxDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableLinuxDiskEncryption) { +resource vmss_LinuxDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableLinuxDiskEncryption) { parent: vmss name: 'LinuxDiskEncryption' properties: { 
@@ -645,7 +652,7 @@ resource vmss_LinuxDiskEncryption 'Microsoft.Compute/virtualMachineScaleSets/ext ] } -resource vmss_DependencyAgentWindows 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableWindowsDependencyAgent) { +resource vmss_DependencyAgentWindows 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableWindowsDependencyAgent) { parent: vmss name: 'DependencyAgentWindows' properties: { @@ -659,7 +666,7 @@ resource vmss_DependencyAgentWindows 'Microsoft.Compute/virtualMachineScaleSets/ ] } -resource vmss_DependencyAgentLinux 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableLinuxDependencyAgent) { +resource vmss_DependencyAgentLinux 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableLinuxDependencyAgent) { parent: vmss name: 'DependencyAgentLinux' properties: { @@ -673,7 +680,7 @@ resource vmss_DependencyAgentLinux 'Microsoft.Compute/virtualMachineScaleSets/ex ] } -resource vmss_NetworkWatcherAgentWindows 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableNetworkWatcherWindows) { +resource vmss_NetworkWatcherAgentWindows 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableNetworkWatcherWindows) { parent: vmss name: 'NetworkWatcherAgentWindows' properties: { @@ -688,7 +695,7 @@ resource vmss_NetworkWatcherAgentWindows 'Microsoft.Compute/virtualMachineScaleS ] } -resource vmss_NetworkWatcherAgentLinux 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (enableNetworkWatcherLinux) { +resource vmss_NetworkWatcherAgentLinux 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (enableNetworkWatcherLinux) { parent: vmss name: 'NetworkWatcherAgentLinux' properties: { 
@@ -703,7 +710,7 @@ resource vmss_NetworkWatcherAgentLinux 'Microsoft.Compute/virtualMachineScaleSet ] } -resource vmss_windowsDsc 'Microsoft.Compute/virtualMachineScaleSets/extensions@2020-06-01' = if (!empty(dscConfiguration)) { +resource vmss_windowsDsc 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if (!empty(dscConfiguration)) { parent: vmss name: 'windowsDsc' properties: { @@ -719,7 +726,7 @@ resource vmss_windowsDsc 'Microsoft.Compute/virtualMachineScaleSets/extensions@2 ] } -resource vmss_WindowsCustomScriptExtension 'Microsoft.Compute/virtualMachineScaleSets/extensions@2019-07-01' = if ((!empty(windowsScriptExtensionFileData)) && (!empty(windowsScriptExtensionCommandToExecute))) { +resource vmss_WindowsCustomScriptExtension 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = if ((!empty(windowsScriptExtensionFileData)) && (!empty(windowsScriptExtensionCommandToExecute))) { parent: vmss name: 'WindowsCustomScriptExtension' properties: { @@ -750,7 +757,6 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05- eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) - logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticLogs) } scope: vmss } diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json deleted file mode 100644 index 03b34a01d3..0000000000 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.json +++ /dev/null 
@@ -1,1299 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "vmssName": { - "type": "string", - "metadata": { - "description": "Optional. Name of the VMSS." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "imageReference": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image." - } - }, - "plan": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use." - } - }, - "osDisk": { - "type": "object", - "metadata": { - "description": "Required. Specifies the OS disk." - } - }, - "dataDisks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the data disks." - } - }, - "ultraSSDEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled." - } - }, - "adminUsername": { - "type": "securestring", - "metadata": { - "description": "Required. Administrator username" - } - }, - "adminPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Required. 
When specifying a Windows Virtual Machine, this value should be passed" - } - }, - "customData": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format." - } - }, - "roleAssignments": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "scaleSetFaultDomain": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "Optional. Fault Domain count for each placement group." - } - }, - "proximityPlacementGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Creates an proximity placement group and adds the VMs to it." - } - }, - "proximityPlacementGroupType": { - "type": "string", - "allowedValues": [ - "Standard", - "Ultra" - ], - "defaultValue": "Standard", - "metadata": { - "description": "Optional. Specifies the type of the proximity placement group." - } - }, - "nicConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Required. Configures NICs and PIPs." - } - }, - "vmPriority": { - "type": "string", - "defaultValue": "Regular", - "allowedValues": [ - "Regular", - "Low", - "Spot" - ], - "metadata": { - "description": "Optional. Specifies the priority for the virtual machine." - } - }, - "enableEvictionPolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies the eviction policy for the low priority virtual machine. 
Will result in 'Deallocate' eviction policy." - } - }, - "maxPriceForLowPriorityVm": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." - } - }, - "licenseType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Windows_Client", - "Windows_Server", - "" - ], - "metadata": { - "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system." - } - }, - "enableMicrosoftAntiMalware": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables Microsoft Windows Defender AV." - } - }, - "microsoftAntiMalwareSettings": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Settings for Microsoft Windows Defender AV extension." - } - }, - "enableWindowsMMAAgent": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if MMA agent for Windows VM should be enabled." - } - }, - "enableLinuxMMAAgent": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if MMA agent for Linux VM should be enabled." - } - }, - "enableWindowsDependencyAgent": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled." - } - }, - "enableLinuxDependencyAgent": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled." - } - }, - "enableNetworkWatcherWindows": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Specifies if Azure Network Watcher Agent for Windows VM should be enabled." - } - }, - "enableNetworkWatcherLinux": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled." - } - }, - "enableWindowsDiskEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." - } - }, - "enableServerSideEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key." - } - }, - "enableLinuxDiskEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well." - } - }, - "diskKeyEncryptionAlgorithm": { - "type": "string", - "defaultValue": "RSA-OAEP", - "allowedValues": [ - "RSA-OAEP", - "RSA-OAEP-256", - "RSA1_5" - ], - "metadata": { - "description": "Optional. Specifies disk key encryption algorithm." - } - }, - "keyEncryptionKeyURL": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key" - } - }, - "keyVaultUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides" - } - }, - "keyVaultId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides" - } - }, - "diskEncryptionVolumeType": { - "type": "string", - "defaultValue": "All", - "allowedValues": [ - "OS", - "Data", - "All" - ], - "metadata": { - "description": "Optional. 
Type of the volume OS or Data to perform encryption operation" - } - }, - "forceUpdateTag": { - "type": "string", - "defaultValue": "1.0", - "metadata": { - "description": "Optional. Pass in an unique value like a GUID everytime the operation needs to be force run" - } - }, - "resizeOSDisk": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume" - } - }, - "windowsScriptExtensionFileData": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM." - } - }, - "windowsScriptExtensionCommandToExecute": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the command that should be run on a Windows VM." - } - }, - "cseStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the storage account to access for the CSE script(s)." - } - }, - "cseStorageAccountKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The storage key of the storage account to access for the CSE script(s)." - } - }, - "cseManagedIdentity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. A managed identity to use for the CSE." - } - }, - "domainName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only" - } - }, - "domainJoinUser": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Mandatory if domainName is specified. User used for the join to the domain. 
Format: username@domainFQDN" - } - }, - "domainJoinOU": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: \"OU=testOU; DC=domain; DC=Domain; DC=com\"" - } - }, - "domainJoinPassword": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter" - } - }, - "domainJoinRestart": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Controls the restart of vm after executing domain join" - } - }, - "domainJoinOptions": { - "type": "int", - "defaultValue": 3, - "metadata": { - "description": "Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx" - } - }, - "dscConfiguration": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. The DSC configuration object" - } - }, - "bootDiagnosticStorageAccountUri": { - "type": "string", - "defaultValue": ".blob.core.windows.net/", - "metadata": { - "description": "Optional. Storage account boot diagnostic base URI." - } - }, - "bootDiagnosticStorageAccountName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock VM from deletion." - } - }, - "upgradePolicyMode": { - "defaultValue": "Manual", - "type": "string", - "allowedValues": [ - "Manual", - "Automatic", - "Rolling" - ], - "metadata": { - "description": "Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling" - } - }, - "maxBatchInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. 
As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability." - } - }, - "maxUnhealthyInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch" - } - }, - "maxUnhealthyUpgradedInstancePercent": { - "type": "int", - "defaultValue": 20, - "metadata": { - "description": "Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch." - } - }, - "pauseTimeBetweenBatches": { - "type": "string", - "defaultValue": "PT0S", - "metadata": { - "description": "Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format" - } - }, - "enableAutomaticOSUpgrade": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true." - } - }, - "disableAutomaticRollback": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Whether OS image rollback feature should be disabled." - } - }, - "automaticRepairsPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set." - } - }, - "gracePeriod": { - "type": "string", - "defaultValue": "PT30M", - "metadata": { - "description": "Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M)." - } - }, - "vmNamePrefix": { - "type": "string", - "defaultValue": "vmssvm", - "minLength": 1, - "maxLength": 15, - "metadata": { - "description": "Optional. Specifies the computer name prefix for all of the virtual machines in the scale set." - } - }, - "provisionVMAgent": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later." - } - }, - "enableAutomaticUpdates": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning." - } - }, - "timeZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. 
Possible values can be TimeZoneInfo.Id value from time zones returned by TimeZoneInfo.GetSystemTimeZones." - } - }, - "additionalUnattendContent": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object" - } - }, - "winRMListeners": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object." - } - }, - "disablePasswordAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether password authentication should be disabled." - } - }, - "publicKeys": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs" - } - }, - "secrets": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set." - } - }, - "scheduledEventsProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Specifies Scheduled Event related configurations" - } - }, - "overprovision": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned." - } - }, - "doNotRunExtensionsOnOverprovisionedVMs": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs." 
- } - }, - "zoneBalance": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage." - } - }, - "singlePlacementGroup": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true." - } - }, - "scaleInPolicy": { - "type": "object", - "defaultValue": { - "rules": [ - "Default" - ] - }, - "metadata": { - "description": "Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in" - } - }, - "instanceSize": { - "type": "string", - "defaultValue": {}, - "metadata": { - "description": "Optional. The SKU size of the VMs." - } - }, - "instanceCount": { - "type": "int", - "defaultValue": 1, - "metadata": { - "description": "Optional. The initial instance count of scale set VMs." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - }, - "osType": { - "type": "string", - "allowedValues": [ - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. The chosen OS type" - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. 
Do not provide a value! This date value is used to generate a registration token." - } - }, - "sasTokenValidityLength": { - "defaultValue": "PT8H", - "type": "string", - "metadata": { - "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." - } - }, - "managedIdentityType": { - "type": "string", - "allowedValues": [ - "SystemAssigned", - "UserAssigned", - "None", - "" - ], - "defaultValue": "", - "metadata": { - "description": "Optional. The type of identity used for the virtual machine scale set. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine scale set. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None" - } - }, - "managedIdentityIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'." 
- } - } - }, - "variables": { - "linuxConfiguration": { - "disablePasswordAuthentication": "[parameters('disablePasswordAuthentication')]", - "ssh": { - "copy": [ - { - "name": "publicKeys", - "count": "[length(parameters('publicKeys'))]", - "input": { - "path": "[parameters('publicKeys')[copyIndex('publicKeys')].path]", - "keyData": "[parameters('publicKeys')[copyIndex('publicKeys')].keyData]" - } - } - ] - }, - "provisionVMAgent": "[parameters('provisionVMAgent')]" - }, - "windowsConfiguration": { - "provisionVMAgent": "[parameters('provisionVMAgent')]", - "enableAutomaticUpdates": "[ parameters('enableAutomaticUpdates')]", - "timeZone": "[if(empty(parameters('timeZone')), json('null'), parameters('timeZone'))]", - "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), json('null'), parameters('additionalUnattendContent'))]", - "winRM": "[if(empty(parameters('winRMListeners')), json('null'), json(concat('{\"listeners\": \"', parameters('winRMListeners'), '\"}')))]" - }, - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "accountSasProperties": { - "signedServices": "b", //Blob (b), Queue (q), Table (t), File (f). - "signedPermission": "r", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p) - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z - "signedResourceTypes": "o", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files. 
- "signedProtocol": "https" - }, - "diagnosticLogs": [], - "pidName": "[concat('pid-', parameters('cuaId'))]", - "builtInRoleNames": { - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]" - } - }, - "resources": [ - { - "name": "[variables('pidName')]", - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "name": 
"[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]", - "type": "Microsoft.Compute/proximityPlacementGroups", - "apiVersion": "2021-04-01", - "condition": "[not(empty(parameters('proximityPlacementGroupName')))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "proximityPlacementGroupType": "[parameters('proximityPlacementGroupType')]" - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets", - "name": "[parameters('vmssName')]", - "apiVersion": "2021-04-01", - "condition": "[not(empty(parameters('vmssName')))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "[if(not(empty(parameters('proximityPlacementGroupName'))),parameters('proximityPlacementGroupName'),'dummyProximityGroup')]" - ], - "identity": "[if(empty(parameters('managedIdentityType')), json('null'), json(concat('{\"type\":\"', parameters('managedIdentityType'), if(not(empty(parameters('managedIdentityIdentities'))),concat(',\"userAssignedIdentities\":\"',parameters('managedIdentityIdentities') ),''), '\"}')))]", - "zones": "[parameters('availabilityZones')]", - "properties": { - "proximityPlacementGroup": "[if(empty(parameters('proximityPlacementGroupName')), json('null'), json(concat('{\"id\":\"', resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('proximityPlacementGroupName')),'\"}')))]", - "upgradePolicy": { - "mode": "[parameters('upgradePolicyMode')]", - "rollingUpgradePolicy": { - "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]", - "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]", - "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]", - "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]" - }, - "automaticOSUpgradePolicy": { - "enableAutomaticOSUpgrade": "[parameters('enableAutomaticOSUpgrade')]", - 
"disableAutomaticRollback": "[parameters('disableAutomaticRollback')]" - } - }, - "automaticRepairsPolicy": { - "enabled": "[parameters('automaticRepairsPolicyEnabled')]", - "gracePeriod": "[parameters('gracePeriod')]" - }, - "virtualMachineProfile": { - "osProfile": { - "computerNamePrefix": "[parameters('vmNamePrefix')]", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[if(empty(parameters('adminPassword')), json('null'), parameters('adminPassword'))]", - "customData": "[if(empty(parameters('customData')), json('null'), base64(parameters('customData')))]", - "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), json('null'))]", - "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), json('null'))]", - "secrets": "[parameters('secrets')]" - }, - "storageProfile": { - "imageReference": "[parameters('imageReference')]", - "osDisk": { - "createOption": "[parameters('osDisk').createOption]", - "diskSizeGB": "[parameters('osDisk').diskSizeGB]", - "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, json('null'))]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, json('null'))]", - "diffDiskSettings": "[if(contains(parameters('osDisk'), 'diffDiskSettings'), parameters('osDisk').diffDiskSettings, json('null'))]", - "osType": "[if(contains(parameters('osDisk'), 'osType'), parameters('osDisk').osType, json('null'))]", - "image": "[if(contains(parameters('osDisk'), 'image'), parameters('osDisk').image, json('null'))]", - "vhdContainers": "[if(contains(parameters('osDisk'), 'vhdContainers'), parameters('osDisk').vhdContainers, json('null'))]", - "managedDisk": { - "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]", - "diskEncryptionSet": "[if(contains(parameters('osDisk'), 'diskEncryptionSet'), 
parameters('osDisk').diskEncryptionSet, json('null'))]" - } - }, - "copy": [ - { - "name": "dataDisks", - "count": "[length(parameters('dataDisks'))]", - "input": { - "lun": "[copyIndex('dataDisks')]", - "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", - "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]", - "caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, json('null'))]", - "managedDisk": { - "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", - "diskEncryptionSet": { - "id": "[if(parameters('enableServerSideEncryption'), parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id, json('null'))]" - } - }, - "diskIOPSReadWrite": "[if(contains(parameters('osDisk'), 'diskIOPSReadWrite'),parameters('dataDisks')[copyIndex('dataDisks')].diskIOPSReadWrite, json('null'))]", - "diskMBpsReadWrite": "[if(contains(parameters('osDisk'), 'diskMBpsReadWrite'),parameters('dataDisks')[copyIndex('dataDisks')].diskMBpsReadWrite, json('null'))]" - } - } - ] - }, - "networkProfile": { - "copy": [ - { - "name": "networkInterfaceConfigurations", - "count": "[length(parameters('nicConfigurations'))]", - "input": { - "name": "[concat(parameters('vmssName'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nicSuffix, 'configuration-', copyIndex('networkInterfaceConfigurations'))]", - "properties": { - "primary": "[if(equals(copyIndex('networkInterfaceConfigurations'), 0), 'true', 'false')]", - "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations'), 'enableAcceleratedNetworking'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking, json('null'))]", - "networkSecurityGroup": 
"[if(contains(parameters('nicConfigurations'), 'nsgId'), json(concat('{\"id\": \"', parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')), json('null'))]", - "ipConfigurations": "[parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].ipConfigurations]" - } - } - } - ] - }, - "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": "[not(empty(parameters('bootDiagnosticStorageAccountName')))]", - "storageUri": "[if(empty(parameters('bootDiagnosticStorageAccountName')), json('null'), concat('https://', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')))]" - } - }, - "licenseType": "[if(empty(parameters('licenseType')), json('null'),parameters('licenseType'))]", - "priority": "[parameters('vmPriority')]", - "evictionPolicy": "[if(parameters('enableEvictionPolicy'), 'Deallocate', json('null'))]", - "billingProfile": "[if(and(not(empty(parameters('vmPriority'))),not(empty(parameters('maxPriceForLowPriorityVm')))), json(concat('{\"maxPrice\":\"',parameters('maxPriceForLowPriorityVm'),'\"}')), json('null'))]", - "scheduledEventsProfile": "[parameters('scheduledEventsProfile')]" - }, - "overprovision": "[parameters('overprovision')]", - "doNotRunExtensionsOnOverprovisionedVMs": "[parameters('doNotRunExtensionsOnOverprovisionedVMs')]", - "zoneBalance": "[if(equals(parameters('zoneBalance'), 'true'), parameters('zoneBalance'), json('null'))]", - "platformFaultDomainCount": "[parameters('scaleSetFaultDomain')]", - "singlePlacementGroup": "[parameters('singlePlacementGroup')]", - "additionalCapabilities": { - "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]" - }, - "scaleInPolicy": "[parameters('scaleInPolicy')]" - }, - "sku": { - "name": "[parameters('instanceSize')]", - "capacity": "[parameters('instanceCount')]" - }, - "plan": "[if(empty(parameters('plan')), json('null'),parameters('plan'))]", - "resources": [ - { - "type": "providers/locks", - "apiVersion": 
"2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/vmssDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" - ], - "comments": "Resource lock on VM Scale Set", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'),'/DomainJoin')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[not(empty(parameters('domainName')))]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" - ], - "properties": { - "publisher": "Microsoft.Compute", - "type": "JsonADDomainExtension", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settings": { - "Name": "[parameters('domainName')]", - "User": "[parameters('domainJoinUser')]", - "OUPath": "[parameters('domainJoinOU')]", - "Restart": "[parameters('domainJoinRestart')]", - "Options": "[parameters('domainJoinOptions')]" - }, - "protectedSettings": { - "Password": "[parameters('domainJoinPassword')]" - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/MicrosoftAntiMalware')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableMicrosoftAntiMalware')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DomainJoin')]" - ], - "properties": { - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settings": "[parameters('microsoftAntiMalwareSettings')]" - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": 
"[concat(parameters('vmssName'), '/WindowsMMAAgent')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableWindowsMMAAgent')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'MicrosoftAntiMalware')]" - ], - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "MicrosoftMonitoringAgent", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "settings": { - "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" - }, - "protectedSettings": { - "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/LinuxMMAAgent')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableLinuxMMAAgent')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'WindowsMMAAgent')]" - ], - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "OmsAgentForLinux", - "typeHandlerVersion": "1.7", - "autoUpgradeMinorVersion": true, - "settings": { - "workspaceId": "[if(empty(parameters('workspaceId')), 'dummy', reference(parameters('workspaceId'), '2015-11-01-preview').customerId)]" - }, - "protectedSettings": { - "workspaceKey": "[if(empty(parameters('workspaceId')), 'dummy', listKeys(parameters('workspaceId'), '2015-11-01-preview').primarySharedKey)]" - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - 
"name": "[concat(parameters('vmssName'), '/WindowsDiskEncryption')]", - "apiVersion": "2019-07-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableWindowsDiskEncryption')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'LinuxMMAAgent')]" - ], - "properties": { - "publisher": "Microsoft.Azure.Security", - "type": "AzureDiskEncryption", - "typeHandlerVersion": "2.2", - "autoUpgradeMinorVersion": true, - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "[parameters('keyVaultUri')]", - "KeyVaultResourceId": "[parameters('keyVaultId')]", - "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", - "KekVaultResourceId": "[parameters('keyVaultId')]", - "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", - "VolumeType": "[parameters('diskEncryptionVolumeType')]", - "ResizeOSDisk": "[parameters('resizeOSDisk')]" - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/LinuxDiskEncryption')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableLinuxDiskEncryption')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'WindowsDiskEncryption')]" - ], - "properties": { - "publisher": "Microsoft.Azure.Security", - "type": "AzureDiskEncryptionForLinux", - "typeHandlerVersion": "1.1", - "autoUpgradeMinorVersion": true, - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "[parameters('keyVaultUri')]", - "KeyVaultResourceId": "[parameters('keyVaultId')]", 
- "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", - "KekVaultResourceId": "[parameters('keyVaultId')]", - "KeyEncryptionAlgorithm": "[parameters('diskKeyEncryptionAlgorithm')]", - "VolumeType": "[parameters('diskEncryptionVolumeType')]" - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2020-06-01", - "name": "[concat(parameters('vmssName'), '/DependencyAgentWindows')]", - "location": "[parameters('location')]", - "condition": "[parameters('enableWindowsDependencyAgent')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'LinuxDiskEncryption')]" - ], - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentWindows", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "apiVersion": "2020-06-01", - "name": "[concat(parameters('vmssName'), '/DependencyAgentLinux')]", - "location": "[parameters('location')]", - "condition": "[parameters('enableLinuxDependencyAgent')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DependencyAgentWindows')]" - ], - "properties": { - "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", - "type": "DependencyAgentLinux", - "typeHandlerVersion": "9.5", - "autoUpgradeMinorVersion": true - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/NetworkWatcherAgentWindows')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableNetworkWatcherWindows')]", - "dependsOn": [ - 
"[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'DependencyAgentLinux')]" - ], - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentWindows", - "typeHandlerVersion": "1.4", - "autoUpgradeMinorVersion": true, - "settings": { - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/NetworkWatcherAgentLinux')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[parameters('enableNetworkWatcherLinux')]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'NetworkWatcherAgentWindows')]" - ], - "properties": { - "publisher": "Microsoft.Azure.NetworkWatcher", - "type": "NetworkWatcherAgentLinux", - "typeHandlerVersion": "1.4", - "autoUpgradeMinorVersion": true, - "settings": { - } - } - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/windowsDsc')]", - "apiVersion": "2020-06-01", - "location": "[parameters('location')]", - "condition": "[not(empty(parameters('dscConfiguration')))]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'NetworkWatcherAgentLinux')]" - ], - "properties": { - "publisher": "Microsoft.Powershell", - "type": "DSC", - "typeHandlerVersion": "2.77", - "autoUpgradeMinorVersion": true, - "settings": "[parameters('dscConfiguration').settings]", - "protectedSettings": "[if( contains(parameters('dscConfiguration'), 'protectedSettings'), parameters('dscConfiguration').protectedSettings, json('null') )]" - } - } - ] - }, - { - 
"type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "name": "[concat(parameters('vmssName'), '/Microsoft.Insights/service')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticLogs'))]" - } - }, - // This WindowsCustomScriptExtension has to be a top level resource, as the 'fileUris' property copy loop only works if this extension is not a nested resource within the VM. 
- { - "apiVersion": "2019-07-01", - "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", - "name": "[concat(parameters('vmssName'), '/WindowsCustomScriptExtension')]", - "location": "[parameters('location')]", - "condition": "[and(not(empty(parameters('windowsScriptExtensionFileData'))),not(empty(parameters('windowsScriptExtensionCommandToExecute'))))]", - "dependsOn": [ - "[concat('Microsoft.Compute/virtualMachineScaleSets/', parameters('vmssName'))]", - "[resourceId('Microsoft.Compute/virtualMachineScaleSets/extensions', parameters('vmssName'), 'windowsDsc')]" - ], - "properties": { - "publisher": "Microsoft.Compute", - "type": "CustomScriptExtension", - "typeHandlerVersion": "1.9", - "autoUpgradeMinorVersion": true, - "settings": { - "copy": [ - { - "name": "fileUris", - "count": "[length(parameters('windowsScriptExtensionFileData'))]", - "input": "[concat(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].uri,if(contains(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')], 'storageAccountId'),concat('?',listAccountSas(parameters('windowsScriptExtensionFileData')[copyIndex('fileUris')].storageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken) , '' ))]" - } - ] - }, - "protectedSettings": { - "commandToExecute": "[parameters('windowsScriptExtensionCommandToExecute')]", - "storageAccountName": "[if(not(empty(parameters('cseStorageAccountName'))), parameters('cseStorageAccountName'), json('null'))]", - "storageAccountKey": "[if(not(empty(parameters('cseStorageAccountKey'))), parameters('cseStorageAccountKey'), json('null'))]", - "managedIdentity": "[if(not(empty(parameters('cseManagedIdentity'))), parameters('cseManagedIdentity'), json('null'))]" - } - } - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - 
"[parameters('vmssName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "vmssName": { - "value": "[parameters('vmssName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "vmssName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('vmssName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('vmssName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "vmssResourceIds": { - "type": "string", - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]", - "metadata": { - "description": "The Resource Id of the VMSS." 
- } - }, - "vmssResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the VMSS was/were created in." - } - }, - "vmssName": { - "type": "string", - "value": "[parameters('vmssName')]", - "metadata": { - "description": "The Names of the VMSS" - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md index 52bdfe419f..127aa6b916 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md @@ -1,4 +1,4 @@ -# Virtual Machine Scale Sets +# Virtual Machine Scale Sets `[Microsoft.Compute/virtualMachineScaleSets]` This module deploys a virtual machine scale set 
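Review bot: the removed deploy.json above carried several expression bugs that the bicep replacement must not inherit, and the most consequential one is security-relevant: in the `networkProfile` copy loop, `contains(parameters('nicConfigurations'), 'nsgId')` (and the identical test for `enableAcceleratedNetworking`) is evaluated against the whole array instead of the element being built, so it is never true and `networkSecurityGroup` silently resolves to `null` for every NIC configuration. The check has to index the element, e.g. `contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'nsgId')`. The same class of mistake sits in the `dataDisks` loop, where `writeAcceleratorEnabled`, `diskIOPSReadWrite` and `diskMBpsReadWrite` test `parameters('osDisk')` rather than the data disk at `copyIndex('dataDisks')`. The `identity` expression wraps `parameters('managedIdentityIdentities')` in quotes inside a `concat`, which yields a string (or fails) instead of the object `userAssignedIdentities` expects; the object should be passed directly. Finally, `WindowsCustomScriptExtension` puts the `listAccountSas` token into `settings.fileUris`, which is returned in plaintext to anyone who can read the scale set, even though `accountSasProperties` deliberately scopes the token to read-only blob access over HTTPS with a bounded expiry; if the replacement keeps this pattern, place `fileUris` under `protectedSettings` (the Windows CustomScriptExtension accepts it there) so the token is not exposed through the resource's settings.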
@@ -6,114 +6,115 @@ This module deploys a virtual machine scale set | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Compute/ProximityPlacementGroups` | 2021-04-01 | -| `Microsoft.Compute/virtualMachineScaleSets/extensions` | 2020-06-01 | -| `Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Compute/proximityPlacementGroups` | 2021-04-01 | | `Microsoft.Compute/virtualMachineScaleSets` | 2021-04-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `providers/locks` | 2016-09-01 | +| `Microsoft.Compute/virtualMachineScaleSets/extensions` | 2021-07-01 | +| `Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | ### Resource dependency The following resources are required to be able to deploy this resource. -- VirtualNetwork + +- `Microsoft.Network/VirtualNetwork` ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `additionalUnattendContent` | array | Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object | System.Object[] | | -| `adminPassword` | securestring | Required. When specifying a Windows Virtual Machine, this value should be passed | | | -| `adminUsername` | securestring | Required. Administrator username | | | -| `automaticRepairsPolicyEnabled` | bool | Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set. | False | | -| `availabilityZones` | array | Optional. The virtual machine scale set zones. 
NOTE: Availability zones can only be set when you create the scale set. | System.Object[] | | -| `baseTime` | string | Generated. Do not provide a value! This date value is used to generate a registration token. | [utcNow('u')] | | -| `bootDiagnosticStorageAccountName` | string | Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | | | -| `bootDiagnosticStorageAccountUri` | string | Optional. Storage account boot diagnostic base URI. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `customData` | string | Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | | | -| `dataDisks` | array | Optional. Specifies the data disks. | System.Object[] | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `disableAutomaticRollback` | bool | Optional. Whether OS image rollback feature should be disabled. | False | | -| `disablePasswordAuthentication` | bool | Optional. Specifies whether password authentication should be disabled. | False | | -| `diskEncryptionVolumeType` | string | Optional. Type of the volume OS or Data to perform encryption operation | All | System.Object[] | -| `diskKeyEncryptionAlgorithm` | string | Optional. Specifies disk key encryption algorithm. | RSA-OAEP | System.Object[] | -| `domainJoinOptions` | int | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. 
For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | 3 | | -| `domainJoinOU` | string | Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com" | | | -| `domainJoinPassword` | securestring | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter | | | -| `domainJoinRestart` | bool | Optional. Controls the restart of vm after executing domain join | False | | -| `domainJoinUser` | string | Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN | | | -| `domainName` | string | Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only | | | -| `doNotRunExtensionsOnOverprovisionedVMs` | bool | Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | False | | -| `dscConfiguration` | object | Optional. The DSC configuration object | | | -| `enableAutomaticOSUpgrade` | bool | Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. | False | | -| `enableAutomaticUpdates` | bool | Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | True | | -| `enableEvictionPolicy` | bool | Optional. 
Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | False | | -| `enableLinuxDependencyAgent` | bool | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled. | False | | -| `enableLinuxDiskEncryption` | bool | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | False | | -| `enableLinuxMMAAgent` | bool | Optional. Specifies if MMA agent for Linux VM should be enabled. | False | | -| `enableMicrosoftAntiMalware` | bool | Optional. Enables Microsoft Windows Defender AV. | False | | -| `enableNetworkWatcherLinux` | bool | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | False | | -| `enableNetworkWatcherWindows` | bool | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | False | | -| `enableServerSideEncryption` | bool | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | False | | -| `enableWindowsDependencyAgent` | bool | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled. | False | | -| `enableWindowsDiskEncryption` | bool | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | False | | -| `enableWindowsMMAAgent` | bool | Optional. Specifies if MMA agent for Windows VM should be enabled. | False | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `forceUpdateTag` | string | Optional. 
Pass in an unique value like a GUID everytime the operation needs to be force run | 1.0 | | -| `gracePeriod` | string | Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | PT30M | | -| `imageReference` | object | Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | | | -| `instanceCount` | int | Optional. The initial instance count of scale set VMs. | 1 | | -| `instanceSize` | string | Optional. The SKU size of the VMs. | | | -| `keyEncryptionKeyURL` | string | Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key | | | -| `keyVaultId` | string | Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides | | | -| `keyVaultUri` | string | Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides | | | -| `licenseType` | string | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | System.Object[] | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `maxBatchInstancePercent` | int | Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. 
As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | 20 | | -| `maxPriceForLowPriorityVm` | string | Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | | -| `maxUnhealthyInstancePercent` | int | Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch | 20 | | -| `maxUnhealthyUpgradedInstancePercent` | int | Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | 20 | | -| `microsoftAntiMalwareSettings` | object | Optional. Settings for Microsoft Windows Defender AV extension. | | | -| `nicConfigurations` | array | Required. Configures NICs and PIPs. | System.Object[] | | -| `osDisk` | object | Required. Specifies the OS disk. | | | -| `osType` | string | Optional. The chosen OS type | | System.Object[] | -| `overprovision` | bool | Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned. | False | | -| `pauseTimeBetweenBatches` | string | Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format | PT0S | | -| `plan` | object | Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. 
Before you can use a marketplace image from an API, you must enable the image for programmatic use. | | | -| `provisionVMAgent` | bool | Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | True | | -| `proximityPlacementGroupName` | string | Optional. Creates an proximity placement group and adds the VMs to it. | | | -| `proximityPlacementGroupType` | string | Optional. Specifies the type of the proximity placement group. | Standard | System.Object[] | -| `publicKeys` | array | Optional. The list of SSH public keys used to authenticate with linux based VMs | System.Object[] | | -| `resizeOSDisk` | bool | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | False | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `sasTokenValidityLength` | string | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | PT8H | | -| `scaleInPolicy` | object | Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in | | | -| `scaleSetFaultDomain` | int | Optional. Fault Domain count for each placement group. 
| 2 | | -| `scheduledEventsProfile` | object | Optional. Specifies Scheduled Event related configurations | | | -| `secrets` | array | Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set. | System.Object[] | | -| `singlePlacementGroup` | bool | Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | True | | -| `tags` | object | Optional. Tags of the resource. | | | -| `timeZone` | string | Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be TimeZoneInfo.Id value from time zones returned by TimeZoneInfo.GetSystemTimeZones. | | | -| `ultraSSDEnabled` | bool | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | False | | -| `upgradePolicyMode` | string | Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling | Manual | System.Object[] | -| `vmNamePrefix` | string | Optional. Specifies the computer name prefix for all of the virtual machines in the scale set. | vmssvm | | -| `vmPriority` | string | Optional. Specifies the priority for the virtual machine. | Regular | System.Object[] | -| `vmssName` | string | Optional. Name of the VMSS. | | | -| `windowsScriptExtensionCommandToExecute` | securestring | Optional. 
Specifies the command that should be run on a Windows VM. | | | -| `windowsScriptExtensionFileData` | array | Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. | System.Object[] | | -| `cseStorageAccountName` | string | Optional. The name of the storage account to fetch to blob data from | | | -| `cseStorageAccountKey` | string | Optional. The key of the storage account to fetch the FileData blobs from | | | -| `cseManagedIdentity` | string | Optional. The managed identity to use to fetch the blob data. | | | -| `winRMListeners` | object | Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `zoneBalance` | bool | Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. | False | | -| `managedIdentityType` | string | Optional. The type of identity used for the virtual machine scale set. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine scale set. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None | | | -| `managedIdentityIdentities`| object | Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: `'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'`. | | | +| `additionalUnattendContent` | array | `[]` | | Optional. Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. 
- AdditionalUnattendContent object | +| `adminPassword` | secureString | | | Required. When specifying a Windows Virtual Machine, this value should be passed | +| `adminUsername` | secureString | | | Required. Administrator username | +| `automaticRepairsPolicyEnabled` | bool | | | Optional. Specifies whether automatic repairs should be enabled on the virtual machine scale set. | +| `availabilityZones` | array | `[]` | | Optional. The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a registration token. | +| `bootDiagnosticStorageAccountName` | string | | | Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | +| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Optional. Storage account boot diagnostic base URI. | +| `cseManagedIdentity` | object | `{object}` | | Optional. A managed identity to use for the CSE. | +| `cseStorageAccountKey` | string | | | Optional. The storage key of the storage account to access for the CSE script(s). | +| `cseStorageAccountName` | string | | | Optional. The name of the storage account to access for the CSE script(s). | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customData` | string | | | Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | +| `dataDisks` | array | `[]` | | Optional. Specifies the data disks. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. 
Resource identifier of the Diagnostic Storage Account. | +| `disableAutomaticRollback` | bool | | | Optional. Whether OS image rollback feature should be disabled. | +| `disablePasswordAuthentication` | bool | | | Optional. Specifies whether password authentication should be disabled. | +| `diskEncryptionVolumeType` | string | `All` | `[OS, Data, All]` | Optional. Type of the volume OS or Data to perform encryption operation | +| `diskKeyEncryptionAlgorithm` | string | `RSA-OAEP` | `[RSA-OAEP, RSA-OAEP-256, RSA1_5]` | Optional. Specifies disk key encryption algorithm. | +| `domainJoinOptions` | int | `3` | | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | +| `domainJoinOU` | string | | | Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com" | +| `domainJoinPassword` | secureString | | | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter | +| `domainJoinRestart` | bool | | | Optional. Controls the restart of vm after executing domain join | +| `domainJoinUser` | string | | | Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN | +| `domainName` | string | | | Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only | +| `doNotRunExtensionsOnOverprovisionedVMs` | bool | | | Optional. When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. 
| +| `dscConfiguration` | object | `{object}` | | Optional. The DSC configuration object | +| `enableAutomaticOSUpgrade` | bool | | | Optional. Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. | +| `enableAutomaticUpdates` | bool | `True` | | Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | +| `enableEvictionPolicy` | bool | | | Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| `enableLinuxDependencyAgent` | bool | | | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled. | +| `enableLinuxDiskEncryption` | bool | | | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableLinuxMMAAgent` | bool | | | Optional. Specifies if MMA agent for Linux VM should be enabled. | +| `enableMicrosoftAntiMalware` | bool | | | Optional. Enables Microsoft Windows Defender AV. | +| `enableNetworkWatcherLinux` | bool | | | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | +| `enableNetworkWatcherWindows` | bool | | | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | +| `enableServerSideEncryption` | bool | | | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | +| `enableWindowsDependencyAgent` | bool | | | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. 
Requires WindowsMMAAgent to be enabled. | +| `enableWindowsDiskEncryption` | bool | | | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableWindowsMMAAgent` | bool | | | Optional. Specifies if MMA agent for Windows VM should be enabled. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `forceUpdateTag` | string | `1.0` | | Optional. Pass in an unique value like a GUID everytime the operation needs to be force run | +| `gracePeriod` | string | `PT30M` | | Optional. The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | +| `imageReference` | object | `{object}` | | Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| `instanceCount` | int | `1` | | Optional. The initial instance count of scale set VMs. | +| `instanceSize` | string | | | Optional. The SKU size of the VMs. | +| `keyEncryptionKeyURL` | string | | | Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key | +| `keyVaultId` | string | | | Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides | +| `keyVaultUri` | string | | | Optional. 
URL of the Key Vault instance where the Key Encryption Key (KEK) resides | +| `licenseType` | string | | `[Windows_Client, Windows_Server, ]` | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `managedIdentityIdentities` | object | `{object}` | | Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | +| `managedIdentityType` | string | | `[SystemAssigned, UserAssigned, None, ]` | Optional. The type of identity used for the virtual machine scale set. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine scale set. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None | +| `maxBatchInstancePercent` | int | `20` | | Optional. The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | +| `maxPriceForLowPriorityVm` | string | | | Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | +| `maxUnhealthyInstancePercent` | int | `20` | | Optional. 
The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch | +| `maxUnhealthyUpgradedInstancePercent` | int | `20` | | Optional. The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `microsoftAntiMalwareSettings` | object | `{object}` | | Optional. Settings for Microsoft Windows Defender AV extension. | +| `nicConfigurations` | array | `[]` | | Required. Configures NICs and PIPs. | +| `osDisk` | object | | | Required. Specifies the OS disk. | +| `osType` | string | | `[Windows, Linux]` | Optional. The chosen OS type | +| `overprovision` | bool | | | Optional. Specifies whether the Virtual Machine Scale Set should be overprovisioned. | +| `pauseTimeBetweenBatches` | string | `PT0S` | | Optional. The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format | +| `plan` | object | `{object}` | | Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | +| `provisionVMAgent` | bool | `True` | | Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. 
When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | +| `proximityPlacementGroupName` | string | | | Optional. Creates an proximity placement group and adds the VMs to it. | +| `proximityPlacementGroupType` | string | `Standard` | `[Standard, Ultra]` | Optional. Specifies the type of the proximity placement group. | +| `publicKeys` | array | `[]` | | Optional. The list of SSH public keys used to authenticate with linux based VMs | +| `resizeOSDisk` | bool | | | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sasTokenValidityLength` | string | `PT8H` | | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| `scaleInPolicy` | object | `{object}` | | Optional. Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in | +| `scaleSetFaultDomain` | int | `2` | | Optional. Fault Domain count for each placement group. | +| `scheduledEventsProfile` | object | `{object}` | | Optional. Specifies Scheduled Event related configurations | +| `secrets` | array | `[]` | | Optional. Specifies set of certificates that should be installed onto the virtual machines in the scale set. 
| +| `singlePlacementGroup` | bool | `True` | | Optional. When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `timeZone` | string | | | Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be TimeZoneInfo.Id value from time zones returned by TimeZoneInfo.GetSystemTimeZones. | +| `ultraSSDEnabled` | bool | | | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | +| `upgradePolicyMode` | string | `Manual` | `[Manual, Automatic, Rolling]` | Optional. Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling | +| `vmNamePrefix` | string | `vmssvm` | | Optional. Specifies the computer name prefix for all of the virtual machines in the scale set. | +| `vmPriority` | string | `Regular` | `[Regular, Low, Spot]` | Optional. Specifies the priority for the virtual machine. | +| `vmssName` | string | | | Optional. Name of the VMSS. | +| `windowsScriptExtensionCommandToExecute` | secureString | | | Optional. Specifies the command that should be run on a Windows VM. | +| `windowsScriptExtensionFileData` | array | `[]` | | Optional. 
Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. | +| `winRMListeners` | object | `{object}` | | Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `zoneBalance` | bool | | | Optional. Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. | #### Marketplace images 
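Review bot: `cseStorageAccountKey` carries a storage account key but is still declared `string`, while `adminPassword`, `domainJoinPassword` and `windowsScriptExtensionCommandToExecute` in the same table are `secureString`; a plain string parameter is retained in the deployment history, so it should be `secureString` (and the same applies to `keyEncryptionKeyURL` only if it ever embeds a SAS, which the description does not suggest). Second, the regenerated table renders a `false` boolean default as an empty Default Value cell: `disablePasswordAuthentication`, `overprovision`, `automaticRepairsPolicyEnabled`, `enableAutomaticOSUpgrade` and the other bools the old table showed as `False` now look as if they had no default, while `enableAutomaticUpdates` and `provisionVMAgent` still show `True`; `Set-ModuleReadMe.ps1` should emit `False` explicitly rather than treating it as missing, otherwise a reader cannot see that password authentication stays enabled unless they opt out. Third, the Possible Values for `licenseType` (`[Windows_Client, Windows_Server, ]`) and `managedIdentityType` (`[SystemAssigned, UserAssigned, None, ]`) end in an empty element, and the `managedIdentityType` list no longer shows the combined `SystemAssigned, UserAssigned` value that its description still promises, so check how the generator handles an empty-string allowed value and an allowed value that itself contains a comma. Minor: the dependency reads `Microsoft.Network/VirtualNetwork`; the resource type is `Microsoft.Network/virtualNetworks`.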
@@ -375,17 +376,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `vmssName` | string | The Names of the VMSS | -| `vmssResourceGroup` | string | The name of the Resource Group the VMSS was/were created in. | -| `vmssResourceIds` | string | The Resource Id of the VMSS. | - -## Considerations - +| Output Name | Type | +| :-- | :-- | +| `vmssName` | string | +| `vmssResourceGroup` | string | +| `vmssResourceIds` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [ProximityPlacementGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-12-01/ProximityPlacementGroups) -- [VirtualMachineScaleSets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-06-01/virtualMachineScaleSets) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Proximityplacementgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/proximityPlacementGroups) +- [Virtualmachinescalesets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/virtualMachineScaleSets) +- [Virtualmachinescalesets/Extensions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachineScaleSets/extensions) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.Compute/virtualMachines/readme.md b/arm/Microsoft.Compute/virtualMachines/readme.md index 09c6d8b326..815d25c8ff 100644 --- a/arm/Microsoft.Compute/virtualMachines/readme.md +++ b/arm/Microsoft.Compute/virtualMachines/readme.md 
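Review bot: the new Outputs table in the virtualMachineScaleSets readme drops the Description column, so `vmssName`, `vmssResourceGroup` and `vmssResourceIds` are now listed with a type only; the descriptions existed both in the old table (`The name of the Resource Group the VMSS was/were created in.`) and in the `metadata.description` of the deploy.json deleted above, so `Set-ModuleReadMe.ps1` should carry them over instead of discarding them. While touching this table, `vmssResourceIds` is typed `string` although the name is plural; if the module deploys a single scale set the output should be `vmssResourceId`, otherwise its type should be `array`. The empty `## Considerations` section is removed here even though the commit message says considerations were re-added; confirm that is intended for this module.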
@@ -1,105 +1,112 @@ -# Virtual Machines +# Virtual Machines `[Microsoft.Compute/virtualMachines]` This module deploys one or multiple Virtual Machines. ## Resource types - -|Resource Type|ApiVersion| -|:--|:--| +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Compute/availabilitySets` | 2021-04-01 | | `Microsoft.Compute/proximityPlacementGroups` | 2021-04-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Compute/virtualMachines` | 2020-06-01 | +| `Microsoft.Compute/virtualMachines/extensions` | 2019-07-01 | +| `Microsoft.Compute/virtualMachines/extensions` | 2018-10-01 | +| `Microsoft.Compute/virtualMachines/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Network/networkInterfaces` | 2020-08-01 | +| `Microsoft.Network/networkInterfaces/providers/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2020-08-01 | +| `Microsoft.Network/publicIPAddresses/providers/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | 2016-12-01 | +| `providers/locks` | 2016-09-01 | ## Parameters - -| Parameter Name | Type | Default Value | Possible values | Description | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `adminPassword` | securestring | | | Required. When specifying a Windows Virtual Machine, this value should be passed | | `adminUsername` | securestring | | | Required. Administrator username | -| `allowExtensionOperations` | bool | True | | Optional. Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | -| `availabilitySetFaultDomain` | int | 2 | | Optional. The number of fault domains to use. | +| `allowExtensionOperations` | bool | `True` | | Optional. Specifies whether extension operations should be allowed on the virtual machine. 
This may only be set to False when no extensions are present on the virtual machine. | +| `availabilitySetFaultDomain` | int | `2` | | Optional. The number of fault domains to use. | | `availabilitySetName` | string | | | Optional. Creates an availability set with the given name and adds the VMs to it. Cannot be used in combination with availability zone nor scale set. | -| `availabilitySetNames` | array | System.Object[] | | Optional. Name(s) of the availability set(s). If no explicit names are provided, availability set name(s) will be generated based on the availabilitySetName, vmNumberOfInstances and maxNumberOfVmsPerAvSet parameters. | -| `availabilitySetSku` | string | Aligned | | Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks. | -| `availabilitySetUpdateDomain` | int | 5 | | Optional. The number of update domains to use. | -| `availabilityZone` | int | 0 | System.Object[] | Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then the automatic algorithm will be used to give every VM in a different zone (up to three zones). Cannot be used in combination with availability set nor scale set. | -| `backupPolicyName` | string | DefaultPolicy | | Optional. Backup policy the VMs should be using for backup. | +| `availabilitySetNames` | array | `[]` | | Optional. Name(s) of the availability set(s). If no explicit names are provided, availability set name(s) will be generated based on the availabilitySetName, vmNumberOfInstances and maxNumberOfVmsPerAvSet parameters. | +| `availabilitySetSku` | string | `Aligned` | | Optional. Sku of the availability set. Use 'Aligned' for virtual machines with managed disks and 'Classic' for virtual machines with unmanaged disks. | +| `availabilitySetUpdateDomain` | int | `5` | | Optional. The number of update domains to use. 
| +| `availabilityZone` | int | | `[0, 1, 2, 3]` | Optional. If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then the automatic algorithm will be used to give every VM in a different zone (up to three zones). Cannot be used in combination with availability set nor scale set. | +| `backupPolicyName` | string | `DefaultPolicy` | | Optional. Backup policy the VMs should be using for backup. | | `backupVaultName` | string | | | Optional. Recovery service vault name to add VMs to backup. | | `backupVaultResourceGroup` | string | | | Optional. Resource group of the backup recovery service vault. | -| `baseTime` | string | [utcNow('u')] | | Generated. Do not provide a value! This date value is used to generate a registration token. | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a registration token. | | `bootDiagnosticStorageAccountName` | string | | | Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | -| `bootDiagnosticStorageAccountUri` | string | .blob.core.windows.net/ | | Optional. Storage account boot diagnostic base URI. | -| `certificatesToBeInstalled` | array | System.Object[] | | Optional. Specifies set of certificates that should be installed onto the virtual machine. | -| `cseManagedIdentity` | object | | | Optional. A managed identity to use for the CSE. | +| `bootDiagnosticStorageAccountUri` | string | `.blob.core.windows.net/` | | Optional. Storage account boot diagnostic base URI. | +| `certificatesToBeInstalled` | array | `[]` | | Optional. Specifies set of certificates that should be installed onto the virtual machine. | +| `cseManagedIdentity` | object | `{object}` | | Optional. A managed identity to use for the CSE. | | `cseStorageAccountKey` | string | | | Optional. The storage key of the storage account to access for the CSE script(s). 
| | `cseStorageAccountName` | string | | | Optional. The name of the storage account to access for the CSE script(s). | | `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | `customData` | string | | | Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| `dataDisks` | array | System.Object[] | | Optional. Specifies the data disks. | +| `dataDisks` | array | `[]` | | Optional. Specifies the data disks. | | `dedicatedHostId` | string | | | Optional. Specifies resource Id about the dedicated host that the virtual machine resides in. | -| `diagnosticLogsRetentionInDays` | int | 365 | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticSettingName` | string | service | | Optional. The name of the Diagnostic setting. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. | | `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | -| `diskEncryptionVolumeType` | string | All | System.Object[] | Optional. Type of the volume OS or Data to perform encryption operation | -| `diskKeyEncryptionAlgorithm` | string | RSA-OAEP | System.Object[] | Optional. Specifies disk key encryption algorithm. | -| `domainJoinOptions` | int | 3 | | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. 
For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | +| `diskEncryptionVolumeType` | string | `All` | `[OS, Data, All]` | Optional. Type of the volume OS or Data to perform encryption operation | +| `diskKeyEncryptionAlgorithm` | string | `RSA-OAEP` | `[RSA-OAEP, RSA-OAEP-256, RSA1_5]` | Optional. Specifies disk key encryption algorithm. | +| `domainJoinOptions` | int | `3` | | Optional. Set of bit flags that define the join options. Default value of 3 is a combination of NETSETUP_JOIN_DOMAIN (0x00000001) & NETSETUP_ACCT_CREATE (0x00000002) i.e. will join the domain and create the account on the domain. For more information see https://msdn.microsoft.com/en-us/library/aa392154(v=vs.85).aspx | | `domainJoinOU` | string | | | Optional. Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com" | | `domainJoinPassword` | securestring | | | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter | -| `domainJoinRestart` | bool | False | | Optional. Controls the restart of vm after executing domain join | +| `domainJoinRestart` | bool | | | Optional. Controls the restart of vm after executing domain join | | `domainJoinUser` | string | | | Optional. Mandatory if domainName is specified. User used for the join to the domain. Format: username@domainFQDN | | `domainName` | string | | | Optional. Specifies the FQDN the of the domain the VM will be joined to. Currently implemented for Windows VMs only | -| `dscConfiguration` | object | | | Optional. The DSC configuration object | -| `enableEvictionPolicy` | bool | False | | Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| `enableLinuxDependencyAgent` | bool | False | | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. 
Requires LinuxMMAAgent to be enabled. | -| `enableLinuxDiskEncryption` | bool | False | | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | -| `enableLinuxMMAAgent` | bool | False | | Optional. Specifies if MMA agent for Linux VM should be enabled. | -| `enableMicrosoftAntiMalware` | bool | False | | Optional. Enables Microsoft Windows Defender AV. | -| `enableNetworkWatcherLinux` | bool | False | | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | -| `enableNetworkWatcherWindows` | bool | False | | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | -| `enableServerSideEncryption` | bool | False | | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | -| `enableWindowsDependencyAgent` | bool | False | | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled. | -| `enableWindowsDiskEncryption` | bool | False | | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | -| `enableWindowsMMAAgent` | bool | False | | Optional. Specifies if MMA agent for Windows VM should be enabled. | +| `dscConfiguration` | object | `{object}` | | Optional. The DSC configuration object | +| `enableEvictionPolicy` | bool | | | Optional. Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| `enableLinuxDependencyAgent` | bool | | | Optional. Specifies if Azure Dependency Agent for Linux VM should be enabled. Requires LinuxMMAAgent to be enabled. | +| `enableLinuxDiskEncryption` | bool | | | Optional. Specifies if Linux VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableLinuxMMAAgent` | bool | | | Optional. Specifies if MMA agent for Linux VM should be enabled. 
| +| `enableMicrosoftAntiMalware` | bool | | | Optional. Enables Microsoft Windows Defender AV. | +| `enableNetworkWatcherLinux` | bool | | | Optional. Specifies if Azure Network Watcher Agent for Linux VM should be enabled. | +| `enableNetworkWatcherWindows` | bool | | | Optional. Specifies if Azure Network Watcher Agent for Windows VM should be enabled. | +| `enableServerSideEncryption` | bool | | | Optional. Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | +| `enableWindowsDependencyAgent` | bool | | | Optional. Specifies if Azure Dependency Agent for Windows VM should be enabled. Requires WindowsMMAAgent to be enabled. | +| `enableWindowsDiskEncryption` | bool | | | Optional. Specifies if Windows VM disks should be encrypted. If enabled, boot diagnostics must be enabled as well. | +| `enableWindowsMMAAgent` | bool | | | Optional. Specifies if MMA agent for Windows VM should be enabled. | | `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `forceUpdateTag` | string | 1.0 | | Optional. Pass in an unique value like a GUID everytime the operation needs to be force run | -| `imageReference` | object | | | Optional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| `forceUpdateTag` | string | `1.0` | | Optional. Pass in an unique value like a GUID everytime the operation needs to be force run | +| `imageReference` | object | `{object}` | | Optional. OS image reference. 
In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | | `keyEncryptionKeyURL` | string | | | Optional. URL of the KeyEncryptionKey used to encrypt the volume encryption key | | `keyVaultId` | string | | | Optional. Resource identifier of the Key Vault instance where the Key Encryption Key (KEK) resides | | `keyVaultUri` | string | | | Optional. URL of the Key Vault instance where the Key Encryption Key (KEK) resides | -| `licenseType` | string | | System.Object[] | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| `linuxConfiguration` | object | | | Optional. Specifies the Linux operating system settings on the virtual machine. | -| `location` | string | [resourceGroup().location] | | Optional. Location for all resources. | -| `managedServiceIdentity` | string | None | None, SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, UserAssigned, SystemAssigned | Optional. The type of identity used for the virtual machine. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' (default) will remove any identities from the virtual machine. | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `maxNumberOfVmsPerAvSet` | int | 200 | | Optional. The maximum number of VMs allowed in an availability set. The template will create additional availability sets if the number of VMs to be deployed exceeds this quota. | -| `maxNumberOfVmsPerDeployment` | int | 50 | | Optional. The maximum number of VMs allowed in a single deployment. The template will create additional deployments if the number of VMs to be deployed exceeds this quota. 
| +| `licenseType` | string | | `[Windows_Client, Windows_Server, ]` | Optional. Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | +| `linuxConfiguration` | object | `{object}` | | Optional. Specifies the Linux operating system settings on the virtual machine. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lockForDeletion` | bool | | | Optional. Switch to lock VM from deletion. | +| `managedServiceIdentity` | string | `None` | `[None, SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, UserAssigned, SystemAssigned]` | Optional. The type of identity used for the virtual machine. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' (default) will remove any identities from the virtual machine. | +| `maxNumberOfVmsPerAvSet` | int | `200` | | Optional. The maximum number of VMs allowed in an availability set. The template will create additional availability sets if the number of VMs to be deployed exceeds this quota. | +| `maxNumberOfVmsPerDeployment` | int | `50` | | Optional. The maximum number of VMs allowed in a single deployment. The template will create additional deployments if the number of VMs to be deployed exceeds this quota. | | `maxPriceForLowPriorityVm` | string | | | Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | -| `microsoftAntiMalwareSettings` | object | | | Optional. Settings for Microsoft Windows Defender AV extension. | +| `microsoftAntiMalwareSettings` | object | `{object}` | | Optional. Settings for Microsoft Windows Defender AV extension. | | `nicConfigurations` | array | | | Required. Configures NICs and PIPs. | | `osDisk` | object | | | Required. Specifies the OS disk. | -| `plan` | object | | | Optional. 
Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | +| `plan` | object | `{object}` | | Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | | `proximityPlacementGroupName` | string | | | Optional. Creates an proximity placement group and adds the VMs to it. | -| `proximityPlacementGroupType` | string | Standard | System.Object[] | Optional. Specifies the type of the proximity placement group. | -| `resizeOSDisk` | bool | False | | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | -| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| `tags` | object | | | Optional. Tags of the resource. | -| `ultraSSDEnabled` | bool | False | | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. 
Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| `useAvailabilityZone` | bool | False | | Optional. Creates an availability zone and adds the VMs to it. Cannot be used in combination with availability set nor scale set. | -| `userAssignedIdentities` | object | | | Optional. Mandatory if 'managedServiceIdentity' contains 'UserAssigned'. The list of user identities associated with the Virtual Machine. | -| `vmComputerNames` | object | | | Optional. Specifies the VM computer names for the VMs. If the VM name is not in the object as key the VM name is used as computer name. Be aware of the maximum size of 15 characters and limitations regarding special characters for the computer name. Once set it can't be changed via template. | -| `vmComputerNamesTransformation` | string | none | | Optional. Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'. | -| `vmInitialNumber` | int | 1 | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmNumberOfInstances values. | -| `vmNamePrefix` | string | [take(toLower(uniqueString(resourceGroup().name)),10)] | | Optional. If no explicit values were provided in the vmNames parameter, this prefix will be used in combination with the vmNumberOfInstances and the vmInitialNumber parameters to create unique VM names. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | -| `vmNames` | array | System.Object[] | | Optional. Name(s) of the virtual machine(s). 
If no explicit names are provided, VM name(s) will be generated based on the vmNamePrefix, vmNumberOfInstances and vmInitialNumber parameters. | -| `vmNumberOfInstances` | int | 1 | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmInitialNumber values. | -| `vmPriority` | string | Regular | System.Object[] | Optional. Specifies the priority for the virtual machine. | -| `vmSize` | string | Standard_D2s_v3 | | Optional. Specifies the size for the VMs | -| `windowsConfiguration` | object | | | Optional. Specifies Windows operating system settings on the virtual machine. | +| `proximityPlacementGroupType` | string | `Standard` | `[Standard, Ultra]` | Optional. Specifies the type of the proximity placement group. | +| `resizeOSDisk` | bool | | | Optional. Should the OS partition be resized to occupy full OS VHD before splitting system volume | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sasTokenValidityLength` | string | `PT8H` | | Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `ultraSSDEnabled` | bool | | | Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. 
Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | +| `useAvailabilityZone` | bool | | | Optional. Creates an availability zone and adds the VMs to it. Cannot be used in combination with availability set nor scale set. | +| `userAssignedIdentities` | object | `{object}` | | Optional. Mandatory if 'managedServiceIdentity' contains UserAssigned. The list of user identities associated with the Virtual Machine. | +| `vmComputerNames` | object | `{object}` | | Optional. Specifies the VM computer names for the VMs. If the VM name is not in the object as key the VM name is used as computer name. Be aware of the maximum size of 15 characters and limitations regarding special characters for the computer name. Once set it can't be changed via template. | +| `vmComputerNamesTransformation` | string | `none` | | Optional. Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'. | +| `vmInitialNumber` | int | `1` | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmNumberOfInstances values. | +| `vmNamePrefix` | string | `[take(toLower(uniqueString(resourceGroup().name)),10)]` | | Optional. If no explicit values were provided in the vmNames parameter, this prefix will be used in combination with the vmNumberOfInstances and the vmInitialNumber parameters to create unique VM names. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | +| `vmNames` | array | `[]` | | Optional. Name(s) of the virtual machine(s). 
If no explicit names are provided, VM name(s) will be generated based on the vmNamePrefix, vmNumberOfInstances and vmInitialNumber parameters. | +| `vmNumberOfInstances` | int | `1` | | Optional. If no explicit values were provided in the vmNames parameter, this parameter will be used to generate VM names, using the vmNamePrefix and the vmInitialNumber values. | +| `vmPriority` | string | `Regular` | `[Regular, Low, Spot]` | Optional. Specifies the priority for the virtual machine. | +| `vmSize` | string | `Standard_D2s_v3` | | Optional. Specifies the size for the VMs | +| `windowsConfiguration` | object | `{object}` | | Optional. Specifies Windows operating system settings on the virtual machine. | | `windowsScriptExtensionCommandToExecute` | securestring | | | Optional. Specifies the command that should be run on a Windows VM. | -| `windowsScriptExtensionFileData` | array | System.Object[] | | Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. | +| `windowsScriptExtensionFileData` | array | `[]` | | Optional. Array of objects that specifies URIs and the storageAccountId of the scripts that need to be downloaded and run by the Custom Script Extension on a Windows VM. | | `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `imageReference` @@ -444,7 +451,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a ``` ## Outputs - | Output Name | Type | Description | | :-- | :-- | :-- | | `deploymentCount` | int | The number of VM deployments. | 
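Review bot: the regenerated parameter table in the `@@ -1,105 +1,112 @@` hunk silently drops `false` and `0` defaults. `domainJoinRestart`, `enableEvictionPolicy`, every `enable*` switch, `resizeOSDisk`, `ultraSSDEnabled` and `useAvailabilityZone` previously showed `False`, and `availabilityZone` showed `0`, but the new rows leave Default Value empty, which is indistinguishable from the empty default of a required parameter such as `adminPassword`; the `availabilityZone` description even relies on the reader knowing that zero is the default ("If zero, then the automatic algorithm will be used"). Have the readme script render these explicitly, e.g. `| \`domainJoinRestart\` | bool | \`false\` | | Optional. ... |`. Two rendering bugs in the Possible Values column: `managedServiceIdentity` shows `[None, SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, UserAssigned, SystemAssigned]` because the combined allowed value 'SystemAssigned, UserAssigned' is split on its comma, and `licenseType` ends with a blank item in `[Windows_Client, Windows_Server, ]` where the allowed empty string should be shown as `''`. Also note that replacing the `lock` enum ('CanNotDelete', 'NotSpecified', 'ReadOnly') with the bool `lockForDeletion` removes the ReadOnly option and changes the parameter name, which is breaking for existing callers and deserves a sentence in the readme. Finally, the Resource types table lists `Microsoft.Compute/virtualMachines/extensions` twice (2019-07-01 and 2018-10-01); aligning the extension resources on one API version would remove the duplicate row.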
@@ -472,3 +478,14 @@ The reason for this restriction is twofold: - [ProximityPlacementGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/proximityPlacementGroups) - [Availability Sets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/availabilitySets) - [Deployment Quota Exceeded](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-quota-exceeded) + +## Template references +- [Availabilitysets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/availabilitySets) +- [Proximityplacementgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/proximityPlacementGroups) +- [Virtualmachines](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-06-01/virtualMachines) +- [Virtualmachines/Extensions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-07-01/virtualMachines/extensions) +- [Virtualmachines/Extensions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2018-10-01/virtualMachines/extensions) +- [Networkinterfaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-08-01/networkInterfaces) +- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-08-01/publicIPAddresses) +- [Vaults/Backupfabrics/Protectioncontainers/Protecteditems](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2016-12-01/vaults/backupFabrics/protectionContainers/protectedItems) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/providers/2016-09-01/locks) diff --git a/arm/Microsoft.Consumption/budgets/readme.md b/arm/Microsoft.Consumption/budgets/readme.md index d65728047d..d8f330c29d 100644 --- a/arm/Microsoft.Consumption/budgets/readme.md +++ b/arm/Microsoft.Consumption/budgets/readme.md 
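Review bot: the `@@ -472,3 +478,14 @@` hunk appends a Template references section but leaves the older reference links above it in place (they appear as unchanged context), so the readme now points at both `Microsoft.Compute/2020-12-01/proximityPlacementGroups` and `.../2020-12-01/availabilitySets` and the new `2021-04-01` versions of the same types; remove or update the 2020-12-01 links so the references match the Resource types table. The Locks link here uses `templates/providers/2016-09-01/locks`, while the virtualMachineScaleSets readme in this same patch uses `templates/Microsoft.Authorization/2016-09-01/locks`; the generator should emit one form for the same resource type.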
@@ -1,4 +1,4 @@ -# Budgets +# Budgets `[Microsoft.Consumption/budgets]` This module deploys budgets for subscriptions. 
@@ -6,35 +6,30 @@ This module deploys budgets for subscriptions. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Consumption/budgets` | 2019-10-01 | +| `Microsoft.Consumption/budgets` | 2019-05-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `budgetName` | string | Optional. The name of the budget. | '${resetPeriod}-${category}-Budget' | | -| `category` | string | Optional. The category of the budget, whether the budget tracks cost or usage. | "Cost" | "Cost", "Usage" | -| `amount` | int | Required. The total amount of cost or usage to track with the budget. | | | -| `resetPeriod` | string | Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | "Monthly" | "Monthly", "Quarterly", "Annually", "BillingMonth", "BillingQuarter", "BillingAnnual" | -| `startDate` | string | Optional. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). | --01T00:00:00Z | | -| `endDate` | string | Optional. The end date for the budget. If not provided, it will default to 10 years from the start date. | "" | | -| `thresholds` | int | Optional. Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | \[50, 75, 90, 100, 110\] | | -| `contactEmails` | array | Optional. List of email addresses that will receive the alert. | | | -| `contactRoles` | array | Optional. The list of contact roles to send the budget notification to when the thresholds are exceeded. | | | -| `actionGroups` | array | Optional. List of fully qualified action group resource IDs that will receive the alert. | | | +| `actionGroups` | array | `[]` | | Optional. 
List of action group resource IDs that will receive the alert. | +| `amount` | int | | | Required. The total amount of cost or usage to track with the budget. | +| `budgetName` | string | | | Optional. The name of the budget. | +| `category` | string | `Cost` | `[Cost, Usage]` | Optional. The category of the budget, whether the budget tracks cost or usage. | +| `contactEmails` | array | `[]` | | Optional. The list of email addresses to send the budget notification to when the thresholds are exceeded. | +| `contactRoles` | array | `[]` | | Optional. The list of contact roles to send the budget notification to when the thresholds are exceeded. | +| `endDate` | string | | | Optional. The end date for the budget. If not provided, it will default to 10 years from the start date. | +| `resetPeriod` | string | `Monthly` | `[Monthly, Quarterly, Annually, BillingMonth, BillingQuarter, BillingAnnual]` | Optional. The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | +| `startDate` | string | `[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]` | | Required. The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). | +| `thresholds` | array | `[50, 75, 90, 100, 110]` | | Optional. Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `budgetName` | string | The name of the budget. | -| `budgetResourceId` | string | The Resource Id of the budget. 
| - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `budgetName` | string | +| `budgetResourceId` | string | -## Additional resources +## Template references -- [Tutorial: Create and manage Azure budgets](https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets) -- [Microsoft.Consumption/budgets template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.consumption/2019-10-01/budgets) +- [Budgets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Consumption/2019-05-01/budgets) diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md index d6bae59f7f..8d1c5a509f 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/readme.md +++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md @@ -1,4 +1,4 @@ -# ContainerInstances +# ContainerInstances `[Microsoft.ContainerInstance/containerGroups]` ### Container groups in Azure Container Instances 
@@ -8,33 +8,28 @@ The top-level resource in Azure Container Instances is the container group. A co | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments` | 2018-02-01 | -| `Microsoft.ContainerInstance/containerGroups` | 2021-03-01 | | `Microsoft.Authorization/locks` | 2016-09-01 | - -### Resource dependency - -The following resources are required to be able to deploy this resource. +| `Microsoft.ContainerInstance/containerGroups` | 2021-03-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `containergroupname` | string | Required. Name for the container group. | | | -| `containername` | string | Required. Name for the container. | | | -| `cpuCores` | int | Optional. The number of CPU cores to allocate to the container. | 1 | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `environmentVariables` | array | Optional. Envrionment variables of the container group. | System.Object[] | | -| `image` | string | Required. Name of the image. | | | -| `imageRegistryCredentials` | array | Optional. The image registry credentials by which the container group is created from. | System.Object[] | | -| `ipAddressType` | string | Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private | Public | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `memoryInGB` | int | Optional. The amount of memory to allocate to the container in gigabytes. | 2 | | -| `osType` | string | Optional. The operating system type required by the containers in the container group. - Windows or Linux. | Linux | | -| `ports` | array | Optional. 
Port to open on the container and the public IP address. | System.Object[] | | -| `restartPolicy` | string | Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never | Always | | -| `tags` | object | Optional. Tags of the resource. | | | +| `containergroupname` | string | | | Required. Name for the container group. | +| `containername` | string | | | Required. Name for the container. | +| `cpuCores` | int | `2` | | Optional. The number of CPU cores to allocate to the container. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `environmentVariables` | array | `[]` | | Optional. Envrionment variables of the container group. | +| `image` | string | | | Required. Name of the image. | +| `imageRegistryCredentials` | array | `[]` | | Optional. The image registry credentials by which the container group is created from. | +| `ipAddressType` | string | `Public` | | Optional. Specifies if the IP is exposed to the public internet or private VNET. - Public or Private | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `memoryInGB` | int | `2` | | Optional. The amount of memory to allocate to the container in gigabytes. | +| `osType` | string | `Linux` | | Optional. The operating system type required by the containers in the container group. - Windows or Linux. | +| `ports` | array | `[System.Collections.Hashtable]` | | Optional. Port to open on the container and the public IP address. | +| `restartPolicy` | string | `Always` | | Optional. Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. 
- Always, OnFailure, Never | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `imageRegistryCredentials` @@ -70,23 +65,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `containerGroupIPv4Address` | string | | -| `containerGroupName` | string | The Name of the resource | -| `containerGroupResourceGroup` | string | The name of the Resource Group the resource resides | -| `containerGroupResourceId` | string | The Resource Id of the resource | - -### References - -#### Template references - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [ContainerGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2021-03-01/containerGroups) - -## Considerations +| Output Name | Type | +| :-- | :-- | +| `containerGroupIPv4Address` | string | +| `containerGroupName` | string | +| `containerGroupResourceGroup` | string | +| `containerGroupResourceId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [ContainerGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2021-03-01/containerGroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Containergroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2021-03-01/containerGroups) diff --git a/arm/Microsoft.ContainerRegistry/registries/readme.md b/arm/Microsoft.ContainerRegistry/registries/readme.md index 61abdef5d0..b2c64fec3b 100644 --- a/arm/Microsoft.ContainerRegistry/registries/readme.md +++ b/arm/Microsoft.ContainerRegistry/registries/readme.md 
@@ -1,45 +1,42 @@ -# ContainerRegistry +# ContainerRegistry `[Microsoft.ContainerRegistry/registries]` Azure Container Registry is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images and related artifacts. ## Resource types - | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments` | 2020-06-01 | | `Microsoft.ContainerRegistry/registries` | 2020-11-01-preview | -| `Microsoft.ContainerRegistry/registries/providers/roleAssignments` | 2020-04-01-preview | | `Microsoft.ContainerRegistry/registries/providers/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `Microsoft.ContainerRegistry/registries/providers/roleAssignments` | 2020-04-01-preview | | `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | | `providers/locks` | 2016-09-01 | ## Parameters - -| Parameter Name | Type | Description | DefaultValue | Allowed Values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `acrName` | string | Required. Name of the container registry. | | | -| `acrAdminUserEnabled` | bool | Required. The value that indicates whether the admin user is enabled. | false | true, false | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `acrSku` | enum | Required. The SKU name of the container registry. Required for registry creation. | Basic | Classic, Basic, Standard, Premium | -| `quarantinePolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not. | | Enabled, Disabled | -| `trustPolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not. | | Enabled, Disabled | -| `retentionPolicyStatus` | string | Optional. The value that indicates whether the policy is enabled or not.| | Enabled, Disabled | -| `retentionPolicyDays` | string | Optional. The number of days to retain an untagged manifest after which it gets purged. | | | -| `dataEndpointEnabled` | bool | Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. | false | true, false | -| `publicNetworkAccess` | string | Optional. Whether or not public network access is allowed for the container registry. | Enabled | Enabled, Disabled | -| `networkRuleBypassOptions` | string | Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. | AzureServices | AzureServices, None | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `tags` | object | Optional. Tags of the resource. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. 
| service | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | +| `acrAdminUserEnabled` | bool | | | Optional. Enable admin user that have push / pull permission to the registry. | +| `acrName` | string | | | Required. Name of your Azure Container Registry | +| `acrSku` | string | `Basic` | `[Basic, Standard, Premium]` | Optional. Tier of your Azure Container Registry. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `dataEndpointEnabled` | bool | | | Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lockForDeletion` | bool | | | Optional. Switch to lock containter registry from deletion. | +| `networkRuleBypassOptions` | string | `AzureServices` | | Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `Enabled` | | Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled | +| `quarantinePolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. | +| `retentionPolicyDays` | string | | | Optional. The number of days to retain an untagged manifest after which it gets purged. | +| `retentionPolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `trustPolicyStatus` | string | | | Optional. The value that indicates whether the policy is enabled or not. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `imageRegistryCredentials` 
@@ -106,17 +103,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ``` ## Outputs - | Output Name | Type | Description | | :-- | :-- | :-- | +| `acrLoginServer` | string | The reference to the Azure Container Registry. | | `acrName` | string | The Name of the Azure Container Registry. | -| `acrLoginServer` | string | The reference to the Azure Container Registry login server. | | `acrResourceGroup` | string | The name of the Resource Group the Azure Container Registry was created in. | | `acrResourceId` | string | The Resource Id of the Azure Container Registry. | -## Considerations - -## Additional resources - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [ContainerRegistry](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerregistry/2019-05-01/registries) +## Template references +- [Registries](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2020-11-01-preview/registries) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints/privateDnsZoneGroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/providers/2016-09-01/locks) diff --git a/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep b/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep index 0729ddf876..3c7b9b9652 100644 --- a/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.ContainerService/managedClusters/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.ContainerService/managedClusters/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.ContainerService/managedClusters/deploy.bicep b/arm/Microsoft.ContainerService/managedClusters/deploy.bicep index a414625246..c7f9e5888b 100644 --- a/arm/Microsoft.ContainerService/managedClusters/deploy.bicep +++ b/arm/Microsoft.ContainerService/managedClusters/deploy.bicep 
@@ -185,6 +185,49 @@ param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'kube-apiserver' + 'kube-audit' + 'kube-controller-manager' + 'kube-scheduler' + 'cluster-autoscaler' +]) +param logsToEnable array = [ + 'kube-apiserver' + 'kube-audit' + 'kube-controller-manager' + 'kube-scheduler' + 'cluster-autoscaler' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var aksClusterLinuxProfile = { adminUsername: aksClusterAdminUsername ssh: { 
@@ -195,59 +238,7 @@ var aksClusterLinuxProfile = { ] } } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var diagnosticsLogs = [ - { - category: 'kube-apiserver' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'kube-audit' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'kube-controller-manager' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'kube-scheduler' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'cluster-autoscaler' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] + var lbProfile = { managedOutboundIPs: { count: managedOutboundIPCount diff --git a/arm/Microsoft.ContainerService/managedClusters/readme.md b/arm/Microsoft.ContainerService/managedClusters/readme.md index f184caa071..f93f412eb6 100644 --- a/arm/Microsoft.ContainerService/managedClusters/readme.md +++ b/arm/Microsoft.ContainerService/managedClusters/readme.md @@ -1,4 +1,4 @@ -# AzureKubernetesService +# AzureKubernetesService `[Microsoft.ContainerService/managedClusters]` This module deploys Azure Kubernetes Cluster (AKS). 
@@ -7,70 +7,70 @@ This module deploys Azure Kubernetes Cluster (AKS). | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.ContainerService/managedClusters/agentPools` | 2021-05-01 | -| `Microsoft.Insights/diagnosticsettings` | 2017-05-01-preview | | `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.ContainerService/managedClusters/providers/roleAssignments` | 2018-09-01-preview | | `Microsoft.ContainerService/managedClusters` | 2021-07-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.ContainerService/managedClusters/agentPools` | 2021-05-01 | +| `Microsoft.ContainerService/managedClusters/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `aadProfileAdminGroupObjectIDs` | array | `[]` | | Optional. Specifies the AAD group object IDs that will have admin role of the cluster. | +| `aadProfileClientAppID` | string | | | Optional. The client AAD application ID. | +| `aadProfileEnableAzureRBAC` | bool | `True` | | Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization. | +| `aadProfileManaged` | bool | `True` | | Optional. Specifies whether to enable managed AAD integration. | +| `aadProfileServerAppID` | string | | | Optional. The server AAD application ID. | +| `aadProfileServerAppSecret` | string | | | Optional. The server AAD application secret. | +| `aadProfileTenantId` | string | `[subscription().tenantId]` | | Optional. Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication. | +| `aciConnectorLinuxEnabled` | bool | | | Optional. Specifies whether the aciConnectorLinux add-on is enabled or not. | +| `additionalAgentPools` | array | `[]` | | Optional. 
Define one or multiple node pools | +| `aksClusterAdminUsername` | string | `azureuser` | | Optional. Specifies the administrator username of Linux virtual machines. | +| `aksClusterDnsPrefix` | string | `[parameters('aksClusterName')]` | | Optional. Specifies the DNS prefix specified when creating the managed cluster. | +| `aksClusterDnsServiceIP` | string | | | Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | +| `aksClusterDockerBridgeCidr` | string | | | Optional. Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | +| `aksClusterEnablePrivateCluster` | bool | | | Optional. Specifies whether to create the cluster as a private cluster or not. | +| `aksClusterKubernetesVersion` | string | | | Optional. Version of Kubernetes specified when creating the managed cluster. | +| `aksClusterLoadBalancerSku` | string | `standard` | `[basic, standard]` | Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | | `aksClusterName` | string | | | Required. Specifies the name of the AKS cluster. | -| `location` | string | [resourceGroup().location] | | Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default. | -| `aksClusterDnsPrefix` | string | [parameters('aksClusterName')] | | Optional. Specifies the DNS prefix specified when creating the managed cluster. | -| `identity` | object | { "type": "SystemAssigned" } | | Optional. The identity of the managed cluster. | -| `aksClusterNetworkPlugin` | string | "" | "", azure, kubenet | Optional. Specifies the network plugin used for building Kubernetes network. - azure or kubenet. | -| `aksClusterNetworkPolicy` | string | "" | "", azure, calico | Optional. Specifies the network policy used for building Kubernetes network. 
- calico or azure | -| `aksClusterPodCidr` | string | "" | | Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. | -| `aksClusterServiceCidr` | string | "" | | Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | -| `aksClusterDnsServiceIP` | string | "" | | Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | -| `aksClusterDockerBridgeCidr` | string | "" | | Optional. Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | -| `aksClusterLoadBalancerSku` | string | standard | basic, standard | Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | -| `managedOutboundIPCount` | int | 0 | | Optional. Outbound IP Count for the Load balancer. | -| `aksClusterOutboundType` | string | loadBalancer | loadBalancer, userDefinedRouting | Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. | -| `aksClusterSkuTier` | string | Free | Free, Paid | Optional. Tier of a managed cluster SKU. - Free or Paid | -| `aksClusterKubernetesVersion` | string | "" | | Optional. Version of Kubernetes specified when creating the managed cluster. | -| `aksClusterAdminUsername` | string | azureuser | | Optional. Specifies the administrator username of Linux virtual machines. | +| `aksClusterNetworkPlugin` | string | | `[, azure, kubenet]` | Optional. Specifies the network plugin used for building Kubernetes network. - azure or kubenet. | +| `aksClusterNetworkPolicy` | string | | `[, azure, calico]` | Optional. Specifies the network policy used for building Kubernetes network. 
- calico or azure | +| `aksClusterOutboundType` | string | `loadBalancer` | `[loadBalancer, userDefinedRouting]` | Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. | +| `aksClusterPodCidr` | string | | | Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. | +| `aksClusterServiceCidr` | string | | | Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | +| `aksClusterSkuTier` | string | `Free` | `[Free, Paid]` | Optional. Tier of a managed cluster SKU. - Free or Paid | | `aksClusterSshPublicKey` | string | | | Optional. Specifies the SSH RSA public key string for the Linux nodes. | -| `aksServicePrincipalProfile` | object | {} | | Optional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. | -| `aadProfileClientAppID` | string | "" | | Optional. The client AAD application ID. | -| `aadProfileServerAppID` | string | "" | | Optional. The server AAD application ID. | -| `aadProfileServerAppSecret` | string | "" | | Optional. The server AAD application secret. | -| `aadProfileTenantId` | string | [subscription().tenantId] | | Optional. Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication. | -| `aadProfileAdminGroupObjectIDs` | array | System.Object[] | | Optional. Specifies the AAD group object IDs that will have admin role of the cluster. | -| `aadProfileManaged` | bool | True | | Optional. Specifies whether to enable managed AAD integration. | -| `aadProfileEnableAzureRBAC` | bool | True | | Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization. | -| `nodeResourceGroup` | string | concat(resourceGroup().name, '_aks_nodes') | | Optional. Name of the resource group containing agent pool nodes. | -| `aksClusterEnablePrivateCluster` | bool | False | | Optional. 
Specifies whether to create the cluster as a private cluster or not. | -| `primaryAgentPoolProfile` | array | | | Required. Properties of the primary agent pool. | -| `additionalAgentPools` | array | System.Object[] | | Optional. Define one or multiple node pools. | -| `httpApplicationRoutingEnabled` | bool | False | | Optional. Specifies whether the httpApplicationRouting add-on is enabled or not. | -| `aciConnectorLinuxEnabled` | bool | False | | Optional. Specifies whether the aciConnectorLinux add-on is enabled or not. | -| `azurePolicyEnabled` | bool | True | | Optional. Specifies whether the azurepolicy add-on is enabled or not. | -| `azurePolicyVersion` | string | v2 | | Optional. Specifies the azure policy version to use. | -| `kubeDashboardEnabled` | bool | False | | Optional. Specifies whether the kubeDashboard add-on is enabled or not. | -| `autoScalerProfileScanInterval` | string | 10s | | Optional. Specifies the scan interval of the auto-scaler of the AKS cluster. | -| `autoScalerProfileScaleDownDelayAfterAdd` | string | 10m | | Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster. | -| `autoScalerProfileScaleDownDelayAfterDelete` | string | 20s | | Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. | -| `autoScalerProfileScaleDownDelayAfterFailure` | string | 3m | | Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster. | -| `autoScalerProfileScaleDownUnneededTime` | string | 10m | | Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. | -| `autoScalerProfileScaleDownUnreadyTime` | string | 20m | | Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster. | -| `autoScalerProfileUtilizationThreshold` | string | 0.5 | | Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster. 
| -| `autoScalerProfileMaxGracefulTerminationSec` | string | 600 | | Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. | -| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. | -| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. | -| `omsAgentEnabled` | bool | True | | Optional. Specifies whether the OMS agent is enabled. | -| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogsRetentionInDays` | int | 365 | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | -| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `tags` | object | {} | | Optional. Tags of the resource. | - +| `aksServicePrincipalProfile` | object | `{object}` | | Optional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. 
| +| `autoScalerProfileMaxGracefulTerminationSec` | string | `600` | | Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterAdd` | string | `10m` | | Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterDelete` | string | `20s` | | Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownDelayAfterFailure` | string | `3m` | | Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownUnneededTime` | string | `10m` | | Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScaleDownUnreadyTime` | string | `20m` | | Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster. | +| `autoScalerProfileScanInterval` | string | `10s` | | Optional. Specifies the scan interval of the auto-scaler of the AKS cluster. | +| `autoScalerProfileUtilizationThreshold` | string | `0.5` | | Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster. | +| `azurePolicyEnabled` | bool | `True` | | Optional. Specifies whether the azurepolicy add-on is enabled or not. | +| `azurePolicyVersion` | string | `v2` | | Optional. Specifies the azure policy version to use. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `httpApplicationRoutingEnabled` | bool | | | Optional. Specifies whether the httpApplicationRouting add-on is enabled or not. | +| `identity` | object | `{object}` | | Optional. The identity of the managed cluster. | +| `kubeDashboardEnabled` | bool | | | Optional. Specifies whether the kubeDashboard add-on is enabled or not. | +| `location` | string | `[resourceGroup().location]` | | Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[kube-apiserver, kube-audit, kube-controller-manager, kube-scheduler, cluster-autoscaler]` | `[kube-apiserver, kube-audit, kube-controller-manager, kube-scheduler, cluster-autoscaler]` | Optional. The name of logs that will be streamed. | +| `managedOutboundIPCount` | int | | | Optional. Outbound IP Count for the Load balancer. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `nodeResourceGroup` | string | `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('aksClusterName'))]` | | Optional. Name of the resource group containing agent pool nodes. | +| `omsAgentEnabled` | bool | `True` | | Optional. Specifies whether the OMS agent is enabled. | +| `primaryAgentPoolProfile` | array | | | Required. Properties of the primary agent pool. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `tags` 
@@ -214,26 +214,18 @@ For available properties check https://docs.microsoft.com/en-us/azure/templates/ } ``` - ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `azureKubernetesServiceName` | string | The Name of the Azure Kubernetes Service. | -| `azureKubernetesServiceResourceGroup` | string | The name of the Resource Group the Azure Kubernetes Service was created in. | -| `azureKubernetesServiceResourceId` | string | The Resource Id of the Azure Kubernetes Service. | -| `controlPlaneFQDN` | string | The FQDN of the Azure Kubernetes Service. | - - -## Considerations - -- *None* - +| Output Name | Type | +| :-- | :-- | +| `azureKubernetesServiceName` | string | +| `azureKubernetesServiceResourceGroup` | string | +| `azureKubernetesServiceResourceId` | string | +| `controlPlaneFQDN` | string | -## Additional resources +## Template references -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [ManagedClusters](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2020-11-01/managedClusters) -- [ManagedClusters/providers/diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2017-05-01-preview/managedClusters/providers/diagnosticsettings) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Managedclusters](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2021-07-01/managedClusters) +- [Managedclusters/Agentpools](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2021-05-01/managedClusters/agentPools) +- 
[Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.DataFactory/factories/readme.md b/arm/Microsoft.DataFactory/factories/readme.md index 91552f7c96..0daff50cbd 100644 --- a/arm/Microsoft.DataFactory/factories/readme.md +++ b/arm/Microsoft.DataFactory/factories/readme.md 
@@ -1,57 +1,44 @@ -# DataFactory +# DataFactory `[Microsoft.DataFactory/factories]` ## Resource types -| Resource Type | Api Version | -|:--|:--| -| `Microsoft.Resources/deployments` | 2020-06-01 | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.DataFactory/factories` | 2018-06-01 | -| `Microsoft.DataFactory/factories/managedVirtualNetworks` | 2018-06-01 | | `Microsoft.DataFactory/factories/integrationRuntimes` | 2018-06-01 | +| `Microsoft.DataFactory/factories/managedVirtualNetworks` | 2018-06-01 | | `Microsoft.DataFactory/factories/providers/diagnosticsettings` | 2017-05-01-preview | | `Microsoft.DataFactory/factories/providers/roleAssignments` | 2020-04-01-preview | -| `providers/locks` | 2016-09-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | | `Microsoft.Network/privateEndpoints` | 2020-05-01 | - - -### Resource dependency - -The following resources are required to be able to deploy this resource. - -Only V2 is currently supported, not V1. - -If you enable git Repository the repository including branch has to exist beforehand. - +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | +| `providers/locks` | 2016-09-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `dataFactoryName` | string | Required. The name of the Azure Factory to create | | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `publicNetworkAccess` | bool | Optional. Enable or disable public network access. | true | | -| `gitConfigureLater` | bool | Optional. Boolean to define whether or not to configure git during template deployment. | true | | -| `gitRepoType` | string |Optional. Repo type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. 
| FactoryVSTSConfiguration | | -| `gitAccountName` | string | Optional. The account name. | "" | | -| `gitProjectName` | string | Optional. The project name. Only relevant for 'FactoryVSTSConfiguration'. | "" | | -| `gitRepositoryName` | string | Optional. The repository name. | "" | | -| `gitCollaborationBranch` | string | Optional. The collaboration branch name. Default is 'main'. | main | | -| `gitRootFolder` | string | Optional. The root folder path name. Default is '/'. | / | | -| `vNetEnabled` | bool | Optional. Enable or disable managed virtual networks and related to that AutoResolveIntegrationRuntime. | false | | -| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | service | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | | | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `tags` | object | Optional. Tags of the resource. | {} | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | - - +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `dataFactoryName` | string | | | Required. The name of the Azure Factory to create | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `gitAccountName` | string | | | Optional. The account name. | +| `gitCollaborationBranch` | string | `main` | | Optional. The collaboration branch name. Default is 'main'. | +| `gitConfigureLater` | bool | `True` | | Optional. Boolean to define whether or not to configure git during template deployment. | +| `gitProjectName` | string | | | Optional. The project name. Only relevant for 'FactoryVSTSConfiguration'. | +| `gitRepositoryName` | string | | | Optional. The repository name. | +| `gitRepoType` | string | `FactoryVSTSConfiguration` | | Optional. Repo type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. 
| +| `gitRootFolder` | string | `/` | | Optional. The root folder path name. Default is '/'. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lockForDeletion` | bool | | | Optional. Switch to lock resource from deletion. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `publicNetworkAccess` | bool | `True` | | Optional. Enable or disable public network access. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vNetEnabled` | bool | | | Optional. Enable or disable managed virtual networks and related to that AutoResolveIntegrationRuntime. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` @@ -138,7 +125,6 @@ To use Private Endpoint the following dependencies must be deployed: } ``` - ## Outputs | Output Name | Type | Description | 
@@ -147,16 +133,11 @@ To use Private Endpoint the following dependencies must be deployed: | `dataFactoryResourceGroup` | string | The name of the Resource Group with the Data factory | | `dataFactoryResourceId` | string | The Resource Id of the Data factory | -### References - -### Template references - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Data Factory]https://docs.microsoft.com/en-us/azure/templates/microsoft.datafactory/2018-06-01/factories) - -## Considerations - -## Additional resources +## Template references -- [Data Factory Resources](https://docs.microsoft.com/en-us/azure/templates/microsoft.datafactory/allversions) -- [Documentation](https://docs.microsoft.com/en-us/azure/data-factory/) +- [Factories](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories) +- [Factories/Integrationruntimes](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/integrationRuntimes) +- [Factories/Managedvirtualnetworks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataFactory/2018-06-01/factories/managedVirtualNetworks) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints/privateDnsZoneGroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/providers/2016-09-01/locks) diff --git a/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep b/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep index 91b00f462f..a0af0f300d 100644 --- a/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Databricks/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Databricks/workspaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Databricks/workspaces/deploy.bicep b/arm/Microsoft.Databricks/workspaces/deploy.bicep index 516460f009..01a0697100 100644 --- a/arm/Microsoft.Databricks/workspaces/deploy.bicep +++ b/arm/Microsoft.Databricks/workspaces/deploy.bicep 
@@ -52,89 +52,41 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'dbfs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'clusters' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'accounts' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'jobs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'notebook' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'ssh' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'workspace' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'secrets' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'sqlPermissions' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'instancePools' +@description('Optional. 
The name of logs that will be streamed.') +@allowed([ + 'dbfs' + 'clusters' + 'accounts' + 'jobs' + 'notebook' + 'ssh' + 'workspace' + 'secrets' + 'sqlPermissions' + 'instancePools' +]) +param logsToEnable array = [ + 'dbfs' + 'clusters' + 'accounts' + 'jobs' + 'notebook' + 'ssh' + 'workspace' + 'secrets' + 'sqlPermissions' + 'instancePools' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var managedResourceGroupName = '${workspaceName}-rg' var managedResourceGroupId_var = '${subscription().id}/resourceGroups/${managedResourceGroupName}' var builtInRoleNames = { @@ -189,7 +141,6 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@201 workspaceId: (empty(workspaceId) ? json('null') : workspaceId) eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: workspace diff --git a/arm/Microsoft.Databricks/workspaces/readme.md b/arm/Microsoft.Databricks/workspaces/readme.md index 8303127fb2..5818ff545c 100644 --- a/arm/Microsoft.Databricks/workspaces/readme.md +++ b/arm/Microsoft.Databricks/workspaces/readme.md 
@@ -1,41 +1,33 @@ -# Azure Databricks +# Azure Databricks `[Microsoft.Databricks/workspaces]` ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2020-06-01| -|`Microsoft.Databricks/workspaces`|2018-04-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Databricks/workspaces/providers/roleAssignments`|2020-04-01-preview| - - -### Resource dependency - -The following resources are required to be able to deploy this resource. +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Databricks/workspaces` | 2018-04-01 | +| `Microsoft.Databricks/workspaces/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `roleAssignments` | string | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `managedResourceGroupId` | string | Optional. The managed resource group Id | | | -| `pricingTier` | string | Optional. The pricing tier of workspace | premium | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `workspaceName` | string | Required. The name of the Azure Databricks workspace to create. | | | -| `workspaceParameters` | string | Optional. The workspace's custom parameters. | | | - - - +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. 
Specify the type of lock. | +| `logsToEnable` | array | `[dbfs, clusters, accounts, jobs, notebook, ssh, workspace, secrets, sqlPermissions, instancePools]` | `[dbfs, clusters, accounts, jobs, notebook, ssh, workspace, secrets, sqlPermissions, instancePools]` | Optional. The name of logs that will be streamed. | +| `managedResourceGroupId` | string | | | Optional. The managed resource group Id | +| `pricingTier` | string | `premium` | `[trial, standard, premium]` | Optional. The pricing tier of workspace | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `workspaceName` | string | | | Required. The name of the Azure Databricks workspace to create | +| `workspaceParameters` | object | `{object}` | | Optional. The workspace's custom parameters. | ### Parameter Usage: `roleAssignments` 
@@ -114,22 +106,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `databrickName` | string | The Name of the Azure Databricks | -| `databrickResourceGroup` | string | The name of the Resource Group with the Azure Databricks | -| `databrickResourceId` | string | The Resource Id of the Azure Databricks | - -### References - -### Template references - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2018-04-01/workspaces) - -## Considerations +| Output Name | Type | +| :-- | :-- | +| `databrickName` | string | +| `databrickResourceGroup` | string | +| `databrickResourceId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2018-04-01/workspaces) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep index 6fc60f3662..ea67523f15 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep 
@@ -28,6 +28,9 @@ resource applications_res 'Microsoft.DesktopVirtualization/applicationGroups/app } }] +@description('The list of the application resourceIds deployed.') output applicationResourceIds array = [for i in range(0, length(applications)): applications_res[i].id] +@description('The name of the Resource Group the AVD Applications were created in.') output applicationResourceGroup string = resourceGroup().name +@description('The Name of the Application Group to register the Application(s) in.') output appGroupName string = appGroupName diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json deleted file mode 100644 index fd4724ef9d..0000000000 --- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "applications": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. List of applications to be created in the Application Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "appGroupName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Application Group to create the application(s) in." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - } - }, - "variables": { - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/applicationGroups/applications", - "apiVersion": "2021-07-12", - "copy": { - "name": "appCopy", - "count": "[length(parameters('applications'))]" - }, - "name": "[concat(parameters('appGroupName'), '/', parameters('applications')[copyIndex()].name)]", - "location": "[parameters('location')]", - "properties": { - "description": "[parameters('applications')[copyIndex()].description]", - "friendlyName": "[parameters('applications')[copyIndex()].friendlyName]", - "filePath": "[parameters('applications')[copyIndex()].filePath]", - "commandLineSetting": "[parameters('applications')[copyIndex()].commandLineSetting]", - 
"commandLineArguments": "[parameters('applications')[copyIndex()].commandLineArguments]", - "showInPortal": "[parameters('applications')[copyIndex()].showInPortal]", - "iconPath": "[parameters('applications')[copyIndex()].iconPath]", - "iconIndex": "[parameters('applications')[copyIndex()].iconIndex]" - } - } - ], - "functions": [ - ], - "outputs": { - "applicationResourceIds": { - "type": "array", - "metadata": { - "description": "The list of the application resourceIds deployed." - }, - "copy": { - "count": "[length(parameters('applications'))]", - "input": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups/applications', parameters('appGroupName'), parameters('applications')[copyIndex()].name)]" - } - }, - "applicationResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the AVD Applications were created in." - } - }, - "appGroupName": { - "type": "string", - "value": "[parameters('appGroupName')]", - "metadata": { - "description": "The Name of the Application Group to register the Application(s) in." - } - } - } -} diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md index 4414a633a2..f7354c7a36 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md +++ b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md 
@@ -1,21 +1,20 @@ -# AVD Applications +# AVD Applications `[Microsoft.DesktopVirtualization/applicationGroupsResources/applications]` This module deploys AVD Applications. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.DesktopVirtualization/applicationGroups/applications`|2021-07-12| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.DesktopVirtualization/applicationGroups/applications` | 2021-07-12 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `appGroupName` | string | Required. Name of the Application Group to create the application(s) in. | | | -| `applications` | array | Required. List of applications to be created in the Application Group. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `appGroupName` | string | | | Required. Name of the Application Group to create the application(s) in. | +| `applications` | array | | | Required. List of applications to be created in the Application Group. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | ### Parameter Usage: `applications` 
@@ -54,14 +53,8 @@ This module deploys AVD Applications. | :-- | :-- | :-- | | `appGroupName` | string | The Name of the Application Group to register the Application(s) in. | | `applicationResourceGroup` | string | The name of the Resource Group the AVD Applications were created in. | -| `applicationResourceIds` | array | The list of the application resourceIds deployed. | +| `applicationResourceIds` | array | | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) -- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) -- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/applicationgroups/applications) +- [Applicationgroups/Applications](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2021-07-12/applicationGroups/applications) diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep index 51d0a975a5..65d41d5714 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep index 5d480014dd..eb2294b202 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep 
@@ -55,33 +55,26 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'Checkpoint' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Error' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Management' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Checkpoint' + 'Error' + 'Management' +]) +param logsToEnable array = [ + 'Checkpoint' + 'Error' + 'Management' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -139,7 +132,6 @@ resource appGroup_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017 workspaceId: (empty(workspaceId) ? json('null') : workspaceId) eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: appGroup 
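Review bot: in the second hunk of the `applications` readme (`@@ -54,14`), the `applicationResourceIds` output loses its description ("The list of the application resourceIds deployed.") and the table is left with an empty cell. A generated table should carry the output's description rather than drop it, so either restore the text or have the generator read it from the output's `@description` in the Bicep file.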
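Review bot: the rewritten resource declaration in `applicationgroups/.bicep/nested_rbac.bicep` keeps the misspelled symbolic name `roleAssigment`; since the line is being touched for the API version bump anyway, renaming it to `roleAssignment` costs nothing. The same applies to the identical hunk in `hostpools/.bicep/nested_rbac.bicep`.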
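Review bot: in the `applicationgroups/deploy.bicep` hunk, `logsToEnable` accepts an empty array, and now that `diagnosticsMetrics` and the `metrics` property are gone, an empty list yields a diagnostic setting that has a destination (`workspaceId`, `eventHubName`, ...) but neither logs nor metrics, i.e. a sink that silently collects nothing. Add `@minLength(1)` to the parameter, or fold `empty(logsToEnable)` into the existing `empty(...)` condition so that no setting is created in that case. The `@description` should also read 'The names of the log categories to enable' rather than 'The name of logs that will be streamed'.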
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json deleted file mode 100644 index 3643b138d6..0000000000 --- a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json +++ /dev/null 
@@ -1,320 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "appGroupName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Application Group to create this application in." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "appGroupType": { - "allowedValues": [ - "RemoteApp", - "Desktop" - ], - "type": "string", - "metadata": { - "description": "Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop" - } - }, - "hostpoolName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Host Pool to be linked to this Application Group." - } - }, - "appGroupFriendlyName": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The friendly name of the Application Group to be created." - } - }, - "appGroupDescription": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The description of the Application Group to be created." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Resource from deletion." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "diagnosticsMetrics": [ - ], - "diagnosticsLogs": [ - { - "category": "Checkpoint", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Error", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Management", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization Workspace Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/applicationgroups", - "apiVersion": "2021-07-12", - "name": "[parameters('appGroupName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "hostpoolarmpath": "[resourceId('Microsoft.DesktopVirtualization/hostpools/', parameters('hostpoolName'))]", - "friendlyName": "[parameters('appGroupFriendlyName')]", - "description": "[parameters('appGroupDescription')]", - "applicationGroupType": "[parameters('appGroupType')]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/hostPoolDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/applicationgroups/', parameters('appGroupName'))]" - ], - "comments": "Resource lock on the AVD Workspace", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.DesktopVirtualization/applicationgroups/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('appGroupName'), '/Microsoft.Insights/service')]", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/applicationgroups/', parameters('appGroupName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), 
json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('appGroupName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "appGroupName": { - "value": "[parameters('appGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "appGroupName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('appGroupName'), '/Microsoft.Authorization/', guid(parameters('appGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], 
parameters('roleAssignment').roleDefinitionIdOrName ))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "appGroupResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('appGroupName'))]", - "metadata": { - "description": "The Resource ID of the Application Group deployed." - } - }, - "appGroupResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the AVD Application Group was created in." - } - }, - "appGroupName": { - "type": "string", - "value": "[parameters('appGroupName')]", - "metadata": { - "description": "The Name of the Application Group." - } - } - } -} diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md index 707a1e0957..3402f76722 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md +++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md 
@@ -1,36 +1,36 @@ -# AVD Application Groups +# AVD Application Groups `[Microsoft.DesktopVirtualization/applicationgroups]` This module deploys AVD Application Groups, with resource lock and diagnostics configuration. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.DesktopVirtualization/applicationgroups`|2021-07-12| -|`providers/locks`|2016-09-01| -|`Microsoft.DesktopVirtualization/applicationgroups/providers/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments`|2020-04-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.DesktopVirtualization/applicationGroups` | 2021-07-12 | +| `Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `appGroupDescription` | string | Optional. The description of the Application Group to be created. | | | -| `appGroupFriendlyName` | string | Optional. The friendly name of the Application Group to be created. | | | -| `appGroupName` | string | Required. Name of the Application Group to create this application in. | | | -| `appGroupType` | string | Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop | | System.Object[] | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. 
Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `hostpoolName` | string | Required. Name of the Host Pool to be linked to this Application Group. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `appGroupDescription` | string | | | Optional. The description of the Application Group to be created. | +| `appGroupFriendlyName` | string | | | Optional. The friendly name of the Application Group to be created. | +| `appGroupName` | string | | | Required. Name of the Application Group to create this application in. | +| `appGroupType` | string | | `[RemoteApp, Desktop]` | Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `hostpoolName` | string | | | Required. Name of the Host Pool to be linked to this Application Group. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[Checkpoint, Error, Management]` | `[Checkpoint, Error, Management]` | Optional. The name of logs that will be streamed. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
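Review bot: in the first hunk of the `applicationgroups` readme, the Resource types table mixes `Microsoft.DesktopVirtualization/applicationGroups` with `Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments`; the casing should be normalised to the provider's `applicationGroups` so the two rows visibly belong to the same resource. The `tags` default is rendered as the placeholder `{object}` while `roleAssignments` renders as `[]`, so the generator should emit `{}` for an empty object default, and the `logsToEnable` description should say 'The names of the log categories to enable'.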
@@ -80,19 +80,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `appGroupName` | string | The Name of the Application Group. | -| `appGroupResourceGroup` | string | The name of the Resource Group the AVD Application Group was created in. | -| `appGroupResourceId` | string | The Resource ID of the Application Group deployed. | +| Output Name | Type | +| :-- | :-- | +| `appGroupName` | string | +| `appGroupResourceGroup` | string | +| `appGroupResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) -- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/applicationgroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Applicationgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2021-07-12/applicationGroups) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep index 0a0800f015..d742837503 100644 --- a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep index ee103234f3..570a8f9819 100644 --- a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep 
@@ -100,57 +100,33 @@ param validationEnvironment bool = false @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'Checkpoint' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Error' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Management' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Connection' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'HostRegistration' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AgentHealthStatus' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Checkpoint' + 'Error' + 'Management' + 'Connection' + 'HostRegistration' + 'AgentHealthStatus' +]) +param logsToEnable array = [ + 'Checkpoint' + 'Error' + 'Management' + 'Connection' + 'HostRegistration' + 'AgentHealthStatus' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var tokenExpirationTime = dateTimeAdd(baseTime, tokenValidityLength) var builtInRoleNames = { 
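Review bot: in the `@@ -80,19` hunk of the `applicationgroups` readme, the new `Template references` list drops the `Use tags to organize your Azure resources` link even though the tags Parameter Usage section it backed is still in the file (the context line `Tag names and tag values can be provided as needed...` sits right above the hunk); keep that link or move it into the Parameter Usage section. The Outputs table also loses its Description column entirely, so the three outputs are now undocumented.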
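Review bot: in the `hostpools/deploy.bicep` hunk, the new `logsToEnable` parameter has the same shape as in the application group module, so the same empty-array concern applies (a destination with no logs and no metrics once `diagnosticsMetrics` is gone). Beyond that, the description 'The name of logs that will be streamed.' should read 'The names of the log categories to enable', and the extra blank line added after `}]` is not present in the application group module, so the two files are now styled differently.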
@@ -224,7 +200,6 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017 workspaceId: (empty(workspaceId) ? json('null') : workspaceId) eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: hostPool diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json deleted file mode 100644 index 5ee877de45..0000000000 --- a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json +++ /dev/null 
@@ -1,462 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "hostPoolName": { - "type": "string", - "minLength": 1, - "metadata": { - "description": "Required. Name of the Host Pool" - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "hostpoolFriendlyName": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The friendly name of the Host Pool to be created." - } - }, - "hostpoolDescription": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The description of the Host Pool to be created." - } - }, - "hostpoolType": { - "defaultValue": "Pooled", - "allowedValues": [ - "Personal", - "Pooled" - ], - "type": "string", - "metadata": { - "description": "Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled." - } - }, - "personalDesktopAssignmentType": { - "defaultValue": "", - "allowedValues": [ - "Automatic", - "Direct", - "" - ], - "type": "string", - "metadata": { - "description": "Optional. Set the type of assignment for a Personal Host Pool type" - } - }, - "loadBalancerType": { - "defaultValue": "BreadthFirst", - "allowedValues": [ - "BreadthFirst", - "DepthFirst", - "Persistent" - ], - "type": "string", - "metadata": { - "description": "Optional. Type of load balancer algorithm." - } - }, - "maxSessionLimit": { - "defaultValue": 99999, - "type": "int", - "metadata": { - "description": "Optional. Maximum number of sessions." 
- } - }, - "customRdpProperty": { - "defaultValue": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;", - "type": "string", - "metadata": { - "description": "Optional. Host Pool RDP properties" - } - }, - "validationEnviroment": { - "defaultValue": false, - "type": "bool", - "metadata": { - "description": "Optional. Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment." - } - }, - "vmTemplate": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. The necessary information for adding more VMs to this Host Pool." - } - }, - "tokenValidityLength": { - "defaultValue": "PT8H", - "type": "string", - "metadata": { - "description": "Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours." - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a registration token." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." 
- } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "preferredAppGroupType": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Desktop", - "None", - "RailApplications" - ], - "metadata": { - "description": "Optional. The type of preferred application group type, default to Desktop Application Group." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Resource from deletion." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - }, - "startVMOnConnect": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs." - } - }, - "validationEnvironment": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Validation host pool allows you to test service changes before they are deployed to production." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - } - }, - "variables": { - "diagnosticsMetrics": [ - ], - "diagnosticsLogs": [ - { - "category": "Checkpoint", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Error", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Management", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Connection", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "HostRegistration", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "AgentHealthStatus", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]", - "builtInRoleNames": { - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Application Group Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/hostpools", - "apiVersion": "2021-07-12", - "name": "[parameters('hostpoolName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "friendlyName": "[parameters('hostpoolFriendlyName')]", - "description": "[parameters('hostpoolDescription')]", - "hostpoolType": "[parameters('hostpoolType')]", - "customRdpProperty": "[parameters('customRdpProperty')]", - "personalDesktopAssignmentType": "[parameters('personalDesktopAssignmentType')]", - "maxSessionLimit": "[parameters('maxSessionLimit')]", - "loadBalancerType": "[parameters('loadBalancerType')]", - "preferredAppGroupType": "[parameters('preferredAppGroupType')]", - "validationEnviroment": 
"[parameters('validationEnviroment')]", - "startVMOnConnect": "[parameters('startVMOnConnect')]", - "validationEnvironment": "[parameters('validationEnvironment')]", - "registrationInfo": { - "expirationTime": "[variables('tokenExpirationTime')]", - "token": null, - "registrationTokenOperation": "Update" - // "resetToken": false - }, - "vmTemplate": "[if(not(empty(parameters('vmTemplate'))), json('null'),string(parameters('vmTemplate')))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/hostPoolDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/hostpools/', parameters('hostPoolName'))]" - ], - "comments": "Resource lock on Host Pool", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('hostPoolName'), '/Microsoft.Insights/diagnosticsetting')]", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/hostpools/', parameters('hostPoolName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), 
empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('hostPoolName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "hostPoolName": { - "value": "[parameters('hostPoolName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "hostPoolName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('hostPoolName'), '/Microsoft.Authorization/', guid(parameters('hostPoolName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": 
"[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "hostPoolResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.DesktopVirtualization/hostpools', parameters('hostPoolName'))]", - "metadata": { - "description": "The Resource Id of the Host Pool." - } - }, - "hostPoolResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the Host Pool was created in." - } - }, - "hostPoolName": { - "type": "string", - "value": "[parameters('hostPoolName')]", - "metadata": { - "description": "The Name of the Host Pool." - } - }, - "tokenExpirationTime": { - "type": "string", - "value": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]", - "metadata": { - "description": "The expiration time of the Host Pool registration token." - } - }, - "hostpoolToken": { - "type": "string", - "value": "[reference(parameters('hostpoolName')).registrationInfo.token]", - "metadata": { - "description": "The token that has to be used to register a VM to the Host Pool." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md index d992906aa7..6441aa410d 100644 --- a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md +++ b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md 
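Review bot: In the deleted hostpools `deploy.json` the `vmTemplate` property was computed as `[if(not(empty(parameters('vmTemplate'))), json('null'), string(parameters('vmTemplate')))]`, which yields `null` exactly when a template object was supplied and the stringified empty object otherwise, and the same file declared both `validationEnviroment` and `validationEnvironment` as parameters and properties. Removing the ARM file is fine, but the regenerated readme later in this patch still lists both spellings, so please confirm the replacing hostpools `deploy.bicep` uses `empty(vmTemplate) ? json('null') : string(vmTemplate)` and keeps only the correctly spelled parameter rather than carrying both over.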
@@ -1,49 +1,47 @@ -# AVD HostPools +# AVD HostPools `[Microsoft.DesktopVirtualization/hostpools]` This module deploys AVD Host Pools, with resource lock and diagnostics configuration. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.DesktopVirtualization/hostpools`|2021-07-12| -|`Microsoft.DesktopVirtualization/hostpools/providers/diagnosticsettings`|2017-05-01-preview| -|`providers/locks`|2016-09-01| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments`|2018-09-01-preview| - - +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.DesktopVirtualization/hostPools` | 2021-07-12 | +| `Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `hostPoolName` | string | | | Required. Name of the Host Pool -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `hostpoolFriendlyName` | string | "" | | Optional. The friendly name of the Host Pool to be created. -| `hostpoolDescription` | string | "" | | Optional. The description of the Host Pool to be created. -| `hostpoolType` | string | `Pooled` | "Personal", "Pooled" | Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. -| `personalDesktopAssignmentType` | string | "" | "Automatic", "Direct", "" | Optional. Set the type of assignment for a Personal Host Pool type -| `loadBalancerType` | string | `true` | "BreadthFirst", "DepthFirst", "Persistent" | Optional. Type of load balancer algorithm. -| `maxSessionLimit` | int | `99999` | | Optional. Maximum number of sessions. 
| -| `customRdpProperty` | string | `audiocapturemode:i:1; audiomode:i:0; drivestoredirect:s:; redirectclipboard:i:1; redirectcomports:i:1; redirectprinters:i:1; redirectsmartcards:i:1; screen mode id:i:2;` | [Supported Remote desktop RDP file settings](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files?context=/azure/virtual-desktop/context/context) | Optional. Host Pool RDP properties -| `validationEnviroment` | bool | `false` | | Optional. Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment. -| `preferredAppGroupType` | string | 'None' | ['Desktop'|'None'|'RailApplications'] | Optional. The type of preferred application group type, default to Desktop Application Group -| `vmTemplate` | object | {} | Complex structure, see below. | Optional. The necessary information for adding more VMs to this Host Pool -| `tokenValidityLength` | string | `PT8H` | Duration in ISO 8601 format. E.g. PT8H, P1Y, P5D | Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. -| `baseTime` | string | `utcNow('u')` | | Generated. Do not provide a value! This date value is used to generate a registration token. -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. -| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. -| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. -| `eventHubAuthorizationRuleId` | string | "" | | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered -| `startVMOnConnect` | bool | `false` | | Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs -| `validationEnvironment` | bool | `false` | | Optional. Validation host pool allows you to test service changes before they are deployed to production +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a registration token. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `customRdpProperty` | string | `audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;` | | Optional. Host Pool RDP properties | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `hostpoolDescription` | string | | | Optional. The description of the Host Pool to be created. | +| `hostpoolFriendlyName` | string | | | Optional. The friendly name of the Host Pool to be created. | +| `hostPoolName` | string | | | Required. Name of the Host Pool | +| `hostpoolType` | string | `Pooled` | `[Personal, Pooled]` | Optional. Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | +| `loadBalancerType` | string | `BreadthFirst` | `[BreadthFirst, DepthFirst, Persistent]` | Optional. Type of load balancer algorithm. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[Checkpoint, Error, Management, Connection, HostRegistration, AgentHealthStatus]` | `[Checkpoint, Error, Management, Connection, HostRegistration, AgentHealthStatus]` | Optional. The name of logs that will be streamed. 
| +| `maxSessionLimit` | int | `99999` | | Optional. Maximum number of sessions. | +| `personalDesktopAssignmentType` | string | | `[Automatic, Direct, ]` | Optional. Set the type of assignment for a Personal Host Pool type | +| `preferredAppGroupType` | string | `None` | `[Desktop, None, RailApplications]` | Optional. The type of preferred application group type, default to Desktop Application Group | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `startVMOnConnect` | bool | | | Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `tokenValidityLength` | string | `PT8H` | | Optional. Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | +| `validationEnviroment` | bool | | | Optional. Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment. | +| `validationEnvironment` | bool | | | Optional. Validation host pool allows you to test service changes before they are deployed to production. | +| `vmTemplate` | object | `{object}` | | Optional. The necessary information for adding more VMs to this Host Pool. | +| `workspaceId` | string | | | Optional. 
Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` @@ -127,21 +125,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `hostPoolName` | string | The Name of the Host Pool. | -| `hostPoolResourceGroup` | string | The name of the Resource Group the Host Pool was created in. | -| `hostPoolResourceId` | string | The Resource Id of the Host Pool. | -| `hostpoolToken` | string | The token that has to be used to register a VM to the Host Pool. | -| `tokenExpirationTime` | string | The expiration time of the Host Pool registration token. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `hostPoolName` | string | +| `hostPoolResourceGroup` | string | +| `hostPoolResourceId` | string | +| `hostpoolToken` | string | +| `tokenExpirationTime` | string | -## Additional resources +## Template references -- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) -- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/hostpools) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Hostpools](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2021-07-12/hostPools) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep index c829a33eb0..791f10cfac 100644 
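Review bot: The regenerated parameter table in the `@@ -1,49 +1,47 @@` hunk still documents both `validationEnviroment` (misspelled, and with the "Ddefaults" typo in its description) and `validationEnvironment`, and `preferredAppGroupType` is described as "default to Desktop Application Group" while its default value is `None`. Since this table is generated from the module, fix the parameter name and the two descriptions in the hostpools `deploy.bicep` and regenerate, rather than patching the readme by hand.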
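Review bot: The `@@ -127,21 +125,16 @@` hunk drops the Description column from the Outputs table, so `hostpoolToken` is now a bare `string` with nothing saying it is the host pool registration token. Keep the descriptions, and state that this output is a credential: ARM deployment outputs are stored with the deployment and readable by anyone who can read the deployment, so the token should be consumed immediately and `tokenValidityLength` kept short. In the same hunk the new Template references list has no entry for `Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments`, although it is listed in the Resource types table above.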
--- a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep index d5de32aa9c..7b11d3f647 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep 
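Review bot: The resource symbolic name `roleAssigment` on the line changed for the API version bump is missing an "n"; since the line is being touched anyway, rename it to `roleAssignment` now. The deployed resource name comes from the `name:` property, so nothing else in the module changes.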
@@ -47,41 +47,28 @@ param cuaId string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'Checkpoint' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Error' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Management' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'Feed' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Checkpoint' + 'Error' + 'Management' + 'Feed' +]) +param logsToEnable array = [ + 'Checkpoint' + 'Error' + 'Management' + 'Feed' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
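Review bot: `param logsToEnable array` accepts an empty array, in which case `diagnosticsLogs` becomes `[]` and the diagnostic setting is deployed with no log categories (and, after this patch, no `metrics` either), silently turning off collection for the workspace. Add `@minLength(1)` to the parameter, or have the logs expression return `json('null')` when the list is empty, so a misconfiguration fails at validation instead of producing an empty setting. Minor: the `@allowed([...])` list and the default value repeat the same four categories, so a new category must be added in two places.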
@@ -136,7 +123,6 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@201 workspaceId: (empty(workspaceId) ? json('null') : workspaceId) eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: workspace diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json deleted file mode 100644 index e2bf8d7a3c..0000000000 --- a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json +++ /dev/null 
@@ -1,315 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "workSpaceName": { - "type": "String", - "metadata": { - "description": "Required. The name of the workspace to be attach to new Application Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "appGroupResourceIds": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Required. Resource IDs fo the existing Application groups this workspace will group together." - } - }, - "workspaceFriendlyName": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The friendly name of the Workspace to be created." - } - }, - "workspaceDescription": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Optional. The description of the Workspace to be created." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." 
- } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Resource from deletion." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - } - }, - "variables": { - "diagnosticsMetrics": [ - ], - "diagnosticsLogs": [ - { - "category": "Checkpoint", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Error", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Management", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "Feed", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics 
Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.DesktopVirtualization/workspaces", - "apiVersion": "2021-07-12", - "name": "[parameters('workSpaceName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "applicationGroupReferences": "[parameters('appGroupResourceIds')]", - "description": "[parameters('workspaceDescription')]", - "friendlyName": "[parameters('workspaceFriendlyName')]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/hostPoolDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/workspaces/', parameters('workSpaceName'))]" - ], - "comments": "Resource lock on the AVD Workspace", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('workSpaceName'), '/Microsoft.Insights/service')]", - 
"location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.DesktopVirtualization/workspaces/', parameters('workSpaceName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('workspaceName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - 
"workspaceName": { - "value": "[parameters('workspaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "workspaceName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('workspaceName'), '/Microsoft.Authorization/', guid(parameters('workspaceName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "workspaceResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('workSpaceName'))]", - "metadata": { - "description": "The Resource Id of the AVD Workspace." - } - }, - "workspaceResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the AVD Workspace was created in." - } - }, - "workspaceName": { - "type": "string", - "value": "[parameters('workSpaceName')]", - "metadata": { - "description": "The Name of the Workspace." - } - } - } -} 
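Review bot: with this deploy.json deleted, the `condition` on the `diagnosticsettings` resource (`or(not(empty(parameters('diagnosticStorageAccountId'))), ...)`) and the `if(empty(...), json('null'), ...)` guards on its `storageAccountId`/`workspaceId`/`eventHubAuthorizationRuleId`/`eventHubName` properties were the only place this module expressed "create the diagnostic setting only when at least one destination is supplied"; please confirm the bicep replacement keeps that guard, since the readme hunk in this patch still documents all four destination parameters as optional with empty defaults. Nothing else needs porting: the deleted template was already out of sync with the readme (a `lockForDeletion` bool here versus the `lock` enum in the old readme table, and a lock named `hostPoolDoNotDelete` on a workspace resource).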
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md index 4eaee9aceb..dd067dea4a 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md +++ b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md 
@@ -1,37 +1,35 @@ -# AVD Workspaces +# AVD Workspaces `[Microsoft.DesktopVirtualization/workspaces]` This module deploys AVD Workspaces, with resource lock and diagnostic configuration. - - ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.DesktopVirtualization/workspaces`|2021-07-12| -|`Microsoft.DesktopVirtualization/workspaces/providers/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Resources/deployments`|2018-02-01| -|`providers/locks`|2016-09-01| -|`Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.DesktopVirtualization/workspaces` | 2021-07-12 | +| `Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `appGroupResourceIds` | array | Required. Resource IDs fo the existing Application groups this workspace will group together. | System.Object[] | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceDescription` | string | Optional. The description of the Workspace to be created. | | | -| `workspaceFriendlyName` | string | Optional. The friendly name of the Workspace to be created. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `workSpaceName` | String | Required. The name of the workspace to be attach to new Application Group. | | | +| `appGroupResourceIds` | array | `[]` | | Required. Resource IDs fo the existing Application groups this workspace will group together. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[Checkpoint, Error, Management, Feed]` | `[Checkpoint, Error, Management, Feed]` | Optional. The name of logs that will be streamed. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceDescription` | string | | | Optional. The description of the Workspace to be created. | +| `workspaceFriendlyName` | string | | | Optional. The friendly name of the Workspace to be created. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `workSpaceName` | string | | | Required. The name of the workspace to be attach to new Application Group. | ### Parameter Usage: `roleAssignments` 
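Review bot: the parameter descriptions in the regenerated table still carry the typos from the source decorators ("Resource IDs fo the existing", "it's fully qualified ID", "to be attach to new Application Group"), and `workSpaceName` is the only parameter name with a capital S; if this table is generated from the module's bicep file, fix them in the `@description` decorators rather than in the markdown, or the next refresh brings them back. The new `logsToEnable` row shows the same list as both default and allowed values; a one-line note that passing a shorter list removes those categories from the diagnostic setting would help readers who take the default as a floor rather than a ceiling.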
@@ -81,19 +79,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `workspaceName` | string | The Name of the Workspace. | -| `workspaceResourceGroup` | string | The name of the Resource Group the AVD Workspace was created in. | -| `workspaceResourceId` | string | The Resource Id of the AVD Workspace. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `workspaceName` | string | +| `workspaceResourceGroup` | string | +| `workspaceResourceId` | string | -## Additional resources +## Template references -- [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview) -- [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/workspaces) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2021-07-12/workspaces) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep index 322642b0ca..29ca1a09f0 100644 --- a/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep 
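Review bot: the new Outputs table drops the Description column the old one had ("The Resource Id of the AVD Workspace", etc.), so the readme now documents less than before; the eventgrid deploy.bicep hunk later in this patch adds `@description` decorators to its outputs, so the generator could emit that column from them instead of omitting it. Removing `## Considerations` is fine since it was `*N/A*`, but the "Use tags to organize your Azure resources" link dropped from Additional resources has no counterpart among the new Template references entries; either keep it or move it to the `tags` parameter usage section.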
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { diff --git a/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep b/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep index f6ae25c88a..755172e5f1 100644 --- a/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep 
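Review bot: after these two hunks the parent `privateEndpoints` resource is on `2021-05-01` while the child `privateDnsZoneGroups` is on `2021-02-01`; if the intent is to align API versions, both should move to the same version, otherwise add a short comment on the child resource explaining why they differ, so the next "update API versions" pass does not silently change it. Style point on the unchanged context line: the `json('null')` branches in the `customDnsConfigs` ternary can be written as the Bicep literal `null`.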
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.EventGrid/topics/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.EventGrid/topics/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.EventGrid/topics/deploy.bicep b/arm/Microsoft.EventGrid/topics/deploy.bicep index b09f560c95..68068e8bfb 100644 --- a/arm/Microsoft.EventGrid/topics/deploy.bicep +++ b/arm/Microsoft.EventGrid/topics/deploy.bicep 
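Review bot: the symbolic name `roleAssigment` (missing "n") sits on the changed line, so this version bump is a cheap opportunity to rename it to `roleAssignment`. Also visible in the context `roleDefinitionId` expression: a `roleDefinitionIdOrName` value that is not a key of `builtInRoleNames` is passed through verbatim as the role definition ID, so a misspelled display name only fails at deployment time with an unhelpful error; worth stating in the parameter description which display names are accepted.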
@@ -50,35 +50,43 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'DeliveryFailures' + 'PublishFailures' +]) +param logsToEnable array = [ + 'DeliveryFailures' + 'PublishFailures' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' ] -var diagnosticsLogs = [ - { - category: 'DeliveryFailures' + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'PublishFailures' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
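Review bot: `logsToEnable` and `metricsToEnable` get `@allowed` lists but no lower bound, and the new `[for log in logsToEnable: ...]` / `[for metric in metricsToEnable: ...]` comprehensions yield empty `logs`/`metrics` arrays for `[]`; the outcome is a diagnostic setting that exists but streams nothing, which is easy to overlook when reviewing a parameter file. Add `@minLength(1)` to both parameters, or state in the `@description` that an empty list disables that stream, so that switching off `DeliveryFailures`/`PublishFailures` logging on a topic is an explicit choice rather than a side effect of an empty array.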
@@ -152,6 +160,9 @@ module eventGrid_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index } }] -output eventGrid string = eventGrid.name +@description('The Name of the Event Grid Topic') +output eventGridName string = eventGrid.name +@description('The Resource Id of the Event Grid') output eventGridResourceId string = eventGrid.id +@description('The name of the Resource Group with the Event Grid') output eventGridResourceGroup string = resourceGroup().name diff --git a/arm/Microsoft.EventGrid/topics/deploy.json b/arm/Microsoft.EventGrid/topics/deploy.json deleted file mode 100644 index ac64fec1da..0000000000 --- a/arm/Microsoft.EventGrid/topics/deploy.json +++ /dev/null 
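Review bot: renaming the output `eventGrid` to `eventGridName` is a breaking change for any consumer reading `outputs.eventGrid`, so it should be called out in the commit/PR description and in the module readme rather than only in the diff. The three new `@description` strings also name the resource three different ways ("Event Grid Topic", "Event Grid", "the Event Grid"); pick one wording for all three.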
@@ -1,575 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "eventGridTopicName": { - "type": "string", - "metadata": { - "description": "Required. The name of the Event Grid Topic" - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "publicNetworkAccess": { - "type": "string", - "defaultValue": "Enabled", - "metadata": { - "description": "Optional. Determines if traffic is allowed over public network." - } - }, - "inboundIpRules": { - "defaultValue":[], - "type": "array", - "metadata": { - "description": "Optional. Array of IPs to whitelist." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." 
- } - }, - "privateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration Details for private endpoints." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Event Grid from deletion." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "eventGridName": "[parameters('eventGridTopicName')]", - "eventGridResourceId": "[resourceId('Microsoft.EventGrid/topics',variables('eventGridName'))]", - "eventGridApiVersion": "[providers('Microsoft.EventGrid','topics').apiVersions[0]]", - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogs": [ - { - "category": "DeliveryFailures", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "PublishFailures", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus 
Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive 
Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", 
- "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors 
Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - 
"condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.EventGrid/topics", - "apiVersion": "2020-06-01", - "name": "[variables('eventGridName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "publicNetworkAccess": "[parameters('publicNetworkAccess')]", - "inboundIpRules": "[if(empty(parameters('inboundIpRules')), json('null'), parameters('inboundIpRules'))]" - }, - "resources":[ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/eventGridTopicDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.EventGrid/topics/', parameters('eventGridTopicName'))]" - ], - "comments": "Resource lock on the Event Grid Topic", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.EventGrid/topics/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('eventGridTopicName'), '/Microsoft.Insights/service')]", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.EventGrid/topics/', variables('eventGridName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - 
"eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - // Private Endpoints - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat(uniqueString(deployment().name, parameters('location')), '-EventGrid-PrivateEndpoints','-',copyIndex())]", - "condition": "[not(empty(parameters('privateEndpoints')))]", - "dependsOn": [ - "[variables('eventGridName')]" - ], - "copy": { - "name": "privateEndpointsCopy", - "count": "[length(parameters('privateEndpoints'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "privateEndpointResourceId": { - "value": "[resourceId('Microsoft.EventGrid/topics', variables('eventGridName'))]" - }, - "privateEndpointVnetLocation": { - "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" - }, - "privateEndpoint": { - "value": "[parameters('privateEndpoints')[copyIndex()]]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "privateEndpointResourceId": { 
- "type": "string" - }, - "privateEndpointVnetLocation": { - "type": "string" - }, - "privateEndpoint": { - "type": "object" - }, - "tags": { - "type": "object" - } - }, - "variables": { - "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", - "privateEndpoint": { - "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", - "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", - "service": [ - "[parameters('privateEndpoint').service]" - ], - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", - "name": "[variables('privateEndpoint').name]", - "location": "[parameters('privateEndpointVnetLocation')]", - "tags": "[parameters('tags')]", - "properties": { - "privateLinkServiceConnections": [ - { - "name": "[variables('privateEndpoint').name]", - "properties": { - "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", - "groupIds": "[variables('privateEndpoint').service]" - } - } - ], - "manualPrivateLinkServiceConnections": [], - "subnet": { - "id": "[variables('privateEndpoint').subnetResourceId]" - }, - "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" - } - }, - { - "type": 
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-05-01", - "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", - "name": "[concat(variables('privateEndpoint').name, '/default')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" - ], - "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", - "input": { - "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", - "properties": { - "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - } - } - ] - } - } - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('eventGridTopicName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "eventGridTopicName": { - "value": "[parameters('eventGridTopicName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "eventGridTopicName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.EventGrid/topics/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": 
"[concat(parameters('eventGridTopicName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('eventGridTopicName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "eventGridName": { - "type": "string", - "value": "[variables('eventGridName')]", - "metadata": { - "description": "The Name of the Event Grid Topic" - } - }, - "eventGridResourceId": { - "type": "string", - "value": "[variables('eventGridResourceId')]", - "metadata": { - "description": "The Resource Id of the Event Grid" - } - }, - "eventGridResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group with the Event Grid" - } - } - } -} diff --git a/arm/Microsoft.EventGrid/topics/readme.md b/arm/Microsoft.EventGrid/topics/readme.md index e34ee92feb..935c11de94 100644 --- a/arm/Microsoft.EventGrid/topics/readme.md +++ b/arm/Microsoft.EventGrid/topics/readme.md @@ -1,4 +1,4 @@ -# Event Grid +# Event Grid `[Microsoft.EventGrid/topics]` This module deploys Event Grid 
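Review bot: the deleted template resolved role names through a `builtInRoleNames` map that hard-codes subscription-scoped paths (`concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '<guid>')`), while the readme documents the fully qualified form as `/providers/Microsoft.Authorization/roleDefinitions/<guid>`; built-in role definitions are tenant-wide, so the replacement `nested_rbac.bicep` should emit one consistent form (`subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<guid>')` or the tenant-level path) and the readme should state whichever is used. Two smaller defects in the removed file are worth confirming as fixed rather than carried over: the lock was gated on `parameters('lockForDeletion')` and its `dependsOn` used `parameters('eventGridTopicName')` while every other child resource used `variables('eventGridName')`, and the diagnostic settings condition treated a non-empty `eventHubName` on its own as sufficient, which is not a usable sink without `eventHubAuthorizationRuleId`.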
@@ -6,33 +6,33 @@ This module deploys Event Grid | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.EventGrid/topics/providers/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.EventGrid/topics/providers/roleAssignments` | 2018-09-01-preview | -| `Microsoft.EventGrid/topics` | [variables('eventGridApiVersion')] | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `providers/locks` | 2016-09-01 | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.EventGrid/topics` | 2020-06-01 | +| `Microsoft.EventGrid/topics/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventGridTopicName` | string | Required. The name of the Event Grid Topic | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| | | -| `inboundIpRules` | array | Optional. Array of IPs to whitelist. | System.Object[] | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `publicNetworkAccess` | string | | Enabled | | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | - +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventGridTopicName` | string | | | Required. The name of the Event Grid Topic | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `inboundIpRules` | array | `[]` | | Optional. Array of IPs to whitelist. 
| +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[DeliveryFailures, PublishFailures]` | `[DeliveryFailures, PublishFailures]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `Enabled` | | Optional. Determines if traffic is allowed over public network. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `privateEndpoints` 
@@ -120,16 +120,10 @@ Tag names and tag values can be provided as needed. A tag can be left without a | `eventGridResourceGroup` | string | The name of the Resource Group with the Event Grid | | `eventGridResourceId` | string | The Resource Id of the Event Grid | -### Scripts - -- There are no Scripts for this Module. - -## Considerations - -- There are no deployment considerations for this Module. - -## Additional resources +## Template references -- [What is Event Grid](https://docs.microsoft.com/en-us/azure/event-grid/overview) -- [Microsoft.EventGrid/topic template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventgrid/topics) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Topics](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2020-06-01/topics) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep index 54fb61ef9a..e85633c233 100644 --- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep 
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep index a4d8bcf39e..a97319170b 100644 --- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.EventHub/namespaces/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.EventHub/namespaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index c7b2002eb8..6cb7857e7b 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
@@ -106,75 +106,54 @@ var networkAcls_var = { ipRules: (empty(networkAcls) ? json('null') : ((length(networkAcls.ipRules) == 0) ? json('null') : networkAcls.ipRules)) } var namespaceAlias_var = (empty(namespaceAlias) ? 'placeholder' : namespaceAlias) -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } + +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ArchiveLogs' + 'OperationalLogs' + 'KafkaCoordinatorLogs' + 'KafkaUserErrorLogs' + 'EventHubVNetConnectionEvent' + 'CustomerManagedKeyUserLogs' + 'AutoScaleLogs' +]) +param logsToEnable array = [ + 'ArchiveLogs' + 'OperationalLogs' + 'KafkaCoordinatorLogs' + 'KafkaUserErrorLogs' + 'EventHubVNetConnectionEvent' + 'CustomerManagedKeyUserLogs' + 'AutoScaleLogs' ] -var diagnosticsLogs = [ - { - category: 'ArchiveLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'OperationalLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AutoScaleLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'KafkaCoordinatorLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'KafkaUserErrorLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'EventHubVNetConnectionEvent' + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } + days: diagnosticLogsRetentionInDays } - { - category: 'CustomerManagedKeyUserLogs' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -229,7 +208,6 @@ resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2016-09-01' = if resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId))) { name: '${eventHubNamespace.name}-diagnosticSettings' - location: location properties: { storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) workspaceId: (empty(workspaceId) ? json('null') : workspaceId) 
@@ -276,6 +254,5 @@ module eventHubNamespace_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignmen output namespace string = eventHubNamespace.name output namespaceResourceId string = eventHubNamespace.id output namespaceResourceGroup string = resourceGroup().name -output defaultAuthorizationRuleId string = defaultAuthorizationRuleId output namespaceConnectionString string = listkeys(authRuleResourceId, '2017-04-01').primaryConnectionString output sharedAccessPolicyPrimaryKey string = listkeys(authRuleResourceId, '2017-04-01').primaryKey diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md index 2d12559a05..4e81c2a520 100644 --- a/arm/Microsoft.EventHub/namespaces/readme.md +++ b/arm/Microsoft.EventHub/namespaces/readme.md 
@@ -1,45 +1,47 @@ -# EventHub Namespaces +# EventHub Namespaces `[Microsoft.EventHub/namespaces]` This module deploys EventHub Namespace. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.EventHub/namespaces`|2017-04-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.EventHub/namespaces/disasterRecoveryConfigs`|2017-04-01| -|`Microsoft.EventHub/namespaces/AuthorizationRules`|2017-04-01| -|`Microsoft.Network/privateEndpoints`|2020-05-01| -|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups`|2020-05-01| -|`Microsoft.EventHub/namespaces/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.EventHub/namespaces` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/authorizationRules` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub namespace | System.Object[] | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. 
| | | -| `isAutoInflateEnabled` | bool | Optional. Switch to enable the Auto Inflate feature of Event Hub. | False | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `maximumThroughputUnits` | int | Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | 1 | | -| `namespaceAlias` | string | Optional. The Disaster Recovery configuration name | | | -| `namespaceName` | string | Optional. The name of the EventHub namespace. If no name is provided, then unique name will be created.| | | -| `networkAcls` | object | Optional. Service endpoint object information | | | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `partnerNamespaceId` | string | Optional. ARM Id of the Primary/Secondary eventhub namespace name, which is part of GEO DR pairing | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `skuCapacity` | int | Optional. Event Hub Plan scale-out capacity of the resource | 1 | | -| `skuName` | string | Optional. EventHub Plan sku name | Standard | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `vNetId` | string | Optional. Virtual Network Id to lock down the Event Hub. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `zoneRedundant` | bool | Optional. 
Switch to make the Event Hub Namespace zone redundant. | False | | -| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. +| `authorizationRules` | array | `[System.Collections.Hashtable]` | | Optional. Authorization Rules for the Event Hub namespace | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `isAutoInflateEnabled` | bool | | | Optional. Switch to enable the Auto Inflate feature of Event Hub. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | Optional. The name of logs that will be streamed. | +| `maximumThroughputUnits` | int | `1` | | Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `namespaceAlias` | string | | | Optional. 
The Disaster Recovery configuration name | +| `namespaceName` | string | | | Optional. The name of the EventHub namespace. If no name is provided, then unique name will be created. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information | +| `partnerNamespaceId` | string | | | Optional. ARM Id of the Primary/Secondary eventhub namespace name, which is part of GEO DR pairing | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `skuCapacity` | int | `1` | | Optional. Event Hub Plan scale-out capacity of the resource | +| `skuName` | string | `Standard` | `[Basic, Standard]` | Optional. EventHub Plan sku name | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vNetId` | string | | | Optional. Virtual Network Id to lock down the Event Hub. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `zoneRedundant` | bool | | | Optional. Switch to make the Event Hub Namespace zone redundant. | ### Parameter Usage: `roleAssignments` 
@@ -172,24 +174,20 @@ To use Private Endpoint the following dependencies must be deployed: ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `defaultAuthorizationRuleId` | string | The Id of the authorization rule marked by the variable with the same name. | -| `namespaceConnectionString` | securestring | The connection string of the EventHub Namespace | -| `namespaceName` | string | The Name of the EventHub Namespace | -| `namespaceResourceGroup` | string | The name of the Resource Group with the EventHub Namespace | -| `namespaceResourceId` | string | The Resource Id of the EventHub Namespace | -| `sharedAccessPolicyPrimaryKey` | securestring | The shared access policy primary key for the EventHub Namespace | - -### Scripts - -- There is no Scripts for this Module - -## Considerations - -- There is no deployment considerations for this Module - -## Additional resources - -- [Microsoft EventHub template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventhub/allversions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +| Output Name | Type | +| :-- | :-- | +| `namespace` | string | +| `namespaceConnectionString` | string | +| `namespaceResourceGroup` | string | +| `namespaceResourceId` | string | +| `sharedAccessPolicyPrimaryKey` | string | + +## Template references + +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Namespaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces) +- [Namespaces/Authorizationrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) +- [Namespaces/Disasterrecoveryconfigs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) +- 
[Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.EventHub/namespacesResources/eventhubs/readme.md b/arm/Microsoft.EventHub/namespacesResources/eventhubs/readme.md index 9f3949d61d..d77b8a20be 100644 --- a/arm/Microsoft.EventHub/namespacesResources/eventhubs/readme.md +++ b/arm/Microsoft.EventHub/namespacesResources/eventhubs/readme.md 
@@ -1,31 +1,28 @@ -# EventHubs +# EventHubs `[Microsoft.EventHub/namespacesResources/eventhubs]` This module deploys EventHub. ## Resource types - -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.EventHub/namespaces/eventhubs`|2017-04-01| -|`Microsoft.EventHub/namespaces/eventhubs/consumergroups`|2017-04-01| -|`Microsoft.EventHub/namespaces/eventhubs/authorizationRules`|2017-04-01| -|`Microsoft.EventHub/namespaces/eventhubs/providers/locks`|2016-09-01| -|`Microsoft.EventHub/namespaces/eventhubs/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.EventHub/namespaces/eventhubs` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | 2017-04-01 | +| `Microsoft.EventHub/namespaces/eventhubs/providers/locks` | 2016-09-01 | +| `Microsoft.EventHub/namespaces/eventhubs/providers/roleAssignments` | 2018-09-01-preview | ## Parameters - -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub | System.Object[] | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `eventHubConfiguration` | object | Optional. Object to configure all properties of an Event Hub instance | properties=; consumerGroups=System.Object[] | | -| `eventHubName` | string | Required. The name of the EventHub | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `namespaceName` | string | Required. 
The name of the EventHub namespace | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | +| `authorizationRules` | array | `[System.Collections.Hashtable]` | | Optional. Authorization Rules for the Event Hub | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `eventHubConfiguration` | object | `{object}` | | Optional. Object to configure all properties of an Event Hub instance | +| `eventHubName` | string | | | Required. The name of the EventHub | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lockForDeletion` | bool | | | Optional. Switch to lock Event Hub from deletion. | +| `namespaceName` | string | | | Required. The name of the EventHub namespace | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `eventHubConfiguration` 
@@ -159,7 +156,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a ``` ## Outputs - | Output Name | Type | Description | | :-- | :-- | :-- | | `authRuleResourceId` | string | The Id of the authorization rule marked by the variable with the same name. | @@ -169,15 +165,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a | `namespaceResourceGroup` | string | The name of the Resource Group with the EventHub Namespace | | `sharedAccessPolicyPrimaryKey` | securestring | The shared access policy primary key for the EventHub Namespace | -### Scripts - -- There is no Scripts for this Module - -## Considerations - -- There is no deployment considerations for this Module - -## Additional resources - -- [Microsoft EventHub template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.eventhub/allversions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +## Template references +- [Namespaces/Eventhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/eventhubs) +- [Namespaces/Eventhubs/Authorizationrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/eventhubs/authorizationRules) +- [Namespaces/Eventhubs/Consumergroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/eventhubs/consumergroups) diff --git a/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep b/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep index e8e38052d3..774ad02bff 100644 --- a/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.HealthBot/healthBots/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.HealthBot/healthBots/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.HealthBot/healthBots/deploy.bicep b/arm/Microsoft.HealthBot/healthBots/deploy.bicep index 916bc052a7..a33793b7b2 100644 --- a/arm/Microsoft.HealthBot/healthBots/deploy.bicep +++ b/arm/Microsoft.HealthBot/healthBots/deploy.bicep @@ -45,7 +45,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource azureHealthBot 'Microsoft.HealthBot/healthBots@2020-10-20-preview' = { +resource azureHealthBot 'Microsoft.HealthBot/healthBots@2020-12-08' = { name: azureHealthBotName location: location tags: tags diff --git a/arm/Microsoft.HealthBot/healthBots/readme.md b/arm/Microsoft.HealthBot/healthBots/readme.md index 08cd6c5664..6b1cb7a7b7 100644 --- a/arm/Microsoft.HealthBot/healthBots/readme.md +++ b/arm/Microsoft.HealthBot/healthBots/readme.md @@ -1,4 +1,4 @@ -# Azure Health Bot +# Azure Health Bot `[Microsoft.HealthBot/healthBots]` This module deploys an Azure Health Bot. 
@@ -6,22 +6,21 @@ This module deploys an Azure Health Bot. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.HealthBot/healthBots` | 2020-10-20-preview| -| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | | `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.HealthBot/healthBots` | 2020-12-08 | +| `Microsoft.HealthBot/healthBots/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `azureHealthBotName` | string | Required. Name of the resource | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `sku` | string | Optional. The resource model definition representing SKU. | F0 | | -| `tags` | object | Optional. Tags of the resource. | | | +| `azureHealthBotName` | string | | | Required. Name of the resource | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. 
| +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sku` | string | `F0` | | Optional. The resource model definition representing SKU. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `tags` 
@@ -64,20 +63,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `azureHealthBotName` | string | The name of the resource. | -| `azureHealthBotResourceGroup` | string | The Resource Group the resource was deployed. | -| `azureHealthBotResourceId` | string | The Resource ID of the resource. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `azureHealthBotName` | string | +| `azureHealthBotResourceGroup` | string | +| `azureHealthBotResourceId` | string | -## Additional resources +## Template references -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [HealtHBots](https://docs.microsoft.com/en-us/azure/templates/Microsoft.HealthBot/2020-12-08/healthBots) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Healthbots](https://docs.microsoft.com/en-us/azure/templates/Microsoft.HealthBot/2020-12-08/healthBots) diff --git a/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep index 988bfbbab1..3f120a26ad 100644 --- a/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'microsoft.insights/actionGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'microsoft.insights/actionGroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Insights/actionGroups/readme.md b/arm/Microsoft.Insights/actionGroups/readme.md index 9daafc77b1..e333891336 100644 --- a/arm/Microsoft.Insights/actionGroups/readme.md +++ b/arm/Microsoft.Insights/actionGroups/readme.md 
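Review bot: the assignment in this hunk sets only `roleDefinitionId` and `principalId`; the `2021-04-01-preview` role assignment schema also accepts `principalType`, and passing `principalType: 'ServicePrincipal'` when the caller knows the principal is a managed identity or application avoids the intermittent PrincipalNotFound failures seen when an assignment is created shortly after the principal, because ARM then does not wait on directory replication. Consider an optional `principalType` in `roleAssignmentObj` that is forwarded here. Minor: the symbolic name `roleAssigment` is misspelled in every nested RBAC module in the patch.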
@@ -1,36 +1,35 @@ -# Action Group +# Action Group `[Microsoft.Insights/actionGroups]` This module deploys an Action Group ## Resource Types -| Resource Type | Api Version | -| :---------------------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2018-02-01 | -| `microsoft.insights/actionGroups` | 2019-06-01 | -| `microsoft.insights/actionGroups/providers/roleAssignments` | 2020-04-01-preview | +| Resource Type | Api Version | +| :-- | :-- | +| `microsoft.insights/actionGroups` | 2019-06-01 | +| `microsoft.insights/actionGroups/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :--------------------------- | :----- | :------------ | :-------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `actionGroupName` | string | | | Required. The name of the action group. | -| `groupShortName` | string | | | Required. The short name of the action group. | -| `enabled` | bool | true | true, false | Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `emailReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of email receivers that are part of this action group. | -| `smsReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of SMS receivers that are part of this action group. | -| `webhookReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of webhook receivers that are part of this action group. | -| `itsmReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of ITSM receivers that are part of this action group. | -| `azureAppPushReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of AzureAppPush receivers that are part of this action group. | -| `automationRunbookReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of AutomationRunbook receivers that are part of this action group. | -| `voiceReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of voice receivers. **Only US numbers supported at the moment** | -| `logicAppReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of logic app receivers that are part of this action group. | -| `azureFunctionReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of Azure Function receivers that are part of this action group. | -| `armRoleReceivers` | array | [] | Array of complex structures, see below. | Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | -| `tags` | object | {} | Complex structure, see below. | Optional. 
Tags of the Action Group resource. | -| `cuaId` | string | {} | Complex structure, see below. | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | -| `location` | string | global | Complex structure, see below. | Optional. Location for all resources. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `actionGroupName` | string | | | Required. The name of the action group. | +| `armRoleReceivers` | array | `[]` | | Optional. The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | +| `automationRunbookReceivers` | array | `[]` | | Optional. The list of AutomationRunbook receivers that are part of this action group. | +| `azureAppPushReceivers` | array | `[]` | | Optional. The list of AzureAppPush receivers that are part of this action group. | +| `azureFunctionReceivers` | array | `[]` | | Optional. The list of function receivers that are part of this action group. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `emailReceivers` | array | `[]` | | Optional. The list of email receivers that are part of this action group. | +| `enabled` | bool | `True` | | Optional. Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | +| `groupShortName` | string | | | Required. The short name of the action group. | +| `itsmReceivers` | array | `[]` | | Optional. The list of ITSM receivers that are part of this action group. | +| `location` | string | `global` | | Optional. Location for all resources. | +| `logicAppReceivers` | array | `[]` | | Optional. The list of logic app receivers that are part of this action group. | +| `roleAssignments` | array | `[]` | | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `smsReceivers` | array | `[]` | | Optional. The list of SMS receivers that are part of this action group. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `voiceReceivers` | array | `[]` | | Optional. The list of voice receivers that are part of this action group. | +| `webhookReceivers` | array | `[]` | | Optional. The list of webhook receivers that are part of this action group. | ### Parameter Usage: receivers 
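Review bot: the rewritten parameter table loses the 'Complex structure, see below' and 'Array of complex structures, see below' pointers that tied each receiver array to the 'Parameter Usage: receivers' section, leaving the Possible Values column empty for all eleven receiver parameters; keep a short pointer in the description since the receiver object shapes are not discoverable from the table. Also `enabled` now renders its default as `True`, which is PowerShell's `$true.ToString()` leaking from the generator; Bicep and parameter files use lowercase `true`, so the script should emit the JSON form.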
@@ -124,18 +123,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------ | :----- | :-------------------------------------------------------------- | -| `actionGroupName` | string | The Name of the Azure Action Group. | -| `actionGroupResourceId` | string | The Resource Ids of the Action Group deployed. | -| `deploymentResourceGroup` | string | The name of the Resource Group the Action Group was created in. | +| Output Name | Type | +| :-- | :-- | +| `actionGroupName` | string | +| `actionGroupResourceId` | string | +| `deploymentResourceGroup` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Alerts in Azure](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2019-06-01/actiongroups) -- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) +- [Actiongroups](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2019-06-01/actionGroups) diff --git a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep index bc4dd72866..48c84b0965 100644 --- a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep 
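Review bot: the output `deploymentResourceGroup` in this hunk breaks the `<resource>ResourceGroup` naming that the other modules in this patch use (`azureHealthBotResourceGroup`, `activityLogAlertResourceGroup`, `appInsightsResourceGroup`); the metric alert module has the same stray name. Since the test suite is being rewritten to work against Bicep directly, this is a good moment to rename it to `actionGroupResourceGroup` so output names are predictable across modules.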
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Insights/activityLogAlerts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Insights/activityLogAlerts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Insights/activityLogAlerts/readme.md b/arm/Microsoft.Insights/activityLogAlerts/readme.md index a2df4ef362..803e0f41cf 100644 --- a/arm/Microsoft.Insights/activityLogAlerts/readme.md +++ b/arm/Microsoft.Insights/activityLogAlerts/readme.md 
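Review bot: the assignment name in this hunk is `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)`, i.e. the hash covers the role as the caller typed it, not the resolved `roleDefinitionId`. Deploying the same role once by display name and once by its `/providers/Microsoft.Authorization/roleDefinitions/...` ID produces two different names and therefore two assignments of the same role to the same principal instead of an idempotent update. Suggest resolving the ID into a variable first and hashing that variable in both the name and `properties.roleDefinitionId`.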
@@ -1,29 +1,28 @@ -# Activity Log Alert +# Activity Log Alert `[Microsoft.Insights/activityLogAlerts]` This module deploys an Alert based on Activity Log ## Resource Types -| Resource Type | Api Version | -| :--------------------------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2018-02-01 | -| `Microsoft.Insights/ActivityLogAlerts` | 2020-10-01 | -| `Microsoft.Insights/activityLogAlerts/providers/roleAssignments` | 2020-04-01-preview | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Insights/activityLogAlerts` | 2020-10-01 | +| `Microsoft.Insights/activityLogAlerts/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :----------------- | :----- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------- | :-------------- | -| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | -| `alertDescription` | string | Optional. Description of the alert. | | | -| `alertName` | string | Required. The name of the Alert. | | | -| `conditions` | array | Required. The condition that will cause this alert to activate. Array of objects | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `enabled` | bool | Optional. Indicates whether this alert is enabled. | True | | -| `location` | string | Optional. Location for all resources. | global | | -| `roleAssignments` | array | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `scopes` | array | Optional. the list of resource id\'s that this metric alert is scoped to. | subscription().id | | -| `tags` | object | Optional. Tags of the resource. | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | `[]` | | Optional. The list of actions to take when alert triggers. | +| `alertDescription` | string | | | Optional. Description of the alert. | +| `alertName` | string | | | Required. The name of the Alert. | +| `conditions` | array | | | Required. The condition that will cause this alert to activate. Array of objects | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `enabled` | bool | `True` | | Optional. Indicates whether this alert is enabled. | +| `location` | string | `global` | | Optional. Location for all resources. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `scopes` | array | `[[subscription().id]]` | | Required. the list of resource id's that this metric alert is scoped to. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: actions 
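Review bot: `scopes` in this hunk is relabelled 'Required.' while still showing a default of `[[subscription().id]]`; a parameter with a default is optional by definition, so either the default was removed in deploy.bicep and the table is right, or the label is wrong. The description also still says 'this metric alert' in the activity log alert readme. If the intent is to force callers to scope the alert explicitly, remove the default; otherwise restore 'Optional.' and fix the copied description. The rendered default with doubled brackets is also hard to read; rendering the array as `['[subscription().id]']` would make it clear it is a one-element array containing an expression.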
@@ -178,19 +177,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------------ | :----- | :------------------------------------------------------- | -| `activityLogAlertResourceId` | string | The Resource Id of the Alert deployed. | -| `activityLogAlertName` | string | The Name of the Alert. | -| `activityLogAlertResourceGroup` | string | The name of the Resource Group the Alert was created in. | +| Output Name | Type | +| :-- | :-- | +| `activityLogAlertName` | string | +| `activityLogAlertResourceGroup` | string | +| `activityLogAlertResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Activity Log alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2020-10-01/activitylogalerts) -- [Service Health notification properties](https://docs.microsoft.com/en-us/azure/service-health/service-health-notifications-properties) -- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) +- [Activitylogalerts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-10-01/activityLogAlerts) diff --git a/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep index a864a1d86c..c1a4bd4341 100644 --- a/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep 
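Review bot: the Template references rewrite in this hunk drops the 'Service Health notification properties' link, which was the only pointer to the field names valid inside `conditions` when the alert targets Service Health events; the generic ARM reference that replaces it does not document those fields. Keep that link, or move it into the 'Parameter Usage' section for `conditions`.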
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Insights/components/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Insights/components/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Insights/components/readme.md b/arm/Microsoft.Insights/components/readme.md index 0e4f2367cd..a44528095e 100644 --- a/arm/Microsoft.Insights/components/readme.md +++ b/arm/Microsoft.Insights/components/readme.md 
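Review bot: the fallback branch `: roleAssignmentObj.roleDefinitionIdOrName` in this hunk forwards any string that is not a key of `builtInRoleNames` unchanged as `roleDefinitionId`. A misspelled built-in name ('Contributer', 'Reader ' with a trailing space) therefore reaches ARM as if it were a role definition resource ID and fails late, after the parent component has already been deployed, with an error about an invalid role definition rather than an unknown role name. Bicep has no assertion construct at this point, so the practical mitigations are to document that non-built-in values must be full role definition resource IDs and to have the Pester tests check parameter files for values that are neither a map key nor start with `/providers/Microsoft.Authorization/roleDefinitions/` or `/subscriptions/`.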
@@ -1,31 +1,26 @@ -# Application Insights +# Application Insights `[Microsoft.Insights/components]` ## Resource Types -| Resource Type | Api Version | -| :-------------------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.Insights/components` | 2020-02-02 | -| `Microsoft.Insights/components/providers/roleAssignments` | 2020-04-01-preview | - -### Resource dependency - -The following resources are required to be able to deploy this resource. +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Insights/components` | 2020-02-02 | +| `Microsoft.Insights/components/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :------------------------------------------- | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------- | :---------------- | -| `appInsightsName` | string | Required. Name of the Application Insights | | | -| `appInsightsType` | string | Optional. Application type | web | System.Object[] | -| `appInsightsWorkspaceResourceId` | string | Required. Resource Id of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property | | | -| `appInsightsPublicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Application Insights ingestion | Enabled | Enabled, Disabled | -| `appInsightsPublicNetworkAccessForQuery` | string | Optional. 
The network access type for accessing Application Insights query | Enabled | Enabled, Disabled | -| `kind` | string | Optional. The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone.' | '' | | -| `location` | string | Optional. Location for all Resources | [resourceGroup().location] | | -| `roleAssignments` | string | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `appInsightsName` | string | | | Required. Name of the Application Insights | +| `appInsightsPublicNetworkAccessForIngestion` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The network access type for accessing Application Insights ingestion. - Enabled or Disabled | +| `appInsightsPublicNetworkAccessForQuery` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The network access type for accessing Application Insights query. - Enabled or Disabled | +| `appInsightsType` | string | `web` | `[web, other]` | Optional. Application type | +| `appInsightsWorkspaceResourceId` | string | | | Required. Resource Id of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. 
| +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `kind` | string | | | Optional. The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `roleAssignments` 
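Review bot: the `roleAssignments` type correction from string to array in this hunk is right (the nested module iterates over it), but its description still reads "it's fully qualified ID" where the other readmes in this patch say "its". More important for a reader choosing values: `appInsightsPublicNetworkAccessForIngestion` and `appInsightsPublicNetworkAccessForQuery` both default to `Enabled`, so telemetry ingestion and query over the public endpoint are allowed unless the caller opts out, and setting either to `Disabled` requires an Azure Monitor Private Link Scope, which is the `privateLinkScopes` module updated in this same patch; the description should say both things so the dependency is not discovered at deployment time.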
@@ -69,17 +64,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------- | :----- | :------------------------------------------------ | -| `appInsightsAppId` | string | Application Insights Application Id | -| `appInsightsKey` | string | Application Insights Resource Instrumentation Key | -| `appInsightsName` | string | Application Insights Resource Name | -| `appInsightsResourceGroup` | string | Application Insights ResourceGroup | -| `appInsightsResourceId` | string | Application Insights Resource Id | - -## Considerations +| Output Name | Type | +| :-- | :-- | +| `appInsightsAppId` | string | +| `appInsightsKey` | string | +| `appInsightsName` | string | +| `appInsightsResourceGroup` | string | +| `appInsightsResourceId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) - [Components](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-02-02/components) diff --git a/arm/Microsoft.Insights/diagnosticSettings/readme.md b/arm/Microsoft.Insights/diagnosticSettings/readme.md index 46adb0fd38..8639f01cd9 100644 --- a/arm/Microsoft.Insights/diagnosticSettings/readme.md +++ b/arm/Microsoft.Insights/diagnosticSettings/readme.md 
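Review bot: `appInsightsKey` in this hunk emits the instrumentation key as a plain string output. Deployment outputs are persisted in the resource group's deployment history and are readable by anyone holding `Microsoft.Resources/deployments/read` there (the built-in Reader role includes it), and Bicep outputs cannot be marked `@secure()`. With the Description column gone there is nowhere left to tell callers that this value is a credential for the ingestion endpoint when public ingestion is enabled (the module default). Either keep a description stating the exposure, or drop the output and let consumers read `properties.InstrumentationKey` via `reference()` at the point of use.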
@@ -1,37 +1,32 @@ -# ActivityLog +# ActivityLog `[Microsoft.Insights/diagnosticSettings]` This module deploys a subscription wide export of the ActivityLog. ## Resource Types -| Resource Type | Api Version | -| :-------------------------------------- | :----------------- | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :------------------------------ | :------- | :---------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :-------------- | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticsName` | string | Required. Name of the ActivityLog diagnostic settings. | | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `logsToEnable` | string[] | Optional. The name of logs that will be streamed. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticsName` | string | `[format('{0}-ActivityLog', uniqueString(subscription().id))]` | | Optional. 
Name of the ActivityLog diagnostic settings. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `logsToEnable` | array | `[Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth]` | `[Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth]` | Optional. The name of logs that will be streamed. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ## Outputs -| Output Name | Type | Description | -| :--------------------- | :----- | :----------------------------------- | -| `diagnosticResourceId` | string | The Resource Ids of the Diagnostics. | -| `diagnosticsName` | string | The Name of the Diagnostics. | +| Output Name | Type | +| :-- | :-- | +| `diagnosticResourceId` | string | +| `diagnosticsName` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Collect Azure Activity log with diagnostic settings (preview)](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings-subscription) -- [Microsoft.Insights template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/allversions) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) diff --git a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep index 5302382cb3..f293b41c0a 100644 
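Review bot: `diagnosticsName` in this hunk moves from Required to Optional with a default of `format('{0}-ActivityLog', uniqueString(subscription().id))`; that is deterministic per subscription, so repeat deployments are idempotent, but the readme should state that a second invocation with a different destination overwrites the existing export rather than adding one. The `Microsoft.Insights/diagnosticSettings` version stays at `2017-05-01-preview` while every other module in the patch is bumped; `2021-05-01-preview` exists and the commit message says API versions were updated. Two caveats worth adding to the descriptions: `logsToEnable` defaults to all eight categories including `Administrative` and `Security`, and removing a category silently stops exporting that audit stream; `diagnosticLogsRetentionInDays` applies only to the storage account sink, not to Log Analytics or Event Hub destinations.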
--- a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Insights/metricAlerts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Insights/metricAlerts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Insights/metricAlerts/readme.md b/arm/Microsoft.Insights/metricAlerts/readme.md index 7b8a823495..5f8de70c3d 100644 --- a/arm/Microsoft.Insights/metricAlerts/readme.md +++ b/arm/Microsoft.Insights/metricAlerts/readme.md 
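Review bot: this is the fifth byte-identical `nested_rbac.bicep` change in the patch, differing from the others only in the resource type prefix of the type string. Rather than bumping each copy by hand, either hoist the body into one shared module that takes the parent type as a parameter, or add a check in `global.module.tests.ps1` (rewritten in this same patch) that every `*/providers/roleAssignments@` resource across modules uses the same API version, so the next bump cannot miss one.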
@@ -1,36 +1,35 @@ -# Metric Alert +# Metric Alert `[Microsoft.Insights/metricAlerts]` This module deploys an Alert based on metrics ## Resource types -| Resource Type | ApiVersion | -| :---------------------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2018-02-01 | -| `Microsoft.Insights/metricAlerts` | 2018-03-01 | -| `Microsoft.Insights/metricAlerts/providers/roleAssignments` | 2020-04-01-preview | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Insights/metricAlerts` | 2018-03-01 | +| `Microsoft.Insights/metricAlerts/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :--------------------- | :----- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------- | :-------------- | -| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | -| `alertCriteriaType` | string | Optional. Maps to the 'odata.type' field. Specifies the type of the alert criteria. | Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria | System.Object[] | -| `alertDescription` | string | Optional. Description of the alert. | | | -| `alertName` | string | Required. The name of the Alert. | | | -| `autoMitigate` | bool | Optional. The flag that indicates whether the alert should be auto resolved or not. | True | | -| `criterias` | array | Required. Criterias to trigger the alert. 
Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `enabled` | bool | Optional. Indicates whether this alert is enabled. | True | | -| `evaluationFrequency` | string | Optional. how often the metric alert is evaluated represented in ISO 8601 duration format. | PT5M | System.Object[] | -| `location` | string | Optional. Location for all resources. | global | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `scopes` | array | Optional. the list of resource id\'s that this metric alert is scoped to. | subscription().id | | -| `severity` | int | Optional. The severity of the alert. | 3 | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `targetResourceRegion` | string | Optional. The region of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | | | -| `targetResourceType` | string | Optional. The resource type of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | | | -| `windowSize` | string | Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | PT15M | System.Object[] | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | `[]` | | Optional. 
The list of actions to take when alert triggers. | +| `alertCriteriaType` | string | `Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria` | `[Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria]` | Optional. Maps to the 'odata.type' field. Specifies the type of the alert criteria. | +| `alertDescription` | string | | | Optional. Description of the alert. | +| `alertName` | string | | | Required. The name of the Alert. | +| `autoMitigate` | bool | `True` | | Optional. The flag that indicates whether the alert should be auto resolved or not. | +| `criterias` | array | | | Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `enabled` | bool | `True` | | Optional. Indicates whether this alert is enabled. | +| `evaluationFrequency` | string | `PT5M` | `[PT1M, PT5M, PT15M, PT30M, PT1H]` | Optional. how often the metric alert is evaluated represented in ISO 8601 duration format. | +| `location` | string | `global` | | Optional. Location for all resources. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `scopes` | array | `[[subscription().id]]` | | Optional. the list of resource id's that this metric alert is scoped to. | +| `severity` | int | `3` | `[0, 1, 2, 3, 4]` | Optional. 
The severity of the alert. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `targetResourceRegion` | string | | | Optional. The region of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | +| `targetResourceType` | string | | | Optional. The resource type of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria. | +| `windowSize` | string | `PT15M` | `[PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D]` | Optional. the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | ### Parameter Usage: actions @@ -168,16 +167,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------ | :----- | :---------------------------------------------------------- | -| `metricAlertName` | string | The name of the created database. | -| `deploymentResourceGroup` | string | The name of the Resource Group the Resource was created in. | -| `metricAlertResourceId` | string | The Resource Id of the Alert deployed. | +| Output Name | Type | +| :-- | :-- | +| `deploymentResourceGroup` | string | +| `metricAlertName` | string | +| `metricAlertResourceId` | string | -## Considerations +## Template references -## Additional resources - -- [Metric alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-overview) -- [Template reference](hhttps://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2018-03-01/metricalerts) -- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) +- [Metricalerts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2018-03-01/metricAlerts) 
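Review bot: The regenerated Outputs table drops the Description column, so `metricAlertName`, `deploymentResourceGroup` and `metricAlertResourceId` no longer have a documented meaning; the same loss appears in the privateLinkScopes and scheduledQueryRules readme hunks further down. The Key Vault deploy.bicep hunk in this PR adds `@description()` decorators to its outputs, so if the generator reads those, add them to this module's outputs as well so the column can be regenerated rather than dropped. In the parameter table the `scopes` default renders as `[[subscription().id]]`, which reads as a nested array; rendering array defaults as a Bicep literal (`[subscription().id]`) would avoid the ambiguity. Replacing 'Additional resources' with only the template reference also removes the link to the metric alerts overview; if the generated layout cannot carry hand-written links, note that in the PR description so module authors know where such links now belong.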
diff --git a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep index 076315af72..0705de5f3b 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep @@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags diff --git a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep index 401a3b01dc..debc55996f 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Insights/privateLinkScopes/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Insights/privateLinkScopes/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName 
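Review bot: In privateLinkScopes/.bicep/nested_privateEndpoint.bicep only `Microsoft.Network/privateEndpoints` is bumped to 2021-05-01; the sibling `privateDnsZoneGroups` resource in the same file stays at 2020-05-01 (the readme resource-types hunk that follows shows the split). The Key Vault copy of this nested template moves privateDnsZoneGroups to 2021-02-01 in the same PR, so the two modules now drift; pick one API version per resource type and apply it in every nested_privateEndpoint.bicep. Minor: the symbolic name `roleAssigment` in nested_rbac.bicep is missing an 'n'; it recurs in every nested_rbac.bicep touched here and is cheap to correct while these lines are being edited anyway.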
diff --git a/arm/Microsoft.Insights/privateLinkScopes/readme.md b/arm/Microsoft.Insights/privateLinkScopes/readme.md index 2639d70fd3..c6bf02a666 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/readme.md +++ b/arm/Microsoft.Insights/privateLinkScopes/readme.md 
@@ -1,31 +1,30 @@ -# Azure Monitor Private Link Scope +# Azure Monitor Private Link Scope `[Microsoft.Insights/privateLinkScopes]` This module deploys Azure Monitor Private Link Scope ## Resource types -| Resource Type | Api Version | -| :--------------------------------------------------------------- | :----------------- | -| `Microsoft.Insights/privateLinkScopes` | 2019-10-17-preview | -| `microsoft.insights/privatelinkscopes/scopedresources` | 2019-10-17-preview | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Insights/privateLinkScopes/providers/roleAssignments` | 2018-09-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `microsoft.insights/privateLinkScopes` | 2019-10-17-preview | +| `Microsoft.Insights/privateLinkScopes/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Insights/privateLinkScopes/scopedResources` | 2019-10-17-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :--------------------- | :----- | :--------------------------- | :----------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. 
| -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `privateEndpoints` | array | System.Object[] | Complex structure, see below. | Optional. Configuration Details for private endpoints. | -| `privateLinkScopeName` | string | | | Required. Name of the Private Link Scope. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `scopedResources` | array | [] | Complex structure, see below. | Optional. Configuration Details for Azure Monitor Resources. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `global` | | Optional. The location of the Private Link Scope. Should be global. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `privateLinkScopeName` | string | | | Required. Name of the Private Link Scope. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `scopedResources` | array | `[]` | | Optional. Configuration Details for Azure Monitor Resources. | +| `tags` | object | `{object}` | | Optional. Resource tags. | ### Parameter Usage: `roleAssignments` 
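Review bot: The `location` default changing from `[resourceGroup().location]` to `global` is a behaviour change for callers who never passed a location, not just a documentation refresh; the new description 'Should be global' implies the deploy.bicep default changed too, so call it out in the PR description. Resource-type casing in the new table is mixed (`microsoft.insights/privateLinkScopes` next to `Microsoft.Insights/privateLinkScopes/providers/roleAssignments` and `Microsoft.Insights/privateLinkScopes/scopedResources`); normalise the namespace in the source templates so the generated table sorts and reads consistently. The old 'Complex structure, see below.' hints for `privateEndpoints`, `roleAssignments` and `scopedResources` are gone and the Possible Values cells are now empty; since the 'Parameter Usage' sections still follow, a short pointer in those descriptions would keep them discoverable.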
@@ -127,22 +126,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------------ | :----- | :-------------------------------------------------------------------- | -| `privateLinkScopeResourceId` | string | The Resource Id of the Private Link Scope. | -| `privateLinkScopeResourceGroup` | string | The name of the Resource Group the Private Link Scope was created in. | -| `privateLinkScopeName` | string | The Name of the Private Link Scope. | +| Output Name | Type | +| :-- | :-- | +| `privateLinkScopeName` | string | +| `privateLinkScopeResourceGroup` | string | +| `privateLinkScopeResourceId` | string | -## Considerations +## Template references -**N/A* - -## Additional resources - -- [Azure Monitor Private Link Scope Documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/private-link-security) -- [Microsoft.Insights privateLinkScopes template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/privatelinkscopes) -- [Microsoft.Insights privateLinkScopes scopedResources template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/privatelinkscopes/scopedresources) -- [Microsoft.Network privateEndpoints template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints) -- [Microsoft.Network privateEndpoints privateDnsZoneGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints/privatednszonegroups) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- 
[Privatelinkscopes](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2019-10-17-preview/privateLinkScopes) +- [Privatelinkscopes/Scopedresources](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2019-10-17-preview/privateLinkScopes/scopedResources) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep index c42d7ff00a..fefca2d5bc 100644 --- a/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'microsoft.insights/scheduledQueryRules/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'microsoft.insights/scheduledQueryRules/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Insights/scheduledQueryRules/readme.md b/arm/Microsoft.Insights/scheduledQueryRules/readme.md index 9676f4149e..786a7d4237 100644 --- a/arm/Microsoft.Insights/scheduledQueryRules/readme.md +++ b/arm/Microsoft.Insights/scheduledQueryRules/readme.md 
@@ -1,42 +1,41 @@ -# Scheduled Query Rules +# Scheduled Query Rules `[Microsoft.Insights/scheduledQueryRules]` This module deploys an Alert based on metrics ## Resource types -| Resource Type | ApiVersion | -| :----------------------------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2018-02-01 | -| `microsoft.insights/scheduledQueryRules` | 2018-04-16 | -| `microsoft.insights/scheduledQueryRules/providers/roleAssignments` | 2020-04-01-preview | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Insights/scheduledQueryRules` | 2018-04-16 | +| `microsoft.insights/scheduledQueryRules/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :----------------------------------- | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------- | :---------------------------- | -| `actions` | array | Optional. The list of actions to take when alert triggers. | System.Object[] | | -| `alertDescription` | string | Optional. Description of the alert. | | | -| `alertName` | string | Required. The name of the Alert. | | | -| `authorizedResources` | array | Optional. The list of resource id's referenced in the query. | System.Object[] | | -| `breachesThreshold` | int | Optional. Number of threadshold violation to trigger the alert | 3 | | -| `breachesThresholdOperator` | string | Optional. If `metricColumn` is specified, operator for the breaches count evaluation to trigger the alert. Not used if using result count trigger. 
| GreaterThan | System.Object[] | -| `breachesTriggerType` | string | Optional. Type of aggregation of threadshold violation | Consecutive | System.Object[] | -| `criterias` | array | Optional. The list of action alert creterias. | System.Object[] | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `enabled` | string | Optional. Indicates whether this alert is enabled. | true | System.Object[] | -| `evaluationFrequency` | int | Optional. How often the metric alert is evaluated (in minutes). | 5 | System.Object[] | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `metricColumn` | string | Optional. Variable (column) on which the query result will be grouped and then evaluated for trigger condition. Use comma to specify more than one. Leave empty to use "Number of results" type of alert logic | | | -| `metricResultCountThreshold` | int | Optional. Operator for metric or number of result evaluation. | 0 | | -| `metricResultCountThresholdOperator` | string | Optional. Operator of threshold breaches to trigger the alert. | GreaterThan | System.Object[] | -| `odataType` | string | Optional. Type of the alert criteria. | AlertingAction | System.Object[] | -| `query` | string | Optional. The query to execute | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | [] | Complex structure, see below. | -| `severity` | int | Optional. The severity of the alert. | 3 | System.Object[] | -| `suppressForMinutes` | int | Optional. Suppress Alert for (in minutes). 
| 0 | | -| `tags` | object | Optional. Tags of the resource. | | | -| `windowSize` | int | Optional. The period of time (in minutes) that is used to monitor alert activity based on the threshold. | 60 | System.Object[] | -| `workspaceResourceId` | string | Required. Resource ID of the Log Analytics workspace where the query needs to be executed | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `actions` | array | `[]` | | Optional. The list of actions to take when alert triggers. | +| `alertDescription` | string | | | Optional. Description of the alert. | +| `alertName` | string | | | Required. The name of the Alert. | +| `authorizedResources` | array | `[]` | | Optional. The list of resource id's referenced in the query. | +| `breachesThreshold` | int | `3` | | Optional. Number of threadshold violation to trigger the alert | +| `breachesThresholdOperator` | string | `GreaterThan` | `[GreaterThan, Equal, LessThan]` | Optional. If `metricColumn` is specified, operator for the breaches count evaluation to trigger the alert. Not used if using result count trigger. | +| `breachesTriggerType` | string | `Consecutive` | `[Consecutive, Total]` | Optional. Type of aggregation of threadshold violation | +| `criterias` | array | `[]` | | Optional. The list of action alert creterias. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `enabled` | string | `true` | `[true, false]` | Optional. Indicates whether this alert is enabled. | +| `evaluationFrequency` | int | `5` | `[5, 10, 15, 30, 45, 60, 120, 180, 240, 300, 360, 1440]` | Optional. How often the metric alert is evaluated (in minutes). | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `metricColumn` | string | | | Optional. Variable (column) on which the query result will be grouped and then evaluated for trigger condition. 
Use comma to specify more than one. Leave empty to use "Number of results" type of alert logic | +| `metricResultCountThreshold` | int | | | Optional. Operator for metric or number of result evaluation. | +| `metricResultCountThresholdOperator` | string | `GreaterThan` | `[GreaterThan, Equal, LessThan]` | Optional. Operator of threshold breaches to trigger the alert. | +| `odataType` | string | `AlertingAction` | `[AlertingAction, LogToMetricAction]` | Optional. Type of the alert criteria. | +| `query` | string | | | Optional. The query to execute | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `severity` | int | `3` | `[0, 1, 2, 3, 4]` | Optional. The severity of the alert. | +| `suppressForMinutes` | int | | | Optional. Suppress Alert for (in minutes). | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `windowSize` | int | `60` | `[5, 10, 15, 30, 45, 60, 120, 180, 240, 300, 360, 1440, 2880]` | Optional. The period of time (in minutes) that is used to monitor alert activity based on the threshold. | +| `workspaceResourceId` | string | | | Required. Resource ID of the Log Analytics workspace where the query needs to be executed | ### Parameter Usage: `roleAssignments` 
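Review bot: The regenerated table carries the typos 'threadshold' (`breachesThreshold`, `breachesTriggerType`) and 'creterias' (`criterias`) over from the `@description()` text in deploy.bicep; fix them at the source so the next refresh is clean. Two defaults disappeared rather than being updated: `metricResultCountThreshold` and `suppressForMinutes` were both documented as `0` and their Default Value cells are now empty, which a reader will take as 'no default'; confirm whether the generator skips a `0` default or the Bicep parameters actually lost theirs. `enabled` is still typed `string` with possible values `[true, false]`; a `bool` parameter is the idiomatic type and removes string comparison from the template. Finally, the unchanged context line 'This module deploys an Alert based on metrics' describes the metricAlerts module; scheduled query rules are log-query alerts, so the sentence should be corrected in the source readme.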
@@ -86,17 +85,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :------------------------ | :----- | :---------------------------------------------------------- | -| `queryAlertName` | string | The Deployment Name. | -| `queryAlertResourceId` | string | The Resource Id of the Alert deployed. | -| `deploymentResourceGroup` | string | The name of the Resource Group the Resource was created in. | +| Output Name | Type | +| :-- | :-- | +| `deploymentResourceGroup` | string | +| `queryAlertName` | string | +| `queryAlertResourceId` | string | -## Considerations +## Template references -## Additional resources - -- [Log query based alerts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2018-04-16/scheduledqueryrules) -- [Kusto language](https://docs.microsoft.com/en-us/azure/kusto/query/) -- [Azure monitor documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/) +- [Scheduledqueryrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2018-04-16/scheduledQueryRules) diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep index 322642b0ca..29ca1a09f0 100644 --- a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep 
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep index e5a34cad11..f6df4c7f74 100644 --- a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep 
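Review bot: In Key Vault's nested_privateEndpoint.bicep the second hunk moves `privateDnsZoneGroups` to 2021-02-01 while the first hunk moves `privateEndpoints` to 2021-05-01, giving the same provider two different API versions in one file, and the privateLinkScopes copy of this template keeps privateDnsZoneGroups at 2020-05-01. Unless there is a reason for the split, align both resources on one version and mirror it in the other nested_privateEndpoint.bicep files, then regenerate the affected readmes so their resource-types tables match.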
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.KeyVault/vaults/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.KeyVault/vaults/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep index 31be26d74c..d4db6ecc48 100644 --- a/arm/Microsoft.KeyVault/vaults/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep 
@@ -112,6 +112,41 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param baseTime string = utcNow('u') +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'AuditEvent' +]) +param logsToEnable array = [ + 'AuditEvent' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var maxNameLength = 24 var uniqueKeyVaultNameUntrim = uniqueString('Key Vault${baseTime}') var uniqueKeyVaultName = ((length(uniqueKeyVaultNameUntrim) > maxNameLength) ? substring(uniqueKeyVaultNameUntrim, 0, maxNameLength) : uniqueKeyVaultNameUntrim) 
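Review bot: `logsToEnable` and `metricsToEnable` carry no `@minLength(1)`, so a caller can pass `[]` and the diagnostic setting is deployed with an empty `logs`/`metrics` list, which turns Key Vault audit logging off for a vault that otherwise looks fully configured. Either add `@minLength(1)` above `param logsToEnable array = [ 'AuditEvent' ]` (and likewise for `metricsToEnable`) to keep at least one category, or state in the `@description()` that an empty array disables the stream. `@allowed` currently lists only `AuditEvent`, matching the category the removed hard-coded block used; when further Key Vault log categories are to be supported, that decorator is the single place to extend.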
@@ -125,27 +160,7 @@ var networkAcls_var = { virtualNetworkRules: (empty(networkAcls) ? json('null') : virtualNetworkRules) ipRules: (empty(networkAcls) ? json('null') : ((length(networkAcls.ipRules) == 0) ? [] : networkAcls.ipRules)) } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var diagnosticsLogs = [ - { - category: 'AuditEvent' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] + var builtInRoleNames = { Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' @@ -265,7 +280,11 @@ module keyVault_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) } }] +@description('The Resource Id of the Key Vault.') output keyVaultResourceId string = keyVault.id +@description('The name of the Resource Group the Key Vault was created in.') output keyVaultResourceGroup string = resourceGroup().name +@description('The Name of the Key Vault.') output keyVaultName string = keyVault.name +@description('The URL of the Key Vault.') output keyVaultUrl string = reference(keyVault.id, '2016-10-01').vaultUri diff --git a/arm/Microsoft.KeyVault/vaults/deploy.json b/arm/Microsoft.KeyVault/vaults/deploy.json deleted file mode 100644 index 0ca53da702..0000000000 --- a/arm/Microsoft.KeyVault/vaults/deploy.json +++ /dev/null 
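Review bot: The hunk at `@@ -125,27 +160,7 @@` replaces the removed `diagnosticsMetrics`/`diagnosticsLogs` blocks with a single empty `+` line before `var builtInRoleNames`; confirm that blank line is intended spacing and not a leftover. In the outputs hunk, `keyVaultUrl` still resolves `reference(keyVault.id, '2016-10-01').vaultUri` with a hard-coded 2016-10-01 API version while the rest of the PR bumps versions; `keyVault.properties.vaultUri` reads the property through the resource's own declared version and drops the extra `reference()` call. The added `@description()` decorators on the outputs are the right fix for the Description column the readme hunks lost; make sure the readme generator picks them up.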
@@ -1,626 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "keyVaultName": { - "type": "string", - "defaultValue": "", - "maxLength": 24, - "metadata": { - "description": "Optional. Name of the Key Vault. If no name is provided, then unique name will be created." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. Array of access policies object" - } - }, - "secretsObject": { - "type": "secureObject", - "defaultValue": { - "secrets": [ - ] - }, - "metadata": { - "description": "Optional. All secrets [{\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object]" - } - }, - "keysObject": { - "type": "secureObject", - "defaultValue": { - "keys": [ - ] - }, - "metadata": { - "description": "Optional. All keys [{\"keyName\":\"\",\"keyType\":\"\",\"keyOps\":\"\",\"keySize\":\"\",\"curvename\":\"\"} wrapped in a secure object]" - } - }, - "enableVaultForDeployment": { - "type": "bool", - "defaultValue": true, - "allowedValues": [ - true, - false - ], - "metadata": { - "description": "Optional. Specifies if the vault is enabled for deployment by script or compute" - } - }, - "enableVaultForTemplateDeployment": { - "type": "bool", - "defaultValue": true, - "allowedValues": [ - true, - false - ], - "metadata": { - "description": "Optional. Specifies if the vault is enabled for a template deployment" - } - }, - "enableVaultForDiskEncryption": { - "type": "bool", - "defaultValue": true, - "allowedValues": [ - true, - false - ], - "metadata": { - "description": "Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios." 
- } - }, - "enableSoftDelete": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Switch to enable/disable Key Vault's soft delete feature." - } - }, - "softDeleteRetentionInDays": { - "type": "int", - "defaultValue": 90, - "metadata": { - "description": "Optional. softDelete data retention days. It accepts >=7 and <=90." - } - }, - "enableRbacAuthorization": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." - } - }, - "createMode": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default." - } - }, - "enablePurgeProtection": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Provide 'true' to enable Key Vault's purge protection feature." - } - }, - "vaultSku": { - "type": "string", - "defaultValue": "Premium", - "allowedValues": [ - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Specifies the SKU for the vault" - } - }, - "networkAcls": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Service endpoint object information" - } - }, - "vNetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well" - } - }, - "diagnosticSettingName": { - "type": "string", - "defaultValue": "service", - "metadata": { - "description": "Optional. The name of the Diagnostic setting." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Key Vault from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "privateEndpoints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Configuration Details for private endpoints." - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Resource tags." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - }, - "baseTime": { - "type": "string", - "defaultValue": "[utcNow('u')]", - "metadata": { - "description": "Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules." - } - } - }, - - "variables": { - "moduleName": "Key Vault", - "maxNameLength": 24, - "uniqueKeyVaultNameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]", - "uniqueKeyVaultName": "[if(greater(length(variables('uniqueKeyVaultNameUntrim')),variables('maxNameLength')),substring(variables('uniqueKeyVaultNameUntrim'),0,variables('maxNameLength')),variables('uniqueKeyVaultNameUntrim'))]", - "keyVaultName": "[if(empty(parameters('keyVaultName')),variables('uniqueKeyVaultName'),parameters('keyVaultName'))]", - "deployServiceEndpoint": "[not(empty(parameters('networkAcls')))]", - "virtualNetworkRules": { - "copy": [ - { - "name": "virtualNetworkRules", - "count": "[if(not(variables('deployServiceEndpoint')), 0, length(parameters('networkAcls').virtualNetworkRules))]", - "input": { - "id": "[concat(parameters('vNetId'), '/subnets/', parameters('networkAcls').virtualNetworkRules[copyIndex('virtualNetworkRules')].subnet)]" - } - } - ] - }, - "networkAcls": { - "bypass": "[if(not(variables('deployServiceEndpoint')), 
json('null'), parameters('networkAcls').bypass)]", - "defaultAction": "[if(not(variables('deployServiceEndpoint')), json('null'), parameters('networkAcls').defaultAction)]", - "virtualNetworkRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').virtualNetworkRules), 0), variables('emptyArray'), variables('virtualNetworkRules').virtualNetworkRules))]", - "ipRules": "[if(not(variables('deployServiceEndpoint')), json('null'), if(equals(length(parameters('networkAcls').ipRules), 0), variables('emptyArray'), parameters('networkAcls').ipRules))]" - }, - "emptyArray": [ - ], - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogs": [ - { - "category": "AuditEvent", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Key Vault Administrator (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User (preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Azure Service Deploy Release Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '21d96096-b162-414a-8302-d8354f9d91b2')]", - "masterreader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Key Vault - { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2019-09-01", - "name": "[variables('keyVaultName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "enabledForDeployment": "[parameters('enableVaultForDeployment')]", - "enabledForTemplateDeployment": "[parameters('enableVaultForTemplateDeployment')]", - "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]", - "enableSoftDelete": "[parameters('enableSoftDelete')]", - "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]", - "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]", - "createMode": "[parameters('createMode')]", - "enablePurgeProtection": "[if(not(parameters('enablePurgeProtection')), json('null'), parameters('enablePurgeProtection'))]", - "tenantId": "[subscription().tenantId]", - "accessPolicies": "[parameters('accessPolicies')]", - "sku": { - "name": "[parameters('vaultSku')]", - "family": "A" - }, - "networkAcls": "[if(not(variables('deployServiceEndpoint')), json('null'), variables('networkAcls'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/keyVaultDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "comments": "Resource lock on Azure Key Vault", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.KeyVault/vaults/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(variables('keyVaultName'), '/Microsoft.Insights/', parameters('diagnosticSettingName'))]", - "location": "[parameters('location')]", - "condition": 
"[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - // Key Vault Secrets - { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2019-09-01", - "condition": "[not(empty(parameters('secretsObject').secrets))]", - "name": "[if(empty(parameters('secretsObject').secrets), concat(variables('keyVaultName'), '/', 'secretEntity'), concat(variables('keyVaultName'), '/', parameters('secretsObject').secrets[copyIndex()].secretName))]", - "properties": { - "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]" - }, - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - ], - "copy": { - "name": "secretsCopy", - "count": "[length(parameters('secretsObject').secrets)]" - } - }, - // Key Vault Keys - { - 
"type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2019-09-01", - "condition": "[not(empty(parameters('keysObject').keys))]", - "name": "[if(empty(parameters('keysObject').keys), concat(variables('keyVaultName'), '/', 'keyEntity'), concat(variables('keyVaultName'), '/', parameters('keysObject').keys[copyIndex()].keyName))]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" - ], - "properties": { - "kty": "[parameters('keysObject').keys[copyIndex()].keyType]", - "keyOps": "[parameters('keysObject').keys[copyIndex()].keyOps]", - "keySize": "[parameters('keysObject').keys[copyIndex()].keySize]", - "curveName": "[parameters('keysObject').keys[copyIndex()].curveName]" - }, - "copy": { - "name": "keyCopy", - "count": "[length(parameters('keysObject').keys)]" - } - }, - // Private Endpoints - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat(uniqueString(deployment().name, parameters('location')), '-KeyVault-PrivateEndpoints','-',copyIndex())]", - "condition": "[not(empty(parameters('privateEndpoints')))]", - "dependsOn": [ - "[variables('keyVaultName')]" - ], - "copy": { - "name": "privateEndpointsCopy", - "count": "[length(parameters('privateEndpoints'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "privateEndpointResourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" - }, - "privateEndpointVnetLocation": { - "value": "[if(empty(parameters('privateEndpoints')),'dummy',reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId,'/subnets/')[0],'2020-06-01', 'Full').location)]" - }, - "privateEndpoint": { - "value": "[parameters('privateEndpoints')[copyIndex()]]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "privateEndpointResourceId": { - "type": "string" - }, - "privateEndpointVnetLocation": { - "type": "string" - }, - "privateEndpoint": { - "type": "object" - }, - "tags": { - "type": "object" - } - }, - "variables": { - "privateEndpointResourceName": "[last(split(parameters('privateEndpointResourceId'),'/'))]", - "privateEndpoint": { - "name": "[if(contains(parameters('privateEndpoint'), 'name'),if(empty(parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service),parameters('privateEndpoint').name),concat(variables('privateEndpointResourceName'),'-',parameters('privateEndpoint').service))]", - "subnetResourceId": "[parameters('privateEndpoint').subnetResourceId]", - "service": [ - "[parameters('privateEndpoint').service]" - ], - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoint'), 'privateDnsZoneResourceIds'),if(empty(parameters('privateEndpoint').privateDnsZoneResourceIds),createArray(),parameters('privateEndpoint').privateDnsZoneResourceIds),createArray())]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoint'), 'customDnsConfigs'),if(empty(parameters('privateEndpoint').customDnsConfigs),json('null'),parameters('privateEndpoint').customDnsConfigs),json('null'))]" - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2020-05-01", - "name": "[variables('privateEndpoint').name]", - "location": "[parameters('privateEndpointVnetLocation')]", - "tags": "[parameters('tags')]", - "properties": { - "privateLinkServiceConnections": [ - { - "name": "[variables('privateEndpoint').name]", - "properties": { - "privateLinkServiceId": "[parameters('privateEndpointResourceId')]", - "groupIds": "[variables('privateEndpoint').service]" - } - } - ], - "manualPrivateLinkServiceConnections": [], - "subnet": { - 
"id": "[variables('privateEndpoint').subnetResourceId]" - }, - "customDnsConfigs": "[variables('privateEndpoint').customDnsConfigs]" - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2020-05-01", - "condition": "[not(empty(variables('privateEndpoint').privateDnsZoneResourceIds))]", - "name": "[concat(variables('privateEndpoint').name, '/default')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpoint').name)]" - ], - "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(variables('privateEndpoint').privateDnsZoneResourceIds)]", - "input": { - "name": "[last(split(variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')],'/'))]", - "properties": { - "privateDnsZoneId": "[variables('privateEndpoint').privateDnsZoneResourceIds[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - } - } - ] - } - } - }, - // RBAC - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[variables('keyVaultName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "keyVaultName": { - "value": "[variables('keyVaultName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "keyVaultName": { - "type": "string" - } - }, - 
"resources": [ - { - "type": "Microsoft.KeyVault/vaults/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('keyVaultName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "keyVaultResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]", - "metadata": { - "description": "The Resource Id of the Key Vault." - } - }, - "keyVaultResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the Key Vault was created in." - } - }, - "keyVaultName": { - "type": "string", - "value": "[variables('keyVaultName')]", - "metadata": { - "description": "The Name of the Key Vault." - } - }, - "keyVaultUrl": { - "type": "string", - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')),'2016-10-01').vaultUri]", - "metadata": { - "description": "The URL of the Key Vault." - } - } - } -} diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 4b8d4eae23..77d4fa7db0 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -1,57 +1,54 @@ -# KeyVault +# KeyVault `[Microsoft.KeyVault/vaults]` -[![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() - -[![Deploy To Azure US Gov](/docs/media/deploytoazuregov.svg?sanitize=true)]() - -[![Visualize](/docs/media/visualizebutton.svg?sanitize=true)]() +This module deploys a key vault and it's child resources. ## Resource types | Resource Type | Api Version | | :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.KeyVault/vaults` | 2019-09-01 | | `Microsoft.KeyVault/vaults/keys` | 2019-09-01 | -| `Microsoft.KeyVault/vaults/providers/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.KeyVault/vaults/providers/roleAssignments` | 2018-09-01-preview | +| `Microsoft.KeyVault/vaults/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.KeyVault/vaults/secrets` | 2019-09-01 | -| `Microsoft.KeyVault/vaults` | 2019-09-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `providers/locks` | 2016-09-01 | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `keyVaultName` | string | | | Optional. Name of the Key Vault Name. If no name is provided, then unique name will be created.| -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `accessPolicies` | object | `{}` | Complex structure, see below. | Optional. Access policies object -| `secretsObject` | object | `{}` | Complex structure, see below. | Optional. All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object -| `keysObject` | object | `{}` | Complex structure, see below. | Optional. 
All secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object -| `enableVaultForDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for deployment by script or compute -| `enableVaultForTemplateDeployment` | bool | `true` | | Optional. Specifies if the vault is enabled for a template deployment -| `enableVaultForDiskEncryption` | bool | `true` | | Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. -| `enableSoftDelete` | bool | `true` | | Optional. Switch to enable Key Vault's soft delete feature. -| `softDeleteRetentionInDays` | int | 90 | | Optional. softDelete data retention days. It accepts >=7 and <=90. -| `enableRbacAuthorization` | bool | `false` | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. -| `createMode` | bool | `true` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. -| `enablePurgeProtection` | bool | `false` | | Optional. Switch to enable Key Vault's purge protection feature. -| `vaultSku` | string | `Premium` | Premium, Standard |Optional. Specifies the SKU for the vault -| `vNetId` | string | "" | | Optional. Virtual Network Identifier used to create a service endpoint. -| `networkAcls` | object | {} | Complex structure, see below. | Optional. Network ACLs, this value contains IPs to whitelist and/or Subnet information. 
-| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. -| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. -| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. -| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. -| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. 
+| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `accessPolicies` | array | `[]` | | Optional. Array of access policies object | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | +| `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | +| `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | +| `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | +| `enableVaultForDeployment` | bool | `True` | `[True, False]` | Optional. 
Specifies if the vault is enabled for deployment by script or compute | +| `enableVaultForDiskEncryption` | bool | `True` | `[True, False]` | Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | +| `enableVaultForTemplateDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for a template deployment | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `keysObject` | secureObject | `{object}` | | Optional. All keys [{"keyName":"","keyType":"","keyOps":"","keySize":"","curvename":""} wrapped in a secure object] | +| `keyVaultName` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AuditEvent]` | `[AuditEvent]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `secretsObject` | secureObject | `{object}` | | Optional. All secrets [{"secretName":"","secretValue":""} wrapped in a secure object] | +| `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `vaultSku` | string | `premium` | `[premium, standard]` | Optional. Specifies the SKU for the vault | +| `vNetId` | string | | | Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
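Review bot: the regenerated parameter table disagrees with the template it documents in two places. `keysObject` is described with a `curvename` property, but the template reads `curveName` (the deleted deploy.json uses `parameters('keysObject').keys[copyIndex()].curveName`); use one spelling, and fix the bracket placement in both the `keysObject` and `secretsObject` descriptions, which currently read `[{...} wrapped in a secure object]`. Second, `False` defaults are rendered as empty cells (`enablePurgeProtection`, `enableRbacAuthorization`) while `True` defaults are printed, so a reader cannot tell an unset default from a false one; have the readme generator print `False`. Nit in the module summary: `it's child resources` should be `its child resources`.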
@@ -229,17 +226,12 @@ To use Private Endpoint the following dependencies must be deployed: | `keyVaultResourceId` | string | The Resource Id of the Key Vault. | | `keyVaultUrl` | string | The URL of the Key Vault. | -## Considerations - -**N/A* - -## Additional resources +## Template references -- [What is Azure Key Vault?](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis) -- [Microsoft.KeyVault vaults template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) - [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults) -- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets) -- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Vaults/Keys](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys) +- [Vaults/Secrets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) 
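Review bot: the new Template references list omits `Microsoft.KeyVault/vaults/providers/roleAssignments` (2021-04-01-preview), which the Resource types table earlier in the same readme lists; add a reference so the two sections stay in sync. Also, the removed Additional resources block was the only link to the Key Vault product documentation, and this module's defaults (soft delete on, purge protection off, access-policy rather than RBAC authorization) have security consequences; keep the "What is Azure Key Vault?" link, or move it into the Considerations section instead of deleting that section as `N/A`.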
diff --git a/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep index 4ef6bce6a0..53d6c54c5f 100644 --- a/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Logic/workflows/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Logic/workflows/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Logic/workflows/deploy.bicep b/arm/Microsoft.Logic/workflows/deploy.bicep index c7700cef1f..f91a0a218d 100644 --- a/arm/Microsoft.Logic/workflows/deploy.bicep +++ b/arm/Microsoft.Logic/workflows/deploy.bicep 
@@ -97,27 +97,40 @@ param workflowStaticResults object = {} @description('Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer.') param workflowTriggers object = {} -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'WorkflowRuntime' +]) +param logsToEnable array = [ + 'WorkflowRuntime' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] -var diagnosticsLogs = [ - { - category: 'WorkflowRuntime' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') diff --git a/arm/Microsoft.Logic/workflows/deploy.json b/arm/Microsoft.Logic/workflows/deploy.json deleted file mode 100644 index 5fe2fcc63f..0000000000 --- a/arm/Microsoft.Logic/workflows/deploy.json +++ /dev/null 
@@ -1,414 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "actionsAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for workflow actions." - } - }, - "connectorEndpointsConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the connector." - } - }, - "contentsAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for accessing workflow run contents." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered." - } - }, - "definitionParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the definition template." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "identity": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Type of managed identity for resource. SystemAssigned or UserAssigned." - } - }, - "integrationAccount": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The integration account." - } - }, - "integrationServiceEnvironment": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The integration service environment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag indicating if resource is locked for deletion." - } - }, - "logicAppName": { - "type": "string", - "metadata": { - "description": "Required. The logic app workflow name." - } - }, - "roleAssignments": { - "defaultValue": [], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "sku": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Sku of Logic App. 
Only to be set when integrating with ISE." - } - }, - "state": { - "type": "string", - "defaultValue": "Enabled", - "allowedValues": [ "NotSpecified", "Completed", "Enabled", "Disabled", "Deleted", "Suspended" ], - "metadata": { - "description": "Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "triggersAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for invoking workflow triggers." - } - }, - "workflowActions": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more actions to execute at workflow runtime." - } - }, - "workflowEndpointsConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow." - } - }, - "workflowManagementAccessControlConfiguration": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The access control configuration for workflow management." - } - }, - "workflowOutputs": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for the outputs to return from a workflow run." - } - }, - "workflowParameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more parameters that pass the values to use at your logic app's runtime." - } - }, - "workflowStaticResults": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. 
In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults." - } - }, - "workflowTriggers": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer." - } - } - }, - "variables": { - "builtInRoleNames": { - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Azure Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogs": [ - { - "category": "WorkflowRuntime", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ] - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "name": "[parameters('logicAppName')]", - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "location": "[parameters('location')]", - "tags": "[if(empty(parameters('tags')), json('null'), parameters('tags'))]", - "identity": "[if(not(empty(parameters('identity'))),parameters('identity'), json('null'))]", - "properties": { - "state": 
"[parameters('state')]", - "endpointsConfiguration": { - "workflow": "[parameters('workflowEndpointsConfiguration')]", - "connector": "[parameters('connectorEndpointsConfiguration')]" - }, - "sku": "[if(not(empty(parameters('sku'))), parameters('sku'), json('null'))]", - "accessControl": { - "triggers": "[if(not(empty(parameters('triggersAccessControlConfiguration'))), parameters('triggersAccessControlConfiguration'), json('null'))]", - "contents": "[if(not(empty(parameters('contentsAccessControlConfiguration'))), parameters('contentsAccessControlConfiguration'), json('null'))]", - "actions": "[if(not(empty(parameters('actionsAccessControlConfiguration'))), parameters('actionsAccessControlConfiguration'), json('null'))]", - "workflowManagement": "[if(not(empty(parameters('workflowManagementAccessControlConfiguration'))), parameters('workflowManagementAccessControlConfiguration'), json('null'))]" - }, - "integrationAccount": "[if(not(empty(parameters('integrationAccount'))), parameters('integrationAccount'), json('null'))]", - "integrationServiceEnvironment": "[if(not(empty(parameters('integrationServiceEnvironment'))), parameters('integrationServiceEnvironment'), json('null'))]", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": "[parameters('workflowActions')]", - "contentVersion": "1.0.0.0", - "outputs": "[parameters('workflowOutputs')]", - "parameters": "[parameters('workflowParameters')]", - "staticResults": "[parameters('workflowStaticResults')]", - "triggers": "[parameters('workflowTriggers')]" - }, - "parameters": "[parameters('definitionParameters')]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/logicAppDoNotDelete", - "dependsOn": [ - "[resourceId('Microsoft.Logic/workflows/', parameters('logicAppName'))]" - ], - "comments": 
"Resource lock on the Azure Log App Workflow", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Logic/workflows/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('logicAppName'), '/Microsoft.Insights/diagnosticsetting')]", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Logic/workflows/', parameters('logicAppName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "apiVersion": "2020-06-01", - "type": "Microsoft.Resources/deployments", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('logicAppName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - 
"properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "logicAppName": { - "value": "[parameters('logicAppName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "logicAppName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('logicAppName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('logicAppName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [], - "outputs": { - "logicAppName": { - "type": "string", - "value": "[parameters('logicAppName')]", - "metadata": { - "description": "The Name of the Logic App." - } - }, - "logicAppResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the Logic App was created in." 
- } - }, - "logicAppResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Logic/workflows',parameters('logicAppName'))]", - "metadata": { - "description": "The Resource Id of the Logic App." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Logic/workflows/readme.md b/arm/Microsoft.Logic/workflows/readme.md index 00fe2f98a2..cc606ac373 100644 --- a/arm/Microsoft.Logic/workflows/readme.md +++ b/arm/Microsoft.Logic/workflows/readme.md 
@@ -1,49 +1,50 @@ -# LogicApp +# LogicApp `[Microsoft.Logic/workflows]` This module deploys Logic App resource. ## Resource types -| Resource Type | Api Version | -| -------------------------------------------------------- | ------------------ | -| `Microsoft.Logic/workflows`| 2019-05-01 | -| `Microsoft.Logic/workflows/providers/diagnosticsettings` | 2017-05-01-preview | -| `Microsoft.Logic/workflows/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `providers/locks`| 2016-09-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Logic/workflows` | 2019-05-01 | +| `Microsoft.Logic/workflows/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `actionsAccessControlConfiguration` | object | Optional. The access control configuration for workflow actions. | | | -| `connectorEndpointsConfiguration` | object | Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | | | -| `contentsAccessControlConfiguration` | object | Optional. The access control configuration for accessing workflow run contents. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | | | -| `definitionParameters` | object | Optional. Parameters for the definition template. | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `identity` | object | Optional. Type of managed identity for resource. SystemAssigned or UserAssigned. | | | -| `integrationAccount` | object | Optional. The integration account. | | | -| `integrationServiceEnvironment` | object | Optional. The integration service environment. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `logicAppName` | string | Required. The logic app workflow name. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | System.Object[] | | -| `sku` | object | Optional. Sku of Logic App. Only to be set when integrating with ISE. | | | -| `state` | string | Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | Enabled | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `triggersAccessControlConfiguration` | object | Optional. The access control configuration for invoking workflow triggers. | | | -| `workflowActions` | object | Optional. The definitions for one or more actions to execute at workflow runtime. | | | -| `workflowEndpointsConfiguration` | object | Optional. 
The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. | | | -| `workflowManagementAccessControlConfiguration` | object | Optional. The access control configuration for workflow management. | | | -| `workflowOutputs` | object | Optional. The definitions for the outputs to return from a workflow run. | | | -| `workflowParameters` | object | Optional. The definitions for one or more parameters that pass the values to use at your logic app's runtime. | | | -| `workflowStaticResults` | object | Optional. The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | | | -| `workflowTriggers` | object | Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `actionsAccessControlConfiguration` | object | `{object}` | | Optional. The access control configuration for workflow actions. | +| `connectorEndpointsConfiguration` | object | `{object}` | | Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | +| `contentsAccessControlConfiguration` | object | `{object}` | | Optional. The access control configuration for accessing workflow run contents. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| `definitionParameters` | object | `{object}` | | Optional. Parameters for the definition template. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. 
| +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `identity` | object | `{object}` | | Optional. Type of managed identity for resource. SystemAssigned or UserAssigned. | +| `integrationAccount` | object | `{object}` | | Optional. The integration account. | +| `integrationServiceEnvironment` | object | `{object}` | | Optional. The integration service environment. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logicAppName` | string | | | Required. The logic app workflow name. | +| `logsToEnable` | array | `[WorkflowRuntime]` | `[WorkflowRuntime]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `sku` | object | `{object}` | | Optional. Sku of Logic App. Only to be set when integrating with ISE. 
| +| `state` | string | `Enabled` | `[NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended]` | Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `triggersAccessControlConfiguration` | object | `{object}` | | Optional. The access control configuration for invoking workflow triggers. | +| `workflowActions` | object | `{object}` | | Optional. The definitions for one or more actions to execute at workflow runtime. | +| `workflowEndpointsConfiguration` | object | `{object}` | | Optional. The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. | +| `workflowManagementAccessControlConfiguration` | object | `{object}` | | Optional. The access control configuration for workflow management. | +| `workflowOutputs` | object | `{object}` | | Optional. The definitions for the outputs to return from a workflow run. | +| `workflowParameters` | object | `{object}` | | Optional. The definitions for one or more parameters that pass the values to use at your logic app's runtime. | +| `workflowStaticResults` | object | `{object}` | | Optional. The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | +| `workflowTriggers` | object | `{object}` | | Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `identity` 
@@ -168,22 +169,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a } ``` -### Parameter Usage: `encryption` - ## Outputs -| Output Name | Type | Description| -| ----------------------- | ------ | ------------------------------------------------------------ | -| `logicAppResourceId` | string | The Resource Id of the Logic App. | -| `logicAppResourceGroup` | string | The name of the Resource Group the Logic App was created in. | -| `logicAppName`| string | The Name of the Logic App. | - -## Considerations - -_N/A_ +| Output Name | Type | +| :-- | :-- | +| `logicAppName` | string | +| `logicAppResourceGroup` | string | +| `logicAppResourceId` | string | -## Additional resources +## Template references -- [Microsoft.Logic workflows template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.logic/workflows?tabs=json) -- [What is Logic App?](https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Workflows](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Logic/2019-05-01/workflows) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep index 322642b0ca..29ca1a09f0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep 
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep index d3d5e9dfdf..c873386b58 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.MachineLearningServices/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.MachineLearningServices/workspaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 6dc9380125..ceb6487c6e 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -69,60 +69,48 @@ param eventHubAuthorizationRuleId string = '' @description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param eventHubName string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'AmlComputeClusterEvent' + 'AmlComputeClusterNodeEvent' + 'AmlComputeJobEvent' + 'AmlComputeCpuGpuUtilization' + 'AmlRunStatusChangedEvent' +]) +param logsToEnable array = [ + 'AmlComputeClusterEvent' + 'AmlComputeClusterNodeEvent' + 'AmlComputeJobEvent' + 'AmlComputeCpuGpuUtilization' + 'AmlRunStatusChangedEvent' ] -var diagnosticsLogs = [ - { - category: 'AmlComputeClusterEvent' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AmlComputeClusterNodeEvent' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AmlComputeJobEvent' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AmlComputeCpuGpuUtilization' +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'AmlRunStatusChangedEvent' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] var builtInRoleNames = { 'AzureML Metrics Writer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae' diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 82a2de8a2f..86783d3235 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -1,43 +1,44 @@ -# Machine Learning Services +# Machine Learning Services `[Microsoft.MachineLearningServices/workspaces]` This module deploys a Machine Learning Services Workspace. ## Resource types -| Resource Type | Api Version | -| :----------------------------------------------------------------------- | :----------------- | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.MachineLearningServices/workspaces/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.MachineLearningServices/workspaces` | 2021-04-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2019-10-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.MachineLearningServices/workspaces` | 2021-04-01 | +| `Microsoft.MachineLearningServices/workspaces/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :---------------------------------------- | :----- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------- | :-------------- | -| `allowPublicAccessWhenBehindVnet` | bool | Optional. The flag to indicate whether to allow public access when behind VNet. 
| False | | -| `associatedApplicationInsightsResourceId` | string | Required. The resource id of the associated Application Insights. | | | -| `associatedContainerRegistryResourceId` | string | Optional. The resource id of the associated Container Registry. | | | -| `associatedKeyVaultResourceId` | string | Required. The resource id of the associated Key Vault. | | | -| `associatedStorageAccountResourceId` | string | Required. The resource id of the associated Storage Account. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticSettingName` | string | Optional. The name of the Diagnostic setting. | service | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `hbiWorkspace` | bool | Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | False | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | | -| `roleAssignments` | array | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `sku` | string | Required. Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | | System.Object[] | -| `tags` | object | Optional. Resource tags. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `workspaceName` | string | Required. The name of the machine learning workspace. | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `allowPublicAccessWhenBehindVnet` | bool | | | Optional. The flag to indicate whether to allow public access when behind VNet. | +| `associatedApplicationInsightsResourceId` | string | | | Required. The resource id of the associated Application Insights. | +| `associatedContainerRegistryResourceId` | string | | | Optional. The resource id of the associated Container Registry. | +| `associatedKeyVaultResourceId` | string | | | Required. The resource id of the associated Key Vault. | +| `associatedStorageAccountResourceId` | string | | | Required. The resource id of the associated Storage Account. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticSettingName` | string | `service` | | Optional. The name of the Diagnostic setting. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. 
| +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `hbiWorkspace` | bool | | | Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sku` | string | | `[Basic, Enterprise]` | Required. Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `workspaceId` | string | | | Optional. 
Resource identifier of Log Analytics. | +| `workspaceName` | string | | | Required. The name of the machine learning workspace. | ### Parameter Usage: `roleAssignments` 
@@ -120,19 +121,16 @@ To use Private Endpoint the following dependencies must be deployed: ## Outputs -| Output Name | Type | Description | -| :------------------------------------ | :----- | :------------------------------------------------------------------------------------ | -| `machineLearningServiceResourceId` | string | The Resource Id of the Machine Learning Service workspace. | -| `machineLearningServiceResourceGroup` | string | The name of the Resource Group the Machine Learning Service workspace was created in. | -| `machineLearningServiceName` | string | The name of the Machine Learning Service workspace. | +| Output Name | Type | +| :-- | :-- | +| `machineLearningServiceName` | string | +| `machineLearningServiceResourceGroup` | string | +| `machineLearningServiceResourceId` | string | -## Considerations +## Template references -## Additional resources - -- [What is Azure Machine Learning?](https://docs.microsoft.com/en-us/azure/machine-learning/overview-what-is-azure-ml) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-04-01/workspaces) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) -- [DiagnosticSettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-04-01/workspaces) +- 
[Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep index 8d44c6b551..3dc51ba921 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md index faf8d4c61d..1cc7a0177c 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md 
@@ -1,27 +1,26 @@ -# User Assigned Identities +# User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` This module deploys User Assigned Identities, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.ManagedIdentity/userAssignedIdentities`|2018-11-30| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.ManagedIdentity/userAssignedIdentities` | 2018-11-30 | +| `Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `userMsiName` | string | Optional. Name of the User Assigned Identity. | [guid(resourceGroup().id)] | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `userMsiName` | string | `[guid(resourceGroup().id)]` | | Optional. Name of the User Assigned Identity. | ### Parameter Usage: `roleAssignments` 
@@ -71,19 +70,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `msiName` | string | The name of the User Assigned Identity. | -| `msiPrincipalId` | string | The Principal Id of the User Assigned Identity. | -| `msiResourceGroup` | string | The name of the Resource Group the User Assigned Identity was created in. | -| `msiResourceId` | string | The Resource Id of the User Assigned Identity. | +| Output Name | Type | +| :-- | :-- | +| `msiName` | string | +| `msiPrincipalId` | string | +| `msiResourceGroup` | string | +| `msiResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [What are managed identities for Azure resources?](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -- [Microsoft.ManagedIdentity resource types](https://docs.microsoft.com/en-us/azure/templates/microsoft.managedidentity/allversions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Userassignedidentities](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md index b7bb6d21b2..9fca7e9437 100644 --- a/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md +++ b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md 
@@ -1,4 +1,4 @@ -# registrationDefinitions +# registrationDefinitions `[Microsoft.ManagedServices/registrationDefinitions]` This module deploys `registrationDefinitions` and `registrationAssignments` (often refered to as 'Lighthouse' or 'resource delegation') on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is 
@@ -8,21 +8,20 @@ remote/managing tenant. ## Resource types -| Resource Type | ApiVersion | -| :-------------------------------------------------- | :--------- | -| `Microsoft.ManagedServices/registrationDefinitions` | 2019-09-01 | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.ManagedServices/registrationAssignments` | 2019-09-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.ManagedServices/registrationDefinitions` | 2019-09-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :--------------------------- | :----- | :------------ | :---------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `registrationDefinitionName` | string | | | Required. Specify a unique name for your offer/registration. i.e '\ - \ - \' | -| `registrationDescription` | string | | | Required. Description of the offer/registration. i.e. 'Managed by \' | -| `managedByTenantId` | string | | GUID | Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | -| `authorizations` | array | | Complex structure, see below. | Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | -| `resourceGroupName` | string | "" | | Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. 
| +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `authorizations` | array | | | Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | +| `managedByTenantId` | string | | | Required. Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | +| `registrationDefinitionName` | string | | | Required. Specify a unique name for your offer/registration. i.e ' - - ' | +| `registrationDescription` | string | | | Required. Description of the offer/registration. i.e. 'Managed by ' | +| `resourceGroupName` | string | | | Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | ### Parameter Usage: `authorizations` @@ -58,11 +57,12 @@ remote/managing tenant. ## Outputs -| Output Name | Type | Description | -| :--------------------------- | :----- | :---------------------------------- | -| `registrationDefinitionName` | string | The name of the offer/registration. | -| `registrationDefinitionId` | string | The ID of the offer/registration. | -| `registrationAssignmentId` | string | The ID of the resource delegation. | +| Output Name | Type | +| :-- | :-- | +| `registrationAssignmentId` | string | +| `registrationDefinitionId` | string | +| `registrationDefinitionName` | string | + ## Considerations 
@@ -116,9 +116,7 @@ There are a couple of limitations that you should be aware of with Lighthouse: - [Current limitations - Cross-tenant management experiences | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience#current-limitations) - [Troubleshooting - Onboard a customer to Azure Lighthouse | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#troubleshooting) -## Additional resources +## Template references -- [What is Azure Lighthouse? | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/overview) -- [Azure delegated resource management | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/azure-delegated-resource-management) -- [Cross-tenant management experiences | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience) -- [Onboard a customer to Azure Lighthouse | Microsoft Docs](https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer) +- [Registrationassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationAssignments) +- [Registrationdefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationDefinitions) diff --git a/arm/Microsoft.Management/managementGroups/readme.md b/arm/Microsoft.Management/managementGroups/readme.md index e9f14003c1..c5f59d6fc6 100644 --- a/arm/Microsoft.Management/managementGroups/readme.md +++ b/arm/Microsoft.Management/managementGroups/readme.md @@ -1,4 +1,4 @@ -# Management groups +# Management groups `[Microsoft.Management/managementGroups]` This template will prepare the Management group structure based on the provided parameter. 
@@ -9,20 +9,19 @@ This module has some known **limitations**: ## Resource types -| Resource Type | ApiVersion | -| :---------------------------------------- | :----------------- | -| `Microsoft.Management/managementGroups` | 2021-04-01 | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Management/managementGroups` | 2021-04-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :-------------------- | :----- | :------------ | :-------------- | :------------------------------------------------------------------------------ | -| `managementGroupName` | string | | | Optional. The management group display name. Defaults to the managementGroupId. | -| `managementGroupId` | string | | | Required. The management group id. | -| `parentId` | string | '' | | Optional. The management group parent id. Defaults to current scope. | -| `roleAssignments` | array | [] | | Optional. Array of role assignment objects to define RBAC on this resource. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `managementGroupId` | string | | | Required. The management group id. | +| `managementGroupName` | string | | | Optional. The management group display name. Defaults to managementGroupId. | +| `parentId` | string | | | Optional. The management group parent id. Defaults to current scope. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects to define RBAC on this resource. | ### Parameter Usage: `roleAssignments` 
@@ -60,26 +59,28 @@ This module has some known **limitations**: ## Outputs -| Output Name | Type | Description | -| :-------------------- | :--- | :--------------------------- | -| `managementGroupName` | int | Name of the management group | -| `managementGroupId` | int | Id of the management group | +| Output Name | Type | +| :-- | :-- | +| `managementGroupId` | string | +| `managementGroupName` | string | ## Considerations This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) -> If owner access is excessive, the following rights roles will grant enough rights: -> **Automation Job Operator** at **tenant** level (scope '/')
    -> **Management Group Contributor** at the top management group that needs to be managed -> ->> Consider using the following script:
    ->> `$PrincipalID = ""`
    ->> `$TopMGID = ""`
    ->> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator"`
    ->> `New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor"` +If owner access is excessive, the following rights roles will grant enough rights: +- **Automation Job Operator** at **tenant** level (scope '/') +- **Management Group Contributor** at the top management group that needs to be managed -## Additional resources +Consider using the following script: +```powershell +$PrincipalID = "" +$TopMGID = "" +New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator" +New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor" +``` + +## Template references -- [Management group](https://docs.microsoft.com/en-us/azure/governance/management-groups/) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Managementgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Management/2021-04-01/managementGroups) diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep index b24daa1c3c..f416e71d92 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep index 38b1c8b1b7..9c057eca34 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName 
diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep index c95c6353df..167984f205 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.NetApp/netAppAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.NetApp/netAppAccounts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.NetApp/netAppAccounts/readme.md b/arm/Microsoft.NetApp/netAppAccounts/readme.md index 211c6cbefc..44b9390d2a 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/readme.md +++ b/arm/Microsoft.NetApp/netAppAccounts/readme.md 
@@ -1,34 +1,36 @@ -# AzureNetAppFiles +# AzureNetAppFiles `[Microsoft.NetApp/netAppAccounts]` This template deploys Azure NetApp Files. ## Resource types -| Resource Type | ApiVersion | +| Resource Type | Api Version | | :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.NetApp/netAppAccounts` | 2021-04-01 | | `Microsoft.NetApp/netAppAccounts/capacityPools` | 2021-04-01 | +| `Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | 2021-04-01 | -| `Microsoft.NetApp/netAppAccounts/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.NetApp/netAppAccounts/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `capacityPools` | array | Optional. Capacity pools to create. | `[]` | Complex structure, see below. | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | `""` | | -| `dnsServers` | string | Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | `""` | | -| `domainJoinOU` | string | Optional. Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. `"OU=SecondLevel,OU=FirstLevel"`). | `""` | | -| `domainJoinPassword` | securestring | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | `""` | | -| `domainJoinUser` | string | Optional. 
Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | `""` | | -| `domainName` | string | Optional. Fully Qualified Active Directory DNS Domain Name (e.g. `"contoso.com"`). | `""` | | -| `location` | string | Optional. Location for all resources. | `"[resourceGroup().location]"` | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `netAppAccountName` | string | Required. The name of the NetApp account. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.| `[]` | Complex structure, see below. | -| `smbServerNamePrefix` | string | Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | `""` | | -| `tags` | object | Optional. Tags of all resources. | `{}` | Complex structure, see below. | +| `capacityPools` | array | `[]` | | Optional. Capacity pools to create. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `dnsServers` | string | | | Optional. Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | +| `domainJoinOU` | string | | | Optional. Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 
'OU=SecondLevel,OU=FirstLevel'). | +| `domainJoinPassword` | secureString | | | Optional. Required if domainName is specified. Password of the user specified in domainJoinUser parameter | +| `domainJoinUser` | string | | | Optional. Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | +| `domainName` | string | | | Optional. Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com') | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `netAppAccountName` | string | | | Required. The name of the NetApp account. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `smbServerNamePrefix` | string | | | Optional. Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes | +| `tags` | object | `{object}` | | Optional. Tags for all resources. | ### Parameter Usage: `capacityPools` 
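Review bot: the regenerated Parameters table in this readme hunk introduces two documentation regressions that should be fixed at the source description rather than in the generated file: the `roleAssignments` row now reads "or it's fully qualified ID" where the removed row correctly had "its", and the `tags` default is rendered as `{object}` instead of the actual default `{}` that the removed row showed. Several descriptions also lost their trailing period (`cuaId`, `domainJoinPassword`, `domainName`, `smbServerNamePrefix`). Note too that the following hunk of this same file deletes the Considerations section, which was the only place this readme pointed readers at the dual-protocol and NFSv4.1 Kerberos encryption scenarios; if the generator cannot preserve hand-written sections, that guidance needs re-adding after regeneration.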
@@ -173,23 +175,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `netAppAccountResourceGroup` | string | The name of the Resource Group the NetApp account was created in. | -| `netAppAccountResourceId` | string | The Resource Id of the NetApp account deployed. | -| `netAppAccountName` | string | The Name of the NetApp account deployed. | - -## Considerations - -This module allows the generic deployment of SMB, NFSv3 and NFSv4.1 NetApp volumes. Please refer to the Archetype for additional scenarios, such as creating a dual-protocol (NFSv3 and SMB) volumes and configuring NFSv4.1 Kerberos encryption. +| Output Name | Type | +| :-- | :-- | +| `netAppAccountName` | string | +| `netAppAccountResourceGroup` | string | +| `netAppAccountResourceId` | string | -## Additional resources +## Template references -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [NetAppAccountS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2021-04-01/netappaccounts) -- [NetAppAccountS/capacityPoolS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2021-04-01/netappaccounts/capacitypools) -- [NetAppAccountS/capacityPoolS/volumeS](https://docs.microsoft.com/en-us/azure/templates/microsoft.netapp/2021-04-01/netappaccounts/capacitypools/volumes) -- [Configure export policy for an NFS volume](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-configure-export-policy) -- [Troubleshoot Azure NetApp Files Resource Provider 
errors](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-troubleshoot-resource-provider-errors) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Netappaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts) +- [Netappaccounts/Capacitypools](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts/capacityPools) +- [Netappaccounts/Capacitypools/Volumes](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts/capacityPools/volumes) diff --git a/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep index 9513118a8e..a8c69857c4 100644 --- a/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Network/applicationGateways/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Network/applicationGateways/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep index 7dc0456a00..5d68be8e48 100644 --- a/arm/Microsoft.Network/applicationGateways/deploy.bicep 
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep @@ -112,43 +112,45 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered.') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ApplicationGatewayAccessLog' + 'ApplicationGatewayPerformanceLog' + 'ApplicationGatewayFirewallLog' +]) +param logsToEnable array = [ + 'ApplicationGatewayAccessLog' + 'ApplicationGatewayPerformanceLog' + 'ApplicationGatewayFirewallLog' ] -var diagnosticsLogs = [ - { - category: 'ApplicationGatewayAccessLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'ApplicationGatewayPerformanceLog' + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'ApplicationGatewayFirewallLog' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var applicationGatewayResourceId = resourceId('Microsoft.Network/applicationGateways', applicationGatewayName) var subnetResourceId = resourceId(vNetSubscriptionId, vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vNetName, subnetName) var frontendPublicIPConfigurationName = 'public' 
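Review bot: in the applicationGateways deploy.bicep hunk, `logsToEnable` and `metricsToEnable` default to the full category lists, so existing callers keep collecting access, performance and firewall logs, but verify what happens when a caller passes `[]`: the `for` expressions then produce empty `diagnosticsLogs` and `diagnosticsMetrics`, silently switching off diagnostic collection with no error. If the intent is that at least one category is always collected, add `@minLength(1)` to both array parameters; otherwise document in the readme that an empty array disables the corresponding collection. The `retentionPolicy` built from `diagnosticLogsRetentionInDays` is carried over unchanged into every element, which preserves the previous behaviour.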
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md index 68d3f8a2350e3ec98f5a4c27f10e0e43daaf8590..e41ca9079f8b674332869ee32533644b48981d62 100644 GIT binary patch
diff --git a/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep index 48a8ebf85e..12e7a32413 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Network/applicationSecurityGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Network/applicationSecurityGroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/applicationSecurityGroups/readme.md b/arm/Microsoft.Network/applicationSecurityGroups/readme.md index c136f46be1..c7564b687d 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/readme.md +++ b/arm/Microsoft.Network/applicationSecurityGroups/readme.md 
@@ -1,27 +1,26 @@ -# ApplicationSecurityGroups +# ApplicationSecurityGroups `[Microsoft.Network/applicationSecurityGroups]` This module deploys Application Security Groups. ## Resource Types -|Resource Type|Api Version|  -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/applicationSecurityGroups`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/applicationSecurityGroups/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/applicationSecurityGroups` | 2021-02-01 | +| `Microsoft.Network/applicationSecurityGroups/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `applicationSecurityGroupName` | string | Required. Name of the Application Security Group. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | +| `applicationSecurityGroupName` | string | | | Required. Name of the Application Security Group. 
| +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `tags` 
@@ -71,17 +70,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `applicationSecurityGroupsName` | string | The Name of the Application Security Group deployed. | -| `applicationSecurityGroupsResourceGroup` | string | The name of the Resource Group the Application Security Groups were created in. | -| `applicationSecurityGroupsResourceId` | string | The Resource Ids of the Application Security Group deployed. | +| Output Name | Type | +| :-- | :-- | +| `applicationSecurityGroupsName` | string | +| `applicationSecurityGroupsResourceGroup` | string | +| `applicationSecurityGroupsResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Application Security Groups](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups) -- [Microsoft.Network applicationSecurityGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-08-01/applicationsecuritygroups) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Applicationsecuritygroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/applicationSecurityGroups) diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep index c6975a5461..d6e86bc1fd 100644 --- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Network/azureFirewalls/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Network/azureFirewalls/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index 3681ab60df..1d68fd4cf0 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep 
@@ -86,69 +86,67 @@ var publicIPPrefix = { var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet' var azureFirewallPipName_var = (empty(azureFirewallPipName) ? '${azureFirewallName}-pip' : azureFirewallPipName) var azureFirewallPipId = azureFirewallPip.id -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } + +@description('Optional. The name of firewall logs that will be streamed.') +@allowed([ + 'AzureFirewallApplicationRule' + 'AzureFirewallNetworkRule' + 'AzureFirewallDnsProxy' +]) +param firewallLogsToEnable array = [ + 'AzureFirewallApplicationRule' + 'AzureFirewallNetworkRule' + 'AzureFirewallDnsProxy' ] -var diagnosticsLogsAzureFirewall = [ - { - category: 'AzureFirewallApplicationRule' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AzureFirewallNetworkRule' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AzureFirewallDnsProxy' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } + +@description('Optional. The name of public IP logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationReports' + 'DDoSMitigationFlowLogs' +]) +param publicIPLogsToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationReports' + 'DDoSMitigationFlowLogs' +] + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' ] -var diagnosticsLogsPublicIp = [ - { - category: 'DDoSProtectionNotifications' + +var diagnosticsLogsAzureFirewall = [for log in firewallLogsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DDoSMitigationFlowLogs' +}] + +var diagnosticsLogsPublicIp = [for log in publicIPLogsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DDoSMitigationReports' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index 8db22e5852..e063fe918d 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md 
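Review bot: in the azureFirewalls deploy.bicep hunk the three new `param` declarations (`firewallLogsToEnable`, `publicIPLogsToEnable`, `metricsToEnable`) are inserted after `var azureFirewallPipId = azureFirewallPip.id`, in the middle of the variable block, whereas the applicationGateways hunk in this patch keeps the equivalent parameters together with the other parameters next to `cuaId`. Move them up to the parameter section so the module's input surface is readable in one place. The same empty-array consideration applies here: `[]` for `firewallLogsToEnable` leaves the firewall's application rule, network rule and DNS proxy logs uncollected, so either enforce `@minLength(1)` or document the opt-out.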
@@ -1,43 +1,45 @@ -# AzureFirewall +# AzureFirewall `[Microsoft.Network/azureFirewalls]` This module deploys Azure Firewall. ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Network/publicIPAddresses`|2021-02-01| -|`Microsoft.Network/azureFirewalls`|2021-02-01| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| -|`Microsoft.Network/azureFirewalls/providers/roleAssignments`|2018-09-01-preview| -|`Microsoft.Authorization/locks`|2016-09-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/azureFirewalls` | 2021-02-01 | +| `Microsoft.Network/azureFirewalls/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -|---|---|---|---|---| +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `applicationRuleCollections` | array | `[]` | | Optional. Collection of application rule collections used by Azure Firewall. | +| `availabilityZones` | array | `[1, 2, 3]` | | Optional. Zone numbers e.g. 1,2,3. | | `azureFirewallName` | string | | | Required. Name of the Azure Firewall. | -| `azureSkuName` | string | `AZFW_VNet` | `AZFW_VNet`, `AZFW_Hub` | Optional. Name of an Azure Firewall SKU. | -| `azureSkuTier` | string | `Standard` | `Standard`, `Premium` | Optional. Tier of an Azure Firewall. | -| `enableDnsProxy` | bool | `true` | | Optional. Enable the preview feature for DNS proxy. | -| `applicationRuleCollections` | array | [] | | Optional. Collection of application rule collections used by Azure Firewall. | -| `networkRuleCollections` | array | [] | | Optional. Collection of network rule collections used by Azure Firewall. 
| -| `natRuleCollections` | array | [] | | Optional. Collection of NAT rule collections used by Azure Firewall. | -| `vNetId` | string | | | Required. Shared services Virtual Network resource Id | | `azureFirewallPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name. | -| `publicIPPrefixId` | string | | | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | -| `diagnosticStorageAccountId` | string | | | Required. Diagnostic Storage Account resource identifier | -| `workspaceId` | string | | | Required. Log Analytics workspace resource identifier | +| `azureSkuName` | string | `AZFW_VNet` | `[AZFW_VNet, AZFW_Hub]` | Optional. Name of an Azure Firewall SKU. | +| `azureSkuTier` | string | `Standard` | `[Standard, Premium]` | Optional. Tier of an Azure Firewall. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. | -| `cuaId` | string | "" | | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| `diagnosticStorageAccountId` | string | | | Optional. Diagnostic Storage Account resource identifier | +| `enableDnsProxy` | bool | | | Optional. Enable the preview feature for DNS proxy. | | `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `location` | string | resourceGroup().location | | Optional. Location for all resources. | -| `availabilityZones` | array | ["1","2","3"] | | Optional. Availability Zones for deployment. | +| `firewallLogsToEnable` | array | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | `[AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy]` | Optional. The name of firewall logs that will be streamed. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `natRuleCollections` | array | `[]` | | Optional. Collection of NAT rule collections used by Azure Firewall. | +| `networkRuleCollections` | array | `[]` | | Optional. Collection of network rule collections used by Azure Firewall. | +| `publicIPLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | `[DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs]` | Optional. The name of public IP logs that will be streamed. | +| `publicIPPrefixId` | string | | | Optional. 
Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the Automation Account resource. | +| `vNetId` | string | | | Required. Shared services Virtual Network resource Id | +| `workspaceId` | string | | | Optional. Log Analytics workspace resource identifier | ### Parameter Usage: `roleAssignments` 
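Review bot: The new `tags` row in this azureFirewalls readme hunk reads "Optional. Tags of the Automation Account resource." which is a copy-paste from another module; it should describe the Azure Firewall resource (the removed row said "Tags of the Azure Key Vault resource.", so the wrong name predates this change but is still wrong). Two further points in the same table: `diagnosticStorageAccountId` and `workspaceId` flip from "Required." to "Optional.", so the deploy.bicep side should only emit the `Microsoft.Insights/diagnosticSettings` resource when at least one sink (storage account, workspace or event hub) is supplied, otherwise the template fails with empty resource IDs; and `enableDnsProxy` is a `bool` shown with an empty Default Value, while the removed `cuaId` row showed `""`, which suggests the new readme generator drops falsy defaults (`false`, `0`, `""`). Rendering those explicitly would keep the table truthful about what the module deploys when a value is omitted.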
@@ -88,24 +90,25 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `applicationRuleCollections` | array | List of Application Rule Collections. | -| `azureFirewallName` | string | The Name of the Azure Firewall. | -| `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall. | -| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall. | -| `azureFirewallResourceGroup` | string | The name of the Resource Group the Azure Firewall was created in. | -| `azureFirewallResourceId` | string | The Resource Id of the Azure Firewall. | -| `natRuleCollections` | array | Optional. Collection of NAT rule collections used by Azure Firewall. | -| `networkRuleCollections` | array | List of Network Rule Collections. | +| Output Name | Type | +| :-- | :-- | +| `applicationRuleCollections` | array | +| `azureFirewallName` | string | +| `azureFirewallPrivateIp` | string | +| `azureFirewallPublicIp` | string | +| `azureFirewallResourceGroup` | string | +| `azureFirewallResourceId` | string | +| `natRuleCollections` | array | +| `networkRuleCollections` | array | ## Considerations The `applicationRuleCollections` parameter accepts a JSON Array of AzureFirewallApplicationRule objects. - The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetworkRuleCollection objects. 
-## Additional resources +## Template references -- [Microsoft.Network azureFirewalls template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/azurefirewalls) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Azurefirewalls](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/azureFirewalls) +- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep index b5fe01f7ed..5809238bfd 100644 --- a/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Network/bastionHosts/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Network/bastionHosts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) 
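Review bot: The Outputs table in the azureFirewalls readme hunk above loses its Description column entirely, so a consumer can no longer tell `azureFirewallPrivateIp` from `azureFirewallPublicIp` without reading the template (the removed rows carried "The private IP of the Azure Firewall." and "The public IP of the Azure Firewall."). If the generator cannot read output descriptions yet, consider keeping the three-column table until it can, rather than shipping a regression in the documentation. In the bastionHosts `nested_rbac.bicep` hunk, the API version bump to `2021-04-01-preview` looks fine, but the same change should be applied consistently; the `Microsoft.Network/bastionHosts/providers/roleAssignments` row in the bastionHosts readme Resource Types table is updated, so nothing is missed there.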
diff --git a/arm/Microsoft.Network/bastionHosts/deploy.bicep b/arm/Microsoft.Network/bastionHosts/deploy.bicep index 13a9d280e1..8cb4fe8054 100644 --- a/arm/Microsoft.Network/bastionHosts/deploy.bicep +++ b/arm/Microsoft.Network/bastionHosts/deploy.bicep 
@@ -50,56 +50,66 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var publicIPPrefix = { - id: publicIPPrefixId -} -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of public IP logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +]) +param publicIpLogsToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' ] -var publicIpDiagnosticsLogs = [ - { - category: 'DDoSProtectionNotifications' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'DDoSMitigationFlowLogs' + +@description('Optional. Optional. The name of bastion logs that will be streamed.') +@allowed([ + 'BastionAuditLogs' +]) +param azureBastionpLogsToEnable array = [ + 'BastionAuditLogs' +] + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var publicIpDiagnosticsLogs = [for log in publicIpLogsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DDoSMitigationReports' +}] + +var azureBastionDiagnosticsLogs = [for log in azureBastionpLogsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] -var azureBastionDiagnosticsLogs = [ - { - category: 'BastionAuditLogs' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + +var publicIPPrefix = { + id: publicIPPrefixId +} + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Network/bastionHosts/readme.md b/arm/Microsoft.Network/bastionHosts/readme.md index b671e3af8e..2646b0985f 100644 --- a/arm/Microsoft.Network/bastionHosts/readme.md +++ b/arm/Microsoft.Network/bastionHosts/readme.md 
@@ -1,37 +1,39 @@ -# AzureBastion +# AzureBastion `[Microsoft.Network/bastionHosts]` This module deploys an Azure Bastion. ## Resource Types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/publicIPAddresses`|2021-02-01| -|`Microsoft.Network/bastionHosts`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| -|`Microsoft.Network/bastionHosts/providers/roleAssignments` |2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/bastionHosts` | 2021-02-01 | +| `Microsoft.Network/bastionHosts/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `azureBastionName` | string | Required. Name of the Azure Bastion resource | | | -| `azureBastionPipName` | string | Optional. Specifies the name of the Public IP used by Azure Bastion. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `domainNameLabel` | string | Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `publicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `vNetId` | string | Required. Shared services Virtual Network resource identifier | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `azureBastionName` | string | | | Required. Name of the Azure Bastion resource | +| `azureBastionPipName` | string | | | Optional. Specifies the name of the Public IP used by Azure Bastion. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | +| `azureBastionpLogsToEnable` | array | `[BastionAuditLogs]` | `[BastionAuditLogs]` | Optional. Optional. The name of bastion logs that will be streamed. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `domainNameLabel` | string | | | Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `publicIpLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | Optional. The name of public IP logs that will be streamed. | +| `publicIPPrefixId` | string | | | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vNetId` | string | | | Required. Shared services Virtual Network resource identifier | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `tags` 
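Review bot: The parameter name `azureBastionpLogsToEnable` in this bastionHosts readme hunk contains a stray "p" and its description repeats the prefix ("Optional. Optional. The name of bastion logs that will be streamed."); both are inherited from the deploy.bicep hunk above, where `@description('Optional. Optional. The name of bastion logs that will be streamed.')` and `param azureBastionpLogsToEnable array` are introduced and then referenced by `var azureBastionDiagnosticsLogs = [for log in azureBastionpLogsToEnable: {`. Renaming to `azureBastionLogsToEnable` and fixing the description in the bicep file (then regenerating the readme) is cheaper now than after the parameter name is published. Also note the casing drift between modules: this module uses `publicIpLogsToEnable` while the azureFirewalls readme uses `publicIPLogsToEnable`; a single convention keeps parameter files portable across modules.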
@@ -81,19 +83,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `azureBastionName` | string | The Name of the Azure Bastion. | -| `azureBastionResourceGroup` | string | The Resource Group the Azure Bastion was deployed. | -| `azureBastionResourceId` | string | The Resource Id of the Azure Bastion. | +| Output Name | Type | +| :-- | :-- | +| `azureBastionName` | string | +| `azureBastionResourceGroup` | string | +| `azureBastionResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/bastionhosts) -- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) -- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Bastionhosts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/bastionHosts) +- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) diff --git a/arm/Microsoft.Network/connections/readme.md b/arm/Microsoft.Network/connections/readme.md index 4fefd793be..745a007859 100644 --- a/arm/Microsoft.Network/connections/readme.md +++ b/arm/Microsoft.Network/connections/readme.md 
@@ -1,35 +1,34 @@ -# VirtualNetworkGatewayConnection +# VirtualNetworkGatewayConnection `[Microsoft.Network/connections]` This template deploys Virtual Network Gateway Connection. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/connections`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/connections` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `connectionName` | string | Required. Remote connection name | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `customIPSecPolicy` | object | Optional. The IPSec Policies to be considered by this connection | @{saLifeTimeSeconds=0; saDataSizeKilobytes=0; ipsecEncryption=; ipsecIntegrity=; ikeEncryption=; ikeIntegrity=; dhGroup=; pfsGroup=} | | -| `enableBgp` | bool | Optional. Value to specify if BGP is enabled or not | False | | -| `localVirtualNetworkGatewayName` | string | Required. Specifies the local Virtual Network Gateway name | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `remoteEntityName` | string | Required. Specifies the remote Virtual Network Gateway/ExpressRoute | | | -| `remoteEntityResourceGroup` | string | Optional. Remote Virtual Network Gateway/ExpressRoute resource group name | | | -| `remoteEntitySubscriptionId` | string | Optional. Remote Virtual Network Gateway/ExpressRoute Subscription Id | | | -| `routingWeight` | string | Optional. 
The weight added to routes learned from this BGP speaker. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `usePolicyBasedTrafficSelectors` | bool | Optional. Enable policy-based traffic selectors | False | | -| `virtualNetworkGatewayConnectionType` | string | Optional. Gateway connection type. | Ipsec | System.Object[] | -| `vpnSharedKey` | string | Required. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways | | | +| `connectionName` | string | | | Required. Remote connection name | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customIPSecPolicy` | object | `{object}` | | Optional. The IPSec Policies to be considered by this connection | +| `enableBgp` | bool | | | Optional. Value to specify if BGP is enabled or not | +| `localVirtualNetworkGatewayName` | string | | | Required. Specifies the local Virtual Network Gateway name | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `remoteEntityName` | string | | | Required. Specifies the remote Virtual Network Gateway/ExpressRoute | +| `remoteEntityResourceGroup` | string | | | Optional. Remote Virtual Network Gateway/ExpressRoute resource group name | +| `remoteEntitySubscriptionId` | string | | | Optional. Remote Virtual Network Gateway/ExpressRoute Subscription Id | +| `routingWeight` | string | | | Optional. The weight added to routes learned from this BGP speaker. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `usePolicyBasedTrafficSelectors` | bool | | | Optional. Enable policy-based traffic selectors | +| `virtualNetworkGatewayConnectionType` | string | `Ipsec` | `[Ipsec, VNet2VNet, ExpressRoute, VPNClient]` | Optional. Gateway connection type. 
| +| `vpnSharedKey` | string | | | Required. Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways | ### Parameter Usage: `customIPSecPolicy` @@ -86,17 +85,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `connectionName` | string | The Name of the Virtual Network Gateway Connection. | -| `remoteConnectionResourceGroup` | string | The Resource Group deployed it. | -| `remoteConnectionResourceId` | string | The Resource Id of the Virtual Network Gateway Connection. | +| Output Name | Type | +| :-- | :-- | +| `connectionName` | string | +| `remoteConnectionResourceGroup` | string | +| `remoteConnectionResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network connections template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/connections) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Connections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/connections) diff --git a/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep index f8b686ee6f..14d8b56f2c 100644 --- a/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/ddosProtectionPlans/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/ddosProtectionPlans/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/ddosProtectionPlans/readme.md b/arm/Microsoft.Network/ddosProtectionPlans/readme.md index 7d5bce3ff7..46c17167b2 100644 --- a/arm/Microsoft.Network/ddosProtectionPlans/readme.md +++ b/arm/Microsoft.Network/ddosProtectionPlans/readme.md 
@@ -1,27 +1,26 @@ -# DDoS Protection Plans +# DDoS Protection Plans `[Microsoft.Network/ddosProtectionPlans]` This template deploys a DDoS protection plan. ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/ddosProtectionPlans`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/ddosProtectionPlans/providers/roleAssignments`|2020-04-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/ddosProtectionPlans` | 2021-02-01 | +| `Microsoft.Network/ddosProtectionPlans/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `ddosProtectionPlanName` | string | Required. Name of the DDoS protection plan to assign the VNET to. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `ddosProtectionPlanName` | string | | | Required. Name of the DDoS protection plan to assign the VNET to. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `roleAssignments` 
@@ -71,19 +70,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `ddosProtectionPlanName` | string | The name of the DDoS Protection Plan deployed. | -| `ddosProtectionPlanResourceGroup` | string | The name of the Resource Group the DDoS Protection Plan was created in. | -| `ddosProtectionPlanResourceId` | string | The Resource id of the DDoS Protection Plan deployed. | +| Output Name | Type | +| :-- | :-- | +| `ddosProtectionPlanName` | string | +| `ddosProtectionPlanResourceGroup` | string | +| `ddosProtectionPlanResourceId` | string | -## Considerations +## Template references -N/A - -## Additional resources - -- [Microsoft.Network ddosProtectionPlans template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/ddosprotectionplans) -- [Manage Azure DDoS Protection Standard using the Azure portal](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection) -- [Azure DDoS Protection Standard overview](https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Ddosprotectionplans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/ddosProtectionPlans) diff --git a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep index 2958920971..75b414e3b9 100644 --- a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/expressRouteCircuits/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/expressRouteCircuits/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep index 07a7b84818..096e329767 100644 --- a/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep +++ b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep 
@@ -90,27 +90,41 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'PeeringRouteLog' +]) +param logsToEnable array = [ + 'PeeringRouteLog' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] -var diagnosticsLogs = [ - { - category: 'PeeringRouteLog' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var peeringConfiguration = [ { name: peeringType diff --git a/arm/Microsoft.Network/expressRouteCircuits/readme.md b/arm/Microsoft.Network/expressRouteCircuits/readme.md index 9e47919057..5cda9f889f 100644 --- a/arm/Microsoft.Network/expressRouteCircuits/readme.md +++ b/arm/Microsoft.Network/expressRouteCircuits/readme.md 
@@ -1,45 +1,46 @@ -# ExpressRoute Circuit +# ExpressRoute Circuit `[Microsoft.Network/expressRouteCircuits]` This template deploys a ExrepressRoute Circuit. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/expressRouteCircuits`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| -|`Microsoft.Network/expressRouteCircuits/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/expressRouteCircuits` | 2021-02-01 | +| `Microsoft.Network/expressRouteCircuits/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `bandwidthInMbps` | int | Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | | | -| `circuitName` | string | Required. This is the name of the ExpressRoute circuit | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `peerASN` | int | Optional. The autonomous system number of the customer/connectivity provider. | 0 | | -| `peering` | bool | Optional. Enabled BGP peering type for the Circuit. | False | System.Object[] | -| `peeringLocation` | string | Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | | | -| `peeringType` | string | Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | AzurePrivatePeering | System.Object[] | -| `primaryPeerAddressPrefix` | string | Optional. A /30 subnet used to configure IP addresses for interfaces on Link1. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `secondaryPeerAddressPrefix` | string | Optional. A /30 subnet used to configure IP addresses for interfaces on Link2. | | | -| `serviceProviderName` | string | Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | | | -| `sharedKey` | string | Optional. The shared key for peering configuration. 
Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | | | -| `skuFamily` | string | Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | MeteredData | System.Object[] | -| `skuTier` | string | Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers. | Standard | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `vlanId` | int | Optional. Specifies the identifier that is used to identify the customer. | 0 | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `bandwidthInMbps` | int | | | Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | +| `circuitName` | string | | | Required. This is the name of the ExpressRoute circuit | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. 
Specify the type of lock. | +| `logsToEnable` | array | `[PeeringRouteLog]` | `[PeeringRouteLog]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `peerASN` | int | | | Optional. The autonomous system number of the customer/connectivity provider. | +| `peering` | bool | | `[True, False]` | Optional. Enabled BGP peering type for the Circuit. | +| `peeringLocation` | string | | | Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | +| `peeringType` | string | `AzurePrivatePeering` | `[AzurePrivatePeering, MicrosoftPeering]` | Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | +| `primaryPeerAddressPrefix` | string | | | Optional. A /30 subnet used to configure IP addresses for interfaces on Link1. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `secondaryPeerAddressPrefix` | string | | | Optional. A /30 subnet used to configure IP addresses for interfaces on Link2. | +| `serviceProviderName` | string | | | Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | +| `sharedKey` | string | | | Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. 
This parameter is optional and can be removed from peering configuration if not required. | +| `skuFamily` | string | `MeteredData` | `[MeteredData, UnlimitedData]` | Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | +| `skuTier` | string | `Standard` | `[Standard, Premium]` | Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vlanId` | int | | | Optional. Specifies the identifier that is used to identify the customer. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
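Review bot: in this hunk `sharedKey` is documented as a plain `string` parameter although the description itself says it is the secret used for BGP MD5 authentication of the peering; the value should be declared with `@secure()` in `deploy.bicep` so it is not persisted in deployment history, and the generated table would then reflect the secure type. Three smaller inconsistencies survive the regeneration: the `peeringType` row lists Possible Values `[AzurePrivatePeering, MicrosoftPeering]` while its description still says "Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering"; `skuFamily` and `skuTier` are labelled "Required." yet carry defaults (`MeteredData`, `Standard`); and `peering` lost its previous default (`False`), leaving the Default Value cell empty. The unchanged intro line also still reads "a ExrepressRoute Circuit" (should be "an ExpressRoute Circuit"); since the readme is generated, fix the wording in the `@description` decorators rather than in this file.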
@@ -89,17 +90,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `expressRouteCircuitName` | string | The Name of the ExpressRoute Circuits.. | -| `expressRouteCircuitResourceGroup` | string | The name of the Resource Group the ExpressRoute Circuits was created in. | -| `expressRouteCircuitResourceId` | string | The Resource Id of the ExpressRoute Circuits. | -| `expressRouteCircuitServiceKey` | string | The URL of the Key Vault. | +| Output Name | Type | +| :-- | :-- | +| `expressRouteCircuitName` | string | +| `expressRouteCircuitResourceGroup` | string | +| `expressRouteCircuitResourceId` | string | +| `expressRouteCircuitServiceKey` | string | -## Considerations +## Template references -## Additional resources - -- [Microsoft.Network ExpressRoute template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/expressroutecircuits) -- [What is Azure ExpressRoute?](https://docs.microsoft.com/de-de/azure/expressroute/) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Expressroutecircuits](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/expressRouteCircuits) diff --git a/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep index 0283e5e29e..4786c4d226 100644 --- a/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/ipGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/ipGroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/ipGroups/readme.md b/arm/Microsoft.Network/ipGroups/readme.md index bd1358d84d..d8fd07136b 100644 --- a/arm/Microsoft.Network/ipGroups/readme.md +++ b/arm/Microsoft.Network/ipGroups/readme.md 
@@ -1,27 +1,26 @@ -# IP Groups +# IP Groups `[Microsoft.Network/ipGroups]` This module deploys an IP Group, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Network/ipGroups`|2021-02-01| -|`Microsoft.Resources/deployments`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/ipGroups/providers/roleAssignments`|2020-04-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/ipGroups` | 2021-02-01 | +| `Microsoft.Network/ipGroups/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `ipGroupName` | string | | | Required. The name of the ipGroups. -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `ipAddresses` | array | `[]` | | Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `ipAddresses` | array | `[]` | | Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource. | +| `ipGroupName` | string | | | Required. The name of the ipGroups. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Resource tags. | ### Parameter Usage: `roleAssignments` 
@@ -71,18 +70,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `ipGroupsResourceId` | string | The Resource Id of the IP Group. | -| `ipGroupsResourceGroup` | string | The name of the Resource Group the IP Group was created in. | -| `ipGroupName` | string | The Name of the IP Group. | +| Output Name | Type | +| :-- | :-- | +| `ipGroupName` | string | +| `ipGroupsResourceGroup` | string | +| `ipGroupsResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [IP Groups in Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/ip-groups) -- [Microsoft.Network ipGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/ipgroups) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Ipgroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/ipGroups) diff --git a/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep index 6c37b53413..719dfe24de 100644 --- a/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/loadBalancers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/loadBalancers/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index fe11df80a1..4868491bdb 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep @@ -116,17 +116,24 @@ var probes_var = [for probe in probes: { } }] -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Network/loadBalancers/readme.md b/arm/Microsoft.Network/loadBalancers/readme.md index f28407706a..59400be29a 100644 
--- a/arm/Microsoft.Network/loadBalancers/readme.md +++ b/arm/Microsoft.Network/loadBalancers/readme.md 
@@ -1,37 +1,37 @@ -# LoadBalancer +# LoadBalancer `[Microsoft.Network/loadBalancers]` This module deploys a Load Balancer ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/loadBalancers`|2021-02-01| -|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/loadBalancers/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/loadBalancers` | 2021-02-01 | +| `Microsoft.Network/loadBalancers/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `backendAddressPools` | array | Required. Collection of backend address pools used by a load balancer. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `frontendIPConfigurations` | array | Required. Array of objects containing all frontend IP configurations | | | -| `loadBalancerName` | string | Required. 
The Proximity Placement Groups Name | | | -| `loadBalancingRules` | array | Required. Array of objects containing all load balancing rules | | | -| `loadBalancerSku` | string | Optional. Name of a load balancer SKU. | "Standard" | "Basic", "Standard" | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `probes` | array | Required. Array of objects containing all probes, these are references in the load balancing rules | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `backendAddressPools` | array | | | Required. Collection of backend address pools used by a load balancer. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `frontendIPConfigurations` | array | | | Required. Array of objects containing all frontend IP configurations | +| `loadBalancerName` | string | | | Required. The Proximity Placement Groups Name | +| `loadBalancerSku` | string | `Standard` | `[Basic, Standard]` | Optional. Name of a load balancer SKU. | +| `loadBalancingRules` | array | | | Required. Array of objects containing all load balancing rules | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `probes` | array | | | Required. Array of objects containing all probes, these are references in the load balancing rules | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `frontendIPConfigurations` 
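Review bot: the regenerated `loadBalancerName` row in this hunk still describes the parameter as "The Proximity Placement Groups Name", a copy-paste leftover from another module; because the table is produced from the template, correct the `@description` of `loadBalancerName` in `deploy.bicep` (e.g. "Required. The name of the Load Balancer.") so the readme stays wrong-free on the next refresh. While there, the `probes` description "these are references in the load balancing rules" should read "these are referenced in the load balancing rules".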
@@ -211,17 +211,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `loadBalancerName` | string | The Name of the Load Balancer. | -| `loadBalancerResourceGroup` | string | The resource Group name in which the reosurce is created. | -| `loadBalancerResourceId` | string | The Resource ID of the Load Balancer. | +| Output Name | Type | +| :-- | :-- | +| `loadBalancerName` | string | +| `loadBalancerResourceGroup` | string | +| `loadBalancerResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network loadBalancers template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/loadbalancers) -- [What is Azure Load Balancer?](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Loadbalancers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/loadBalancers) diff --git a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep index 193909a62c..5f9fa309e3 100644 --- a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/localNetworkGateways/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/localNetworkGateways/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/localNetworkGateways/readme.md b/arm/Microsoft.Network/localNetworkGateways/readme.md index 99bcf73e8f..050805cf0a 100644 --- a/arm/Microsoft.Network/localNetworkGateways/readme.md +++ b/arm/Microsoft.Network/localNetworkGateways/readme.md 
@@ -1,32 +1,31 @@ -# Local Network Gateway +# Local Network Gateway `[Microsoft.Network/localNetworkGateways]` This module deploys Local Network Gateway, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/localNetworkGateways`|2021-02-01| -|`providers/locks`|2016-09-01| -|`Microsoft.Network/localNetworkGateways/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/localNetworkGateways` | 2021-02-01 | +| `Microsoft.Network/localNetworkGateways/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `localAddressPrefixes` | array | Required. List of the local (on-premises) IP address ranges | | | -| `localAsn` | string | Optional. The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | | -| `localBgpPeeringAddress` | string | Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | | -| `localGatewayPublicIpAddress` | string | Required. Public IP of the local gateway | | | -| `localNetworkGatewayName` | string | Required. Name of the Local Network Gateway | | | -| `localPeerWeight` | string | Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | | -| `location` | string | Optional. Location for all resources. 
| [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `fqdn` | string | Optional. FQDN for local gateway (on-prem gateway). | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `fqdn` | string | | | Optional. FQDN of local network gateway. | +| `localAddressPrefixes` | array | | | Required. List of the local (on-premises) IP address ranges | +| `localAsn` | string | | | Optional. The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | +| `localBgpPeeringAddress` | string | | | Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | +| `localGatewayPublicIpAddress` | string | | | Required. Public IP of the local gateway | +| `localNetworkGatewayName` | string | | | Required. Name of the Local Network Gateway | +| `localPeerWeight` | string | | | Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. 
Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `roleAssignments` @@ -76,18 +75,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `localNetworkGatewayName` | string | The Name of the Local Network Gateway. | -| `localNetworkGatewayResourceGroup` | string | The name of the Resource Group the Local Network Gateway was created in. | -| `localNetworkGatewayResourceId` | string | The Resource Id of the Local Network Gateway. | +| Output Name | Type | +| :-- | :-- | +| `localNetworkGatewayName` | string | +| `localNetworkGatewayResourceGroup` | string | +| `localNetworkGatewayResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [What is VPN Gateway?](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Microsoft.Network localnetworkgateways template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/localnetworkgateways) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Localnetworkgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/localNetworkGateways) 
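Review bot: the Outputs hunk drops the Description column entirely, leaving only `Output Name` and `Type`, although the three descriptions removed here were accurate; the generator should carry output descriptions over (from `@description()` on the outputs) instead of deleting them, otherwise consumers lose the only documentation of what `localNetworkGatewayResourceGroup` and friends return. The same applies to the ExpressRoute, IP Groups and Load Balancer output hunks above; in the ExpressRoute one the old text for `expressRouteCircuitServiceKey` ("The URL of the Key Vault.") was wrong and should be corrected rather than removed.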
diff --git a/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep index 0116127953..155901a70d 100644 --- a/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/natGateways/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/natGateways/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/natGateways/deploy.bicep b/arm/Microsoft.Network/natGateways/deploy.bicep index 065ea8ab78..4d8951cfb6 100644 --- a/arm/Microsoft.Network/natGateways/deploy.bicep +++ b/arm/Microsoft.Network/natGateways/deploy.bicep 
@@ -62,47 +62,49 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var natGatewayPipName_var = (empty(natGatewayPipName) ? '${natGatewayName}-pip' : natGatewayPipName) -var natGatewayPublicIPPrefix = { - id: natGatewayPublicIPPrefixId -} -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +]) +param logsToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' ] -var publicIpDiagnosticsLogs = [ - { - category: 'DDoSProtectionNotifications' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'DDoSMitigationFlowLogs' + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DDoSMitigationReports' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + +var natGatewayPipName_var = (empty(natGatewayPipName) ? 
'${natGatewayName}-pip' : natGatewayPipName) +var natGatewayPublicIPPrefix = { + id: natGatewayPublicIPPrefixId +} var natGatewayPropertyPublicIPPrefixes = [for publicIpPrefix in publicIpPrefixes: { id: resourceId('Microsoft.Network/publicIPPrefixes', publicIpPrefix) @@ -171,7 +173,7 @@ resource publicIP_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2017 eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) - logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : publicIpDiagnosticsLogs) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: publicIP } diff --git a/arm/Microsoft.Network/natGateways/readme.md b/arm/Microsoft.Network/natGateways/readme.md index f9760d808a..626e51acc5 100644 --- a/arm/Microsoft.Network/natGateways/readme.md +++ b/arm/Microsoft.Network/natGateways/readme.md @@ -1,4 +1,4 @@ -# NAT Gateway +# NAT Gateway `[Microsoft.Network/natGateways]` This module deploys a NAT Gateway. 
@@ -6,40 +6,37 @@ This module deploys a NAT Gateway. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Network/natGateways` | 2021-02-01 | -| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Network/natGateways/providers/roleAssignments` | 2020-04-01-preview | - -### Resource dependency - -The following resources are required to be able to deploy this resource. +| `Microsoft.Network/natGateways` | 2021-02-01 | +| `Microsoft.Network/natGateways/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `idleTimeoutInMinutes` | int | Optional. The idle timeout of the nat gateway. | 5 | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. 
| 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `natGatewayDomainNameLabel` | string | Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | | | -| `natGatewayName` | string | Required. Name of the Azure NAT Gateway resource | | | -| `natGatewayPipName` | string | Optional. Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the NAT Gateway's name. | | | -| `natGatewayPublicIpAddress` | bool | Optional. Use to have a new Public IP Address created for the NAT Gateway. | False | | -| `natGatewayPublicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | | -| `publicIpAddresses` | array | Optional. Existing Public IP Address resource names to use for the NAT Gateway. | System.Object[] | | -| `publicIpPrefixes` | array | Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway. | System.Object[] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags for the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `zones` | array | Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed. | System.Object[] | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `idleTimeoutInMinutes` | int | `5` | | Optional. The idle timeout of the nat gateway. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `natGatewayDomainNameLabel` | string | | | Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | +| `natGatewayName` | string | | | Required. Name of the Azure Bastion resource | +| `natGatewayPipName` | string | | | Optional. Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | +| `natGatewayPublicIpAddress` | bool | | | Optional. Use to have a new Public IP Address created for the NAT Gateway. 
| +| `natGatewayPublicIPPrefixId` | string | | | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| `publicIpAddresses` | array | `[]` | | Optional. Existing Public IP Address resource names to use for the NAT Gateway. | +| `publicIpPrefixes` | array | `[]` | | Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags for the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `zones` | array | `[]` | | Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed. | ### Parameter Usage: `roleAssignments` 
@@ -89,28 +86,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `natGatewayName` | string | The Name of the Load Balancer. | -| `natGatewayResourceGroup` | string | The resource Group name in which the reosurce is created. | -| `natGatewayResourceId` | string | The Resource ID of the Load Balancer. | - -## Considerations - -*N/A* - -### References - -#### Template references - -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) -- [NatGateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/natGateways) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +| Output Name | Type | +| :-- | :-- | +| `natGatewayName` | string | +| `natGatewayResourceGroup` | string | +| `natGatewayResourceId` | string | -## Additional resources +## Template references -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [PublicIPAddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) -- [NatGateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/natGateways) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Natgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/natGateways) +- 
[Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) diff --git a/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep index fcf97fe5ca..539359684f 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/networkSecurityGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/networkSecurityGroups/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep b/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep index 1deaa33796..c6663c5a56 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep +++ b/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep 
@@ -76,7 +76,43 @@ param cuaId string = '' @description('Required. Resource Group Name of the network watcher in whcih the NSG flow log would be created.') param networkwatcherResourceGroup string = 'NetworkWatcherRG' -var emptyArray = [] +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'NetworkSecurityGroupEvent' + 'NetworkSecurityGroupRuleCounter' +]) +param logsToEnable array = [ + 'NetworkSecurityGroupEvent' + 'NetworkSecurityGroupRuleCounter' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var nsgResourceGroup = resourceGroup().name var flowLogName_var = ((!empty(flowLogName)) ? '${networkWatcherName}/${flowLogName}' : 'dummy/dummy') var flowAnalyticsConfig = { @@ -86,25 +122,7 @@ var flowAnalyticsConfig = { trafficAnalyticsInterval: flowLogIntervalInMinutes } } -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'NetworkSecurityGroupEvent' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'NetworkSecurityGroupRuleCounter' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } -] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
@@ -152,8 +170,8 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-0 destinationPortRanges: (contains(nsgSecurityRule.properties, 'destinationPortRanges') ? nsgSecurityRule.properties.destinationPortRanges : json('null')) sourceAddressPrefixes: (contains(nsgSecurityRule.properties, 'sourceAddressPrefixes') ? nsgSecurityRule.properties.sourceAddressPrefixes : json('null')) destinationAddressPrefixes: (contains(nsgSecurityRule.properties, 'destinationAddressPrefixes') ? nsgSecurityRule.properties.destinationAddressPrefixes : json('null')) - sourceApplicationSecurityGroups: ((contains(nsgSecurityRule.properties, 'sourceApplicationSecurityGroupIds') && (!empty(nsgSecurityRule.properties.sourceApplicationSecurityGroupIds))) ? concat(emptyArray, array(json('{"id": "${nsgSecurityRule.properties.sourceApplicationSecurityGroupIds[0]}", "location": "${location}"}'))) : json('null')) - destinationApplicationSecurityGroups: ((contains(nsgSecurityRule.properties, 'destinationApplicationSecurityGroupIds') && (!empty(nsgSecurityRule.properties.destinationApplicationSecurityGroupIds))) ? concat(emptyArray, array(json('{"id": "${nsgSecurityRule.properties.destinationApplicationSecurityGroupIds[0]}", "location": "${location}"}'))) : json('null')) + sourceApplicationSecurityGroups: ((contains(nsgSecurityRule.properties, 'sourceApplicationSecurityGroupIds') && (!empty(nsgSecurityRule.properties.sourceApplicationSecurityGroupIds))) ? concat([], array(json('{"id": "${nsgSecurityRule.properties.sourceApplicationSecurityGroupIds[0]}", "location": "${location}"}'))) : json('null')) + destinationApplicationSecurityGroups: ((contains(nsgSecurityRule.properties, 'destinationApplicationSecurityGroupIds') && (!empty(nsgSecurityRule.properties.destinationApplicationSecurityGroupIds))) ? concat([], array(json('{"id": "${nsgSecurityRule.properties.destinationApplicationSecurityGroupIds[0]}", "location": "${location}"}'))) : json('null')) } }] } 
diff --git a/arm/Microsoft.Network/networkSecurityGroups/readme.md b/arm/Microsoft.Network/networkSecurityGroups/readme.md index 54f9251d14..e850afe411 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/readme.md +++ b/arm/Microsoft.Network/networkSecurityGroups/readme.md 
@@ -1,43 +1,44 @@ -# NetworkSecurityGroups +# NetworkSecurityGroups `[Microsoft.Network/networkSecurityGroups]` This template deploys a Network Security Groups (NSG) with optional security rules. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/networkSecurityGroups`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Network/networkSecurityGroups/providers/roleAssignments`|2020-04-01-preview| -|`Microsoft.Network/networkWatchers/flowLogs`|2021-02-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/networkSecurityGroups` | 2021-02-01 | +| `Microsoft.Network/networkSecurityGroups/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/networkWatchers/flowLogs` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. 
Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `networkSecurityGroupName` | string | Required. Name of the Network Security Group. | | | -| `networkSecurityGroupSecurityRules` | array | Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | System.Object[] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the NSG resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `flowAnalyticsEnabled`| bool | Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it) | false | | -| `flowLogEnabled` | bool | Optional. If the flow log should be enabled | false | | -| `flowLogIntervalInMinutes` | int | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics | 60 | 10,60 | -| `flowLogName` | string | Optional. Name of the NSG flow log. If empty, no flow log will be deployed. | | | -| `flowLogworkspaceId` | string | Optional. Resource identifier of Log Analytics for the flow logs. | | | -| `logFormatVersion` | int | Optional. The flow log format version | 2 | | -| `networkWatcherName`| string | Optional. Name of the network watcher resource. 
Must be in the resource group where the Flow log will be created and same region as the NSG | | | -| `retentionEnabled`| bool | Optional. If the flow log retention should be enabled | true | | -| `networkwatcherResourceGroup`| string | Required. Resource Group Name of the network watcher in whcih the NSG flow log would be created. | NetworkWatcherRG | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `flowAnalyticsEnabled` | bool | | | Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it) | +| `flowLogEnabled` | bool | | | Optional. If the flow log should be enabled | +| `flowLogIntervalInMinutes` | int | `60` | `[10, 60]` | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics. | +| `flowLogName` | string | | | Optional. Name of the NSG flow log. If empty, no flow log will be deployed. | +| `flowLogworkspaceId` | string | | | Optional. Resource identifier of Log Analytics for the flow logs. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. 
| +| `logFormatVersion` | int | `2` | `[1, 2]` | Optional. The flow log format version | +| `logsToEnable` | array | `[NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter]` | `[NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `networkSecurityGroupName` | string | | | Required. Name of the Network Security Group. | +| `networkSecurityGroupSecurityRules` | array | `[]` | | Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | +| `networkWatcherName` | string | | | Optional. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | +| `networkwatcherResourceGroup` | string | `NetworkWatcherRG` | | Required. Resource Group Name of the network watcher in whcih the NSG flow log would be created. | +| `retentionEnabled` | bool | `True` | | Optional. If the flow log retention should be enabled | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the NSG resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `networkSecurityGroupSecurityRules` 
@@ -167,26 +168,17 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `networkSecurityGroupsName` | string | The Name of the Network Security Group deployed. | -| `networkSecurityGroupsResourceGroup` | string | The name of the Resource Group the Network Security Groups were created in. | -| `networkSecurityGroupsResourceId` | string | The Resource Ids of the Network Security Group deployed. | -| `flowLogName` | string | The Name of the FlowLog deployed | -| `flowLogResourceId` | string | The Resource Ids of the Network Security Group deployed. | +| Output Name | Type | +| :-- | :-- | +| `flowLogName` | string | +| `flowLogResourceId` | string | +| `networkSecurityGroupsName` | string | +| `networkSecurityGroupsResourceGroup` | string | +| `networkSecurityGroupsResourceId` | string | -## Considerations +## Template references -When specifying the Security Rules for the Network Security Group (NSG) with the `networkSecurityGroupSecurityRules` parameter, pass in the Security Rules as a JSON Array in the same format as would be used for the `securityRules` property of the `Microsoft.Network/networkSecurityGroups` resource provider in an ARM Template. - -If Flow Logs traffic analytic has ever been enabled for the considered Network Security Group, even when disabling it WorkspaceResourceId must be specified targeting an existing Log Analytics workspace.
    -If no Log Analytics Workspace exists or you don't want it to remain stored in the Flow Log configuration, delete the Flow Log resource. - -## Additional resources - -- [Azure Network Security Groups](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview) -- [Microsoft.Network networkSecurityGroups template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/networksecuritygroups) -- [Microsoft.Network networkSecurityGroups/securityRules template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/networksecuritygroups/securityrules) -- [Azure Flow Logs](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview) -- [Microsoft.Network networkWatchers/flowLogs template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/networkwatchers/flowlogs) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Networksecuritygroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkSecurityGroups) +- [Networkwatchers/Flowlogs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkWatchers/flowLogs) diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep b/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep index 6d650e5638..5270617ef5 100644 --- a/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep +++ b/arm/Microsoft.Network/networkWatcherFlowLogs/deploy.bicep 
@@ -62,7 +62,7 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2020-05-01' = { +resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = { name: fullFlowLogName location: location tags: tags diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json b/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json index 532e5fc20f..a69038d966 100644 --- a/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json +++ b/arm/Microsoft.Network/networkWatcherFlowLogs/parameters/parameters.json @@ -31,16 +31,6 @@ }, "workspaceResourceId": { "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-la-weu-x-001" - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "5545f7a0-51f4-46af-b3b4-baecf5176a56" - ] - } - ] } } } diff --git a/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md b/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md index 3510db24ab..2f12025f78 100644 --- a/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md +++ b/arm/Microsoft.Network/networkWatcherFlowLogs/readme.md 
@@ -1,32 +1,31 @@ -# NSG Flow Logs +# NSG Flow Logs `[Microsoft.Network/networkWatcherFlowLogs]` This module controls the Network Security Group Flow Logs and analytics settings **Note: this module must be run on the Resource Group where Network Watcher is deployed** ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Network/networkWatchers/flowLogs`|2019-11-01| -|`Microsoft.Resources/deployments`|2020-06-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Network/networkWatchers/flowLogs` | 2021-05-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :------------------------------- | :----- | :--------------------------- | :---------------------------- | :----------------------------------------------------------- | -| `networkWatcherName` | string | | | Required. The name of the Network Watcher in the same region as the NSG. | -| `networkSecurityGroupResourceId` | string | | | Required. The Resource ID of the NSG that FlowLog must be configured | -| `diagnosticStorageAccountId` | string | | | Required. Resource ID of the storage account which is used to store the flow log. | -| `location` | string | `[resourceGroup().location]` | Azure Regions | Optional. Must be the same location as the NSG. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the FlowLog resource. | -| `retentionEnabled` | bool | true | true, false | Optional. Flag to enable/disable retention. Storage v2 must be specified if enabled. | -| `flowLogEnabled` | bool | true | true, false | Optional. Flag to enable/disable flow logging. | -| `logFormatVersion` | int | 2 | 1, 2 | Optional. The version (revision) of the flow log. | -| `flowAnalyticsEnabled` | bool | false | true, false | Optional. Flag to enable/disable traffic analytics. | -| `workspaceResourceId` | string | "" | | Optional. Resource Id of the attached Log Analytics. 
is Mandatory if flowAnalyticsEnabled=true or flowLogs has ever been enabled | -| `flowLogIntervalInMinutes` | int | 60 | 10, 60 | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics | -| `retentionInDays` | int | 365 | 0..365 | Optional. Number of days to retain flow log records. | -| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticStorageAccountId` | string | | | Required. Resource identifier of the Diagnostic Storage Account. | +| `flowAnalyticsEnabled` | bool | | | Optional. Enables/disables flow analytics. If Flow Analytics was previously enabled, workspaceResourceID is mandatory (even when disabling it) | +| `flowLogEnabled` | bool | `True` | | Optional. If the flow log should be enabled | +| `flowLogIntervalInMinutes` | int | `60` | `[10, 60]` | Optional. The interval in minutes which would decide how frequently TA service should do flow analytics. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `logFormatVersion` | int | `2` | `[1, 2]` | Optional. The flow log format version | +| `networkSecurityGroupResourceId` | string | | | Required. Resource ID of the NSG that must be enabled for Flow Logs. | +| `networkWatcherName` | string | | | Required. Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG | +| `retentionEnabled` | bool | `True` | | Optional. If the flow log retention should be enabled | +| `retentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. 
| +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceResourceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `tags` @@ -47,19 +46,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `deploymentResourceGroup` | string | The name of the Resource Group the Network Security Groups were created in. | -| `flowLogName` | string | The Name of the FlowLog deployed. | -| `flowLogResourceId` | string | The Resource Ids of the Network Security Group deployed. | +| Output Name | Type | +| :-- | :-- | +| `deploymentResourceGroup` | string | +| `flowLogName` | string | +| `flowLogResourceId` | string | -## Considerations +## Template references -If Flow Logs traffic analytic has ever been enabled for the considered Network Security Group, even when disabling it WorkspaceResourceId must be specified targeting an existing Log Analytics workspace.
    -If no Log Analytics Workspace exists or you don't want it to remain stored in the Flow Log configuration, delete the Flow Log resource - -## Additional resources - -- [Azure Flow Logs](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview) -- [Microsoft.Network networkWatchers/flowLogs template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) \ No newline at end of file +- [Networkwatchers/Flowlogs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/networkWatchers/flowLogs) diff --git a/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep index c4b137ca72..83baaad500 100644 --- a/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/networkWatchers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/networkWatchers/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/networkWatchers/readme.md b/arm/Microsoft.Network/networkWatchers/readme.md index 02805d9322..2084e3036e 100644 
--- a/arm/Microsoft.Network/networkWatchers/readme.md +++ b/arm/Microsoft.Network/networkWatchers/readme.md 
@@ -1,42 +1,29 @@ -# Network Watcher +# Network Watcher `[Microsoft.Network/networkWatchers]` This template deploys Network Watcher. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/networkWatchers`|2021-02-01| -|`Microsoft.Network/networkWatchers/connectionMonitors`|2021-02-01| +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Network/networkWatchers/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Network/networkWatchers` | 2021-02-01 | +| `Microsoft.Network/networkWatchers/connectionMonitors` | 2021-02-01 | +| `Microsoft.Network/networkWatchers/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :-| :-| :-| -| `networkWatcherName` | string | | Required. Name of the Network Watcher resource (hidden) -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `monitors` | array | [] | complex structure see below | Optional. Array that contains the monitors| -| `workspaceResourceId` | string | "" | ID of Workspace Resource| Optional. Specify the Workspace Resource ID. If not specified a default workspace will be created | -| `tags`| object | {} | Complex structure, see below. | Optional. Tags of the Virtual Network Gateway resource. | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `cuaId` | string | {} | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" | - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `networkWatcherName` | string | The name of the Network Watcher deployed. | -| `networkWatcherResourceGroup` | string | The name of the Resource Group the Network Watcher was created in. | -| `networkWatcherResourceId` | string | The Resource id of the Network Watcher deployed. | - -## Considerations - -N/A +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `monitors` | array | `[]` | | Optional. Array that contains the monitors | +| `networkWatcherName` | string | | | Required. Name of the Network Watcher resource (hidden) | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `workspaceResourceId` | string | | | Optional. 
Specify the Workspace Resource ID | ### Parameter Usage: `monitors` @@ -142,8 +129,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a } ``` -## Additional resources +## Outputs + +| Output Name | Type | +| :-- | :-- | +| `networkWatcherName` | string | +| `networkWatcherResourceGroup` | string | +| `networkWatcherResourceId` | string | + +## Template references -- [Microsoft.Network networkWatchers template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/networkwatchers) -- [What is Azure Network Watcher?](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview) -- [Network Connectivity Monitoring with Connection Monitor (Preview)](https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-preview) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Networkwatchers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkWatchers) +- [Networkwatchers/Connectionmonitors](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/networkWatchers/connectionMonitors) diff --git a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep index 0ce86e7398..d276cb0422 100644 --- a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/privateDnsZones/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/privateDnsZones/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md index facd86cf38..82b90ecfd5 100644 --- a/arm/Microsoft.Network/privateDnsZones/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/readme.md @@ -1,4 +1,4 @@ -# PrivateDnsZones +# PrivateDnsZones `[Microsoft.Network/privateDnsZones]` # Resource 
@@ -8,27 +8,22 @@ This template deploys private DNS zone. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments`| 2020-06-01 | +| `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Network/privateDnsZones` | 2018-09-01 | +| `Microsoft.Network/privateDnsZones/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/privateDnsZones/virtualNetworkLinks` | 2018-09-01 | -| `Microsoft.Network/privateDnsZones/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Authorization/locks` | 2016-09-01 | - -### Resource dependency - -The following resources are required to be able to deploy this resource. ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | "Optional. The location of the PrivateDNSZone. Should be global. | `Global` | `Global` | -| `privateDnsZoneName` | string | Required. Private DNS zone name. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `vnetLinks` | array | Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. 
The 'vnetResourceId' is a resource Id of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | [] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `global` | | Optional. The location of the PrivateDNSZone. Should be global. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `privateDnsZoneName` | string | | | Required. Private DNS zone name. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vnetLinks` | array | `[]` | | Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource Id of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | ### Parameter Usage: `vnetLinks` 
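Review bot: In the `@@ -8,27 +8,22 @@` hunk of privateDnsZones/readme.md the regenerated `location` row changes the default from `Global` to `global` and empties the Possible Values cell that previously listed `Global`. Since privateDnsZones/deploy.bicep is not touched in this patch, please confirm the table reflects the template's real default and that no `@allowed` constraint was dropped, rather than the generator silently changing case. Minor: the old description started with a stray `"`, which the new row correctly removes.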
@@ -95,17 +90,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `privateDnsZoneResourceGroup` | string | The name of the Resource Group the resources was deployed to. | -| `privateDnsZoneName` | string | The name of the resource deployed. | -| `privateDnsZoneResourceId` | string | The Resource id of the resource deployed. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `privateDnsZoneName` | string | +| `privateDnsZoneResourceGroup` | string | +| `privateDnsZoneResourceId` | string | -## Additional resources +## Template references -- [PrivateDnsZones](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-09-01/privateDnsZones) -- [PrivateDnsZones](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-09-01/privateDnsZones) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Privatednszones](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-09-01/privateDnsZones) +- [Privatednszones/Virtualnetworklinks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-09-01/privateDnsZones/virtualNetworkLinks) diff --git a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep index 9a0c576382..c0bb71a0d2 100644 --- a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/privateEndpoints/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/privateEndpoints/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/privateEndpoints/deploy.bicep b/arm/Microsoft.Network/privateEndpoints/deploy.bicep index 5d3fa7fef4..03cdaf0c8e 100644 --- a/arm/Microsoft.Network/privateEndpoints/deploy.bicep +++ b/arm/Microsoft.Network/privateEndpoints/deploy.bicep @@ -56,7 +56,7 @@ module pid_cuaId './.bicep/nested_pid.bicep' = if (!empty(cuaId)) { params: {} } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-02-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpointName location: location tags: tags 
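Review bot: The `Microsoft.Network/privateEndpoints` api version bump to `2021-05-01` in this hunk is only half reviewable: the matching privateEndpoints/readme.md change in this patch is a `GIT binary patch`, so whether its Resource types table was updated to `2021-05-01` cannot be checked here. Git is treating that readme as binary (typically a non-UTF-8 encoding); saving it as plain UTF-8 text would make the documentation diff visible in review.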
diff --git a/arm/Microsoft.Network/privateEndpoints/readme.md b/arm/Microsoft.Network/privateEndpoints/readme.md index 7f048eff8cfff7847f4bb83100592825b007d687..8b0312950464a0a0c25028096ea76a29d20b1e30 100644 GIT binary patch literal 4365
diff --git a/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep index 34751823ec..deac1ced83 100644
--- a/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/publicIPAddresses/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/publicIPAddresses/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep index aa9f7c2c1f..0d56a0929f 100644 --- a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep +++ b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep 
@@ -50,43 +50,45 @@ param cuaId string = '' @description('Optional. Tags of the resource.') param tags object = {} -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +]) +param logsToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' ] -var diagnosticsLogs = [ - { - category: 'DDoSProtectionNotifications' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'DDoSMitigationFlowLogs' + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'DDoSMitigationReports' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var publicIPPrefix = { id: publicIPPrefixId } 
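Review bot: In the `@@ -50,43 +50,45 @@` hunk, `diagnosticsLogs` and `diagnosticsMetrics` are now built from the caller-supplied `logsToEnable` and `metricsToEnable` arrays, so passing `[]` for either produces an empty `logs`/`metrics` list. The diagnostic settings resource that consumes these variables is outside the hunk; please confirm it accepts empty arrays (or is conditioned on them), because a deployment that quietly ships without the DDoS log categories is easy to miss. Also, the `@description` texts read better as 'The names of the logs that will be streamed.' / 'The names of the metrics that will be streamed.', and publicIPAddresses/readme.md appears in this patch only as a `GIT binary patch`, so the documentation of the two new parameters and their allowed values cannot be reviewed here.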
diff --git a/arm/Microsoft.Network/publicIPAddresses/readme.md b/arm/Microsoft.Network/publicIPAddresses/readme.md index 1cf37f8eda4005d6731e8d55adf1c2e1288bc0ec..57c8f49cc492303408875d5e201219e477cb6919 100644 GIT binary patch literal 4488
diff --git a/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep index fdcc4558dc..fb39bec66c 100644 --- a/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/publicIPPrefixes/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/publicIPPrefixes/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/publicIPPrefixes/readme.md b/arm/Microsoft.Network/publicIPPrefixes/readme.md index 8d3dec613c..ceb7609f31 100644 --- a/arm/Microsoft.Network/publicIPPrefixes/readme.md +++ b/arm/Microsoft.Network/publicIPPrefixes/readme.md 
@@ -1,27 +1,26 @@ -# Public IP Prefixes +# Public IP Prefixes `[Microsoft.Network/publicIPPrefixes]` This template deploys Public IP Prefixes. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/publicIPPrefixes`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/publicIPPrefixes/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/publicIPPrefixes` | 2021-02-01 | +| `Microsoft.Network/publicIPPrefixes/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `prefixLength` | int | Required. Length of the Public IP Prefix | | | -| `publicIpPrefixName` | string | Required. Name of the Public IP Prefix | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the resource. | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `prefixLength` | int | | | Required. Length of the Public IP Prefix | +| `publicIpPrefixName` | string | | | Required. Name of the Public IP Prefix | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `roleAssignments` 
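Review bot: In the `@@ -1,27 +1,26 @@` hunk of publicIPPrefixes/readme.md the regenerated `cuaId` row has an empty Default Value cell even though its description says Optional; the publicIPAddresses deploy.bicep hunk in this same patch shows the pattern `param cuaId string = ''`, and assuming this module does the same, the generator is rendering an empty-string default as no default, which makes `cuaId` indistinguishable from a required parameter by that column alone. Suggest rendering `''` explicitly in the Default Value column.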
@@ -71,18 +70,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `publicIpPrefixName` | string | The Name of the Public IP Prefix. | -| `publicIpPrefixResourceGroup` | string | The name of the Resource Group the Public IP Prefix was created in. | -| `publicIpPrefixResourceId` | string | The Resource Id of the Public IP Prefix. | +| Output Name | Type | +| :-- | :-- | +| `publicIpPrefixName` | string | +| `publicIpPrefixResourceGroup` | string | +| `publicIpPrefixResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/publicipprefixes) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Publicipprefixes](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPPrefixes) diff --git a/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep index c375ce5799..41dbcf257a 100644 --- a/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/routeTables/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/routeTables/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/routeTables/readme.md b/arm/Microsoft.Network/routeTables/readme.md index 2459134c24..8a32eb75c2 100644 --- a/arm/Microsoft.Network/routeTables/readme.md +++ b/arm/Microsoft.Network/routeTables/readme.md 
@@ -1,28 +1,27 @@ -# RouteTables +# RouteTables `[Microsoft.Network/routeTables]` This template deploys User Defined Route Tables. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/routeTables`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/routeTables/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/routeTables` | 2021-02-01 | +| `Microsoft.Network/routeTables/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `disableBgpRoutePropagation` | bool | Optional. Switch to disable BGP route propagation. | False | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `routes` | array | Optional. An Array of Routes to be established within the hub route table. | System.Object[] | | -| `routeTableName` | string | Required. Name given for the hub route table. | | | -| `tags` | object | Optional. Tags of the resource. 
| | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `disableBgpRoutePropagation` | bool | | | Optional. Switch to disable BGP route propagation. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `routes` | array | `[]` | | Optional. An Array of Routes to be established within the hub route table. | +| `routeTableName` | string | | | Required. Name given for the hub route table. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `routes` 
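Review bot: In the `@@ -1,28 +1,27 @@` hunk of routeTables/readme.md the `disableBgpRoutePropagation` row loses its documented default: the old table showed `False`, the new one shows an empty Default Value cell. A reader can no longer tell whether BGP route propagation is on or off when the parameter is omitted, which matters for a route table. Suggest the generator print falsy defaults (`false`, `''`) the same way it already prints `[]`.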
@@ -114,17 +113,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `routeTablesName` | string | The name of the Route Table deployed. | -| `routeTablesResourceGroup` | string | The name of the Resource Group the Route Table was deployed to. | -| `routeTablesResourceId` | string | The Resource id of the Virtual Network deployed. | +| Output Name | Type | +| :-- | :-- | +| `routeTablesName` | string | +| `routeTablesResourceGroup` | string | +| `routeTablesResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network routeTables template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/routetables) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Routetables](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/routeTables) diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep index 905c4a217b..d0106bf469 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep 
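Review bot: dropping the Description column from the Outputs table removes the only documentation of what `routeTablesName`, `routeTablesResourceGroup` and `routeTablesResourceId` return; keep a three-column table. If the descriptions are reinstated, also fix the old text for `routeTablesResourceId`, which read "The Resource id of the Virtual Network deployed." and should say Route Table.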
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/trafficmanagerprofiles/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/trafficmanagerprofiles/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep index 320595d3f0..1595f9c192 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep +++ b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep 
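Review bot: the symbolic name `roleAssigment` on the changed `resource` line is misspelled (missing an `n`); since the line is already being touched for the API version bump, rename it to `roleAssignment`. Separately, `name:` seeds `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)` with the raw input while `roleDefinitionId` is resolved through `builtInRoleNames`, so the same role for the same principal gets a different assignment name depending on whether the caller passed the display name or the full definition ID; seeding the guid with the resolved ID would keep the name stable across both spellings.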
@@ -80,27 +80,41 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ProbeHealthStatusEvents' +]) +param logsToEnable array = [ + 'ProbeHealthStatusEvents' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] -var diagnosticsLogs = [ - { - category: 'ProbeHealthStatusEvents' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md index c8c8f0a20a..9fbba38d3a 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md +++ b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md @@ -1,4 +1,4 @@ -# TrafficManager +# TrafficManager `[Microsoft.Network/trafficmanagerprofiles]` This module deploys Traffic Manager, with resource lock. 
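Review bot: the `@description` on both `logsToEnable` and `metricsToEnable` reads 'The name of logs that will be streamed' although each parameter is an array of category names; say 'The names of log categories to stream' (metrics accordingly) and state that passing `[]` disables that part of the diagnostic setting, because the `[for log in logsToEnable: {...}]` expression silently yields an empty list in that case. The same wording is repeated in the other modules of this PR, so fix it everywhere at once.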
@@ -6,35 +6,35 @@ This module deploys Traffic Manager, with resource lock. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments` | 2021-04-01 | -| `Microsoft.Network/trafficmanagerprofiles` | 2018-08-01 | -| `Microsoft.Network/trafficmanagerprofiles/providers/roleAssignments` | 2018-09-01-preview | | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/trafficmanagerprofiles` | 2018-08-01 | +| `Microsoft.Network/trafficmanagerprofiles/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `endpoints` | array | Optional. The list of endpoints in the Traffic Manager profile. | System.Object[] | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `maxReturn` | int | Optional. Maximum number of endpoints to be returned for MultiValue routing type. | 1 | | -| `monitorConfig` | object | Optional. 
The endpoint monitoring settings of the Traffic Manager profile. | protocol=http; port=80; path=/ | | -| `profileStatus` | string | Optional. The status of the Traffic Manager profile. | Enabled | System.Object[] | -| `relativeName` | string | The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Resource tags. | | | -| `trafficManagerName` | string | Name of the Traffic Manager | | | -| `trafficRoutingMethod` | string | Optional. The traffic routing method of the Traffic Manager profile. | Performance | System.Object[] | -| `trafficViewEnrollmentStatus` | string | Optional. Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | Disabled | System.Object[] | -| `ttl` | int | Optional. The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | 60 | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | - +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `endpoints` | array | `[]` | | Optional. The list of endpoints in the Traffic Manager profile. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[ProbeHealthStatusEvents]` | `[ProbeHealthStatusEvents]` | Optional. The name of logs that will be streamed. | +| `maxReturn` | int | `1` | | Optional. Maximum number of endpoints to be returned for MultiValue routing type. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `monitorConfig` | object | `{object}` | | Optional. The endpoint monitoring settings of the Traffic Manager profile. | +| `profileStatus` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The status of the Traffic Manager profile. | +| `relativeName` | string | | | Required. The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `trafficManagerName` | string | | | Required. Name of the Traffic Manager | +| `trafficRoutingMethod` | string | `Performance` | `[Performance, Priority, Weighted, Geographic, MultiValue, Subnet]` | Optional. The traffic routing method of the Traffic Manager profile. | +| `trafficViewEnrollmentStatus` | string | `Disabled` | `[Disabled, Enabled]` | Optional. Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | +| `ttl` | int | `60` | | Optional. The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `monitorConfig` 
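Review bot: the `monitorConfig` row now shows `{object}` as the default, whereas the old table showed the actual probe settings `protocol=http; port=80; path=/`; that loss matters because the default health probe is plain HTTP on port 80, and a reader deciding whether to override it with an HTTPS probe can no longer see that from the readme. Also, the `trafficViewEnrollmentStatus` description on the added line still says 'Traffic Manage profile' (missing the final r).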
@@ -121,18 +121,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ``` ## Outputs -| Output Name | Type | Description | -| :- | :- | -| `trafficManagerResourceId` | string | The Resource Id of the Traffic Manager. -| `trafficManagerResourceGroup` | string | The name of the Resource Group the Traffic Manager was created in. -| `trafficManagerName` | string | The Name of the Traffic Manager. - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `trafficManagerName` | string | +| `trafficManagerResourceGroup` | string | +| `trafficManagerResourceId` | string | -## Additional resources +## Template references -- [What is Traffic Manager?](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview) -- [Microsoft.Network/trafficmanagerprofiles template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-08-01/trafficmanagerprofiles) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Trafficmanagerprofiles](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-08-01/trafficmanagerprofiles) diff --git a/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep index fd15a4abcf..4348e0cca4 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep 
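Review bot: the Outputs hunk removes the Description column; the old separator row `| :- | :- |` had two cells for three headers, which did need fixing, but the fix should keep the descriptions rather than delete them. In the Template references list, the generated link text `Diagnosticsettings` should use the casing of the Resource types table (`diagnosticSettings`).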
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/virtualNetworkGateways/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/virtualNetworkGateways/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep b/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep index 376045acf9..610249390b 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep 
@@ -102,6 +102,69 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +]) +param publicIpLogsToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +] + +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'GatewayDiagnosticLog' + 'TunnelDiagnosticLog' + 'RouteDiagnosticLog' + 'IKEDiagnosticLog' + 'P2SDiagnosticLog' +]) +param virtualNetworkGatewayLogsToEnable array = [ + 'GatewayDiagnosticLog' + 'TunnelDiagnosticLog' + 'RouteDiagnosticLog' + 'IKEDiagnosticLog' + 'P2SDiagnosticLog' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var virtualNetworkGatewayDiagnosticsLogs = [for log in virtualNetworkGatewayLogsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] +var publicIpDiagnosticsLogs = [for log in publicIpLogsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var zoneRedundantSkus = [ 'VpnGw1AZ' 'VpnGw2AZ' 
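Review bot: `publicIpLogsToEnable` and `virtualNetworkGatewayLogsToEnable` carry the identical `@description('Optional. The name of logs that will be streamed.')`, so in the generated readme the two parameters differ only by name; name the target resource in each (public IP vs. virtual network gateway). Logs are split per resource but there is a single `metricsToEnable`/`diagnosticsMetrics`; if `AllMetrics` is meant to feed both the public IP and the gateway diagnostic settings, say so in its description. A blank line is also missing between the `virtualNetworkGatewayDiagnosticsLogs` and `publicIpDiagnosticsLogs` var blocks.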
@@ -203,85 +266,7 @@ var vpnClientConfiguration = { vpnClientRootCertificates: (empty(clientRootCertData) ? json('null') : vpnClientRootCertificates) vpnClientRevokedCertificates: (empty(clientRevokedCertThumbprint) ? json('null') : vpmClientRevokedCertificates) } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var publicIpDiagnosticsLogs = [ - { - category: 'DDoSProtectionNotifications' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'DDoSMitigationFlowLogs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'DDoSMitigationReports' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var virtualNetworkGatewayDiagnosticsLogs = [ - { - category: 'GatewayDiagnosticLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'TunnelDiagnosticLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'RouteDiagnosticLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'IKEDiagnosticLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'P2SDiagnosticLog' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
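Review bot: unrelated to the removal but visible in the hunk context, `vpnClientRevokedCertificates: (empty(clientRevokedCertThumbprint) ? json('null') : vpmClientRevokedCertificates)` references a variable spelled `vpm...` next to a property spelled `vpn...`; if that is the real variable name, a follow-up rename to `vpnClientRevokedCertificates` would avoid the confusion.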
diff --git a/arm/Microsoft.Network/virtualNetworkGateways/readme.md b/arm/Microsoft.Network/virtualNetworkGateways/readme.md index c952425571..c225d900f0 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/readme.md +++ b/arm/Microsoft.Network/virtualNetworkGateways/readme.md 
@@ -1,48 +1,50 @@ -# VirtualNetworkGateway +# VirtualNetworkGateway `[Microsoft.Network/virtualNetworkGateways]` This module deploys a Virtual Network Gateway. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/publicIPAddresses`|2021-02-01| -|`Microsoft.Network/virtualNetworkGateways`|2021-02-01| -|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Network/virtualNetworkGateways/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/publicIPAddresses` | 2021-02-01 | +| `Microsoft.Network/virtualNetworkGateways` | 2021-02-01 | +| `Microsoft.Network/virtualNetworkGateways/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `activeActive` | bool | Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration | True | | -| `asn` | int | Optional. ASN value | 65815 | | -| `clientRevokedCertThumbprint` | string | Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | | | -| `clientRootCertData` | string | Optional. Client root certificate data used to authenticate VPN clients. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Required. 
Resource identifier of the Diagnostic Storage Account. | | | -| `domainNameLabel` | array | Optional. DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | System.Object[] | | -| `enableBgp` | bool | Optional. Value to specify if BGP is enabled or not | True | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `gatewayPipName` | array | Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `publicIPPrefixId` | string | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | | -| `publicIpZones` | string | Optional. Specifies the zones of the Public IP address. | "1" | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. 
Tags of the resource. | | | -| `virtualNetworkGatewayName` | string | Required. Specifies the Virtual Network Gateway name. | | | -| `virtualNetworkGatewaySku` | string | Required. The Sku of the Gateway. | | System.Object[] | -| `virtualNetworkGatewayType` | string | Required. Specifies the gateway type. E.g. VPN, ExpressRoute | | System.Object[] | -| `vNetId` | string | Required. Virtual Network resource Id | | | -| `vpnClientAddressPoolPrefix` | string | Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | | | -| `vpnType` | string | Required. Specifies the VPN type | RouteBased | System.Object[] | -| `workspaceId` | string | Required. Resource identifier of Log Analytics. | | | +| `activeActive` | bool | `True` | | Optional. Value to specify if the Gateway should be deployed in active-active or active-passive configuration | +| `asn` | int | `65815` | | Optional. ASN value | +| `clientRevokedCertThumbprint` | string | | | Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | +| `clientRootCertData` | string | | | Optional. Client root certificate data used to authenticate VPN clients. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Required. Resource identifier of the Diagnostic Storage Account. | +| `domainNameLabel` | array | `[]` | | Optional. DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. 
A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com | +| `enableBgp` | bool | `True` | | Optional. Value to specify if BGP is enabled or not | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `gatewayPipName` | array | `[]` | | Optional. Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `publicIpLogsToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | Optional. The name of logs that will be streamed. | +| `publicIPPrefixId` | string | | | Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| `publicIpZones` | array | `[1]` | | Optional. Specifies the zones of the Public IP address. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `virtualNetworkGatewayLogsToEnable` | array | `[GatewayDiagnosticLog, TunnelDiagnosticLog, RouteDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog]` | `[GatewayDiagnosticLog, TunnelDiagnosticLog, RouteDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog]` | Optional. The name of logs that will be streamed. | +| `virtualNetworkGatewayName` | string | | | Required. Specifies the Virtual Network Gateway name. | +| `virtualNetworkGatewaySku` | string | | `[Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ]` | Required. The Sku of the Gateway. | +| `virtualNetworkGatewayType` | string | | `[Vpn, ExpressRoute]` | Required. Specifies the gateway type. E.g. VPN, ExpressRoute | +| `vNetId` | string | | | Required. Virtual Network resource Id | +| `vpnClientAddressPoolPrefix` | string | | | Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | +| `vpnType` | string | `RouteBased` | `[PolicyBased, RouteBased]` | Required. Specifies the VPN type | +| `workspaceId` | string | | | Required. Resource identifier of Log Analytics. | ### Parameter Usage: `subnets` 
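Review bot: `publicIpZones` changes type from `string` (default `"1"`) to `array` (default `[1]`) in the regenerated table, which breaks any caller still passing a string; call it out in the PR description. Also, `diagnosticStorageAccountId` and `workspaceId` are listed as `Required.` with no default here, while the trafficmanagerprofiles readme in the same PR lists both as `Optional.`; diagnostic destinations are normally optional, so check the descriptions in deploy.bicep and align the two modules.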
@@ -123,21 +125,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `activeActive` | bool | Shows if the VNet gateway is configured in active-active mode. | -| `virtualNetworkGatewayName` | string | The Name of the Virtual Network Gateway. | -| `virtualNetworkGatewayResourceGroup` | string | The Resource Group the Virtual Network Gateway was deployed. | -| `virtualNetworkGatewayResourceId` | string | The Resource Id of the Virtual Network Gateway. | +| Output Name | Type | +| :-- | :-- | +| `activeActive` | bool | +| `virtualNetworkGatewayName` | string | +| `virtualNetworkGatewayResourceGroup` | string | +| `virtualNetworkGatewayResourceId` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network virtualNetworkGateways template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-02-01/virtualnetworkgateways) -- [What is VPN Gateway?](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) -- [ExpressRoute virtual network gateway and FastPath](https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways) -- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Publicipaddresses](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/publicIPAddresses) +- 
[Virtualnetworkgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/virtualNetworkGateways) diff --git a/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep index bfaed96999..279490a7b0 100644 --- a/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/virtualNetworks/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/virtualNetworks/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index f172bbc946..4e12059a1f 100644 --- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep 
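Review bot: the `activeActive` output in particular needs its description kept ('Shows if the VNet gateway is configured in active-active mode.'), since a bool output with the same name as an input parameter is ambiguous without it. The Template references hunk also drops the conceptual links (VPN Gateway overview, ExpressRoute virtual network gateways, Public IP address prefix) that explained `publicIPPrefixId` and the SKU choices; if the generator only emits template references, keep those in a separate hand-maintained section. The virtualNetworks `nested_rbac.bicep` hunk on this line has the same `roleAssigment` misspelling in the symbolic name as the other RBAC hunks.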
@@ -51,33 +51,48 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'VMProtectionAlerts' +]) +param logsToEnable array = [ + 'VMProtectionAlerts' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var dnsServers_var = { dnsServers: array(dnsServers) } var ddosProtectionPlan = { id: ddosProtectionPlanId } -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var diagnosticsLogs = [ - { - category: 'VMProtectionAlerts' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md index cb05e8ded6..9a93da73a4 100644 --- a/arm/Microsoft.Network/virtualNetworks/readme.md +++ b/arm/Microsoft.Network/virtualNetworks/readme.md 
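Review bot: `@allowed([ 'VMProtectionAlerts' ])` and the default `param logsToEnable array = [ 'VMProtectionAlerts' ]` duplicate the category list, so both must be edited by hand whenever Azure adds a category for virtual networks; a comment above `@allowed` pointing to the diagnostic category reference would save the next editor the lookup. The `@description` strings should also name the log categories rather than 'The name of logs', as in the other modules of this PR.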
@@ -1,37 +1,38 @@ -# Virtual Network +# Virtual Network `[Microsoft.Network/virtualNetworks]` This template deploys a Virtual Network (vNet) with 2 optional Subnets. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/virtualNetworks`|2021-05-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Network/virtualNetworks/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/virtualNetworks` | 2021-05-01 | +| `Microsoft.Network/virtualNetworks/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `ddosProtectionPlanId` | string | Optional. Resource Id of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `dnsServers` | array | Optional. DNS Servers associated to the Virtual Network. | System.Object[] | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `subnets` | array | Required. An Array of subnets to deploy to the Virual Network. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `vNetAddressPrefixes` | array | Required. An Array of 1 or more IP Address Prefixes for the Virtual Network. | | | -| `vNetName` | string | Required. The Virtual Network (vNet) Name. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `ddosProtectionPlanId` | string | | | Optional. Resource Id of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `dnsServers` | array | `[]` | | Optional. DNS Servers associated to the Virtual Network. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[VMProtectionAlerts]` | `[VMProtectionAlerts]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subnets` | array | | | Required. An Array of subnets to deploy to the Virual Network. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `vNetAddressPrefixes` | array | | | Required. An Array of 1 or more IP Address Prefixes for the Virtual Network. | +| `vNetName` | string | | | Required. The Virtual Network (vNet) Name. | +| `workspaceId` | string | | | Optional. 
Resource identifier of Log Analytics. | ### Parameter Usage: `vNetAddressPrefixes` 
@@ -142,24 +143,24 @@ Tag names and tag values can be provided as needed. A tag can be left without a } ``` -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `subnetIds` | array | The Resource Ids of the Subnets deployed to the Virtual Network. | -| `subnetNames` | array | The Names of the Subnets deployed to the Virtual Network. | -| `virtualNetworkName` | string | The name of the Virtual Network deployed. | -| `virtualNetworkResourceGroup` | string | The name of the Resource Group the Virtual Network was created in. | -| `virtualNetworkResourceId` | string | The Resource id of the Virtual Network deployed. | - ## Considerations When defining the Subnets to deploy using the `subnets` parameter, the JSON format to pass it must match the Subnet object that is normally passed in to the `subnets` property of a `virtualNetwork` within an ARM Template. The network security group and route table resources must reside in the same resource group as the virtual network. 
-## Additional resources +## Outputs + +| Output Name | Type | +| :-- | :-- | +| `subnetIds` | array | +| `subnetNames` | array | +| `virtualNetworkName` | string | +| `virtualNetworkResourceGroup` | string | +| `virtualNetworkResourceId` | string | + +## Template references -- [Microsoft.Network virtualNetworks template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-04-01/virtualnetworks) -- [What is Azure Virtual Network?](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Virtualnetworks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualNetworks) diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md index b620dc294f..5b621b6b2e 100644 --- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md +++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md 
@@ -1,13 +1,12 @@ -# VirtualNetworkPeering +# VirtualNetworkPeering `[Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings]` This template deploys Virtual Network Peering. ## Resource types -| Resource Type | Api Version | -| :--------------------------------------------------------- | :---------- | -| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | -| `Microsoft.Resources/deployments` | 2019-10-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | ### Resource dependency 
@@ -18,32 +17,26 @@ The following resources are required to be able to deploy this resource. ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :-------------------------- | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------- | :-------------- | -| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName | localVnetName-remoteVnetName | | -| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | -| `remoteVirtualNetworkId` | string | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | | | -| `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | `true` | | -| `allowGatewayTransit` | bool | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | `false` | | -| `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | `true` | | -| `doNotVerifyRemoteGateways` | bool | Optional. If we need to verify the provisioning state of the remote gateway. Default is true'. | `true` | | -| `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. 
If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | `false` | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `allowForwardedTraffic` | bool | `True` | | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true | +| `allowGatewayTransit` | bool | | | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false | +| `allowVirtualNetworkAccess` | bool | `True` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `doNotVerifyRemoteGateways` | bool | `True` | | Optional. If we need to verify the provisioning state of the remote gateway. Default is true | +| `localVnetName` | string | | | Required. The Name of the Virtual Network to add the peering to. | +| `peeringName` | string | `[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]` | | Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName | +| `remoteVirtualNetworkId` | string | | | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID | +| `useRemoteGateways` | bool | | | Optional. If remote gateways can be used on this virtual network. 
If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | ## Outputs -| Output Name | Type | Description | -| :----------------------------------- | :----- | :-------------------------------------------------------------------- | -| `virtualNetworkPeeringResourceId` | array | The Resource ID of the Local VNet Peering created in this deployment. | -| `virtualNetworkPeeringName` | array | The name of the VNet Peering resource . | -| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet Peering resource/. | +| Output Name | Type | +| :-- | :-- | +| `virtualNetworkPeeringName` | string | +| `virtualNetworkPeeringResourceGroup` | string | +| `virtualNetworkPeeringResourceId` | string | -## Considerations +## Template references -- *None* - -## Additional resources - -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [VirtualNetworks/VirtualNetworkPeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/virtualNetworks/virtualNetworkPeerings) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Virtualnetworks/Virtualnetworkpeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/virtualNetworks/virtualNetworkPeerings) diff --git a/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep index a08be3e328..34eca76b87 100644 --- a/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Network/virtualWans/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Network/virtualWans/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Network/virtualWans/readme.md b/arm/Microsoft.Network/virtualWans/readme.md index 04c081558f..e8c609c12d 100644 --- a/arm/Microsoft.Network/virtualWans/readme.md +++ b/arm/Microsoft.Network/virtualWans/readme.md 
@@ -1,42 +1,40 @@ -# Virtual Wan +# Virtual Wan `[Microsoft.Network/virtualWans]` This template deploys Virtual Wan ## Resource types -|ResourceType|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Network/virtualWans`|2021-05-01| -|`Microsoft.Network/virtualHubs`|2021-05-01| -|`Microsoft.Network/vpnSites`|2021-05-01| -|`Microsoft.Network/vpnGateways`|2021-05-01| -|`Microsoft.Network/virtualWans/providers/roleAssignments`|2018-09-01-preview| -|`Microsoft.Authorization/locks` | 2016-09-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/virtualHubs` | 2021-05-01 | +| `Microsoft.Network/virtualWans` | 2021-05-01 | +| `Microsoft.Network/virtualWans/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Network/vpnGateways` | 2021-05-01 | +| `Microsoft.Network/vpnSites` | 2021-05-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `virtualWanSku` | string | Standard | | Optional. Sku of the Virtual Wan. -| `hubName` | string | SampleVirtualHub | | Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan. -| `vpnGatewayName` | string | SampleVpnGateway | | Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub. -| `vpnSiteName` | string | SampleVpnSite | | Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation. -| `connectionName` | string | SampleVpnsiteVpnGwConnection | | Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway. -| `virtualHubName` | string | SampleVirtualHub | | Name of the Virtual Hub. A virtual hub is created inside a virtual wan. | -| `virtualWanName` | string | | Required. 
Name of the Virtual Wan | -| `vpnsiteAddressspaceList` | array | [] | | Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway. -| `vpnsitePublicIPAddress` | string | | | Required. he public IP address of a vpn site. -| `vpnsiteBgpAsn` | int | | | Required. The bgp asn number of a vpnsite. -| `vpnsiteBgpPeeringAddress` | string | | | Required. The bgp peer IP address of a vpnsite. -| `addressPrefix` | string | 192.168.0.0/24 | | Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet -| `enableBgp` | string | false | | Optional. his needs to be set to true if BGP needs to enabled on the vpn connection. -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Virtual Wan resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `addressPrefix` | string | `192.168.0.0/24` | | Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet | +| `connectionName` | string | `SampleVpnsiteVpnGwConnection` | | Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway. | +| `cuaId` | string | | | Optional. 
Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `enableBgp` | string | `false` | `[true, false]` | Optional. his needs to be set to true if BGP needs to enabled on the vpn connection. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `virtualHubName` | string | `SampleVirtualHub` | | Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan. | +| `virtualWanName` | string | | | Required. Name of the Virtual Wan. | +| `virtualWanSku` | string | `Standard` | `[Standard, Basic]` | Optional. Sku of the Virtual Wan. | +| `vpnGatewayName` | string | `SampleVpnGateway` | | Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub. | +| `vpnsiteAddressspaceList` | array | `[]` | | Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway. | +| `vpnsiteBgpAsn` | int | | | Required. The bgp asn number of a vpnsite. | +| `vpnsiteBgpPeeringAddress` | string | | | Required. The bgp peer IP address of a vpnsite. | +| `vpnSiteName` | string | `SampleVpnSite` | | Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation. | +| `vpnsitePublicIPAddress` | string | | | Required. 
he public IP address of a vpn site. | ### Parameter Usage: `roleAssignments` @@ -86,17 +84,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `virtualWanName` | string | The name of the WAN. | -| `virtualWanNameResourceGroup` | string | The Resource Group in which the resource is created. | -| `virtualWanNameResourceId` | string | The Reeosurce ID of the WAN. | +| Output Name | Type | +| :-- | :-- | +| `virtualWanName` | string | +| `virtualWanNameResourceGroup` | string | +| `virtualWanNameResourceId` | string | -## Considerations +## Template references -- Please note that this module is using a customized removal step. Instead of using a global removal step (Modules\ARM\.global\PipelineTemplates\pipeline.jobs.remove.yml), the module has its own, customized removal, located in the module's 'Pipeline' folder: (Modules\ARM\VirtualWan\Pipeline\pipeline.jobs.remove.VirtualWAN.yml) - -## Additional resources - -- [Microsoft.Network virtualWans template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/virtualwans) -- [About Azure Virtual Wan](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Virtualhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs) +- [Virtualwans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualWans) +- [Vpngateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways) +- [Vpnsites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnSites) diff --git a/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep index ca646a8522..4c64652e07 100644 
--- a/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.OperationalInsights/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.OperationalInsights/workspaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.OperationalInsights/workspaces/readme.md b/arm/Microsoft.OperationalInsights/workspaces/readme.md index 83fc19cb41..4da78b5302 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/readme.md +++ b/arm/Microsoft.OperationalInsights/workspaces/readme.md 
@@ -1,41 +1,40 @@ -# LogAnalytics +# LogAnalytics `[Microsoft.OperationalInsights/workspaces]` This template deploys Log Analytics. ## Resource types -|ResourceType|ApiVersion| -|:--|:--| -| `Microsoft.OperationalInsights/workspaces/datasources` | 2020-03-01-preview | -| `Microsoft.OperationalInsights/workspaces/linkedServices` | 2020-03-01-preview | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.OperationalInsights/workspaces/providers/roleAssignments` | 2020-03-01-preview | -| `Microsoft.OperationalInsights/workspaces/storageinsightconfigs` | 2020-03-01-preview | | `Microsoft.OperationalInsights/workspaces` | 2020-08-01 | -| `Microsoft.OperationsManagement/solutions` | 2015-11-01-preview | -| `Microsoft.Resources/deployments` | 2021-01-01 | +| `Microsoft.OperationalInsights/workspaces/dataSources` | 2020-03-01-preview | +| `Microsoft.OperationalInsights/workspaces/linkedServices` | 2020-03-01-preview | +| `Microsoft.OperationalInsights/workspaces/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.OperationalInsights/workspaces/savedSearches` | 2020-03-01-preview | +| `Microsoft.OperationalInsights/workspaces/storageInsightConfigs` | 2020-03-01-preview | +| `Microsoft.OperationsManagement/solutions` | 2015-11-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `activityLogAdditionalSubscriptionIDs` | array | Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from. | System.Object[] | | -| `automationAccountId` | string | Optional. 
Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `dailyQuotaGb` | int | Optional. The workspace daily quota for ingestion. | -1 | | -| `dataRetention` | int | Required. Number of days data will be retained for | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Log Analytics workspace resource identifier | | | -| `gallerySolutions` | array | Optional. LAW gallerySolutions from the gallery. | System.Object[] | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `logAnalyticsWorkspaceName` | string | Required. Name of the Log Analytics workspace | | | -| `publicNetworkAccessForIngestion` | string | Optional. The network access type for accessing Log Analytics ingestion. | Enabled | System.Object[] | -| `publicNetworkAccessForQuery` | string | Optional. The network access type for accessing Log Analytics query. | Enabled | System.Object[] | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `serviceTier` | string | Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode | PerGB2018 | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | -| `useResourcePermissions` | bool | Optional. 
Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | False | | +| `activityLogAdditionalSubscriptionIDs` | array | `[]` | | Optional. List of additional Subscription IDs to collect Activity logs from. The subscription holding the Log Analytics workspace is added by default. The user/SPN/managed identity has to have reader access on the subscription you'd like to collect Activity logs from. | +| `automationAccountId` | string | | | Optional. Automation Account resource identifier, value used to create a LinkedService between Log Analytics and an Automation Account. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `dailyQuotaGb` | int | `-1` | | Optional. The workspace daily quota for ingestion. | +| `dataRetention` | int | `365` | | Required. Number of days data will be retained for | +| `diagnosticStorageAccountId` | string | | | Optional. Log Analytics workspace resource identifier | +| `gallerySolutions` | array | `[]` | | Optional. LAW gallerySolutions from the gallery. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logAnalyticsWorkspaceName` | string | | | Required. Name of the Log Analytics workspace | +| `publicNetworkAccessForIngestion` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The network access type for accessing Log Analytics ingestion. | +| `publicNetworkAccessForQuery` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The network access type for accessing Log Analytics query. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `serviceTier` | string | `PerGB2018` | `[Free, Standalone, PerNode, PerGB2018]` | Required. Service Tier: PerGB2018, Free, Standalone, PerGB or PerNode | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `useResourcePermissions` | bool | | | Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | ### Parameter Usage: `gallerySolutions` 
@@ -119,26 +118,19 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `logAnalyticsName` | string | The Name of the Log Analytics workspace deployed. | -| `logAnalyticsResourceGroup` | string | The Resource Group log analytics was deployed to. | -| `logAnalyticsResourceId` | string | The Resource Id of the Log Analytics workspace deployed. | -| `logAnalyticsWorkspaceId` | string | The Workspace Id for Log Analytics. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `logAnalyticsName` | string | +| `logAnalyticsResourceGroup` | string | +| `logAnalyticsResourceId` | string | +| `logAnalyticsWorkspaceId` | string | -## Additional resources +## Template references -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-01-01/deployments) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces) -- [Workspaces/datasources](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/datasources) -- [Workspaces/storageinsightconfigs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/storageinsightconfigs) -- [SolutionS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) -- [Workspaces/linkedServices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/linkedServices) -- 
[Workspaces/providers/locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2016-09-01/workspaces/providers/locks) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-01-01/deployments) +- [Workspaces/Datasources](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/dataSources) +- [Workspaces/Linkedservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/linkedServices) +- [Workspaces/Savedsearches](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/savedSearches) +- [Workspaces/Storageinsightconfigs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/storageInsightConfigs) +- [Solutions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) diff --git a/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep b/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep index 2ae6fcbd74..848306a8ba 100644 --- a/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.RecoveryServices/vaults/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.RecoveryServices/vaults/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep index fc296bdab5..1c53577261 100644 --- a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep 
@@ -56,131 +56,67 @@ param lock string = 'NotSpecified' @description('Optional. Tags of the Recovery Service Vault resource.') param tags object = {} -var diagnosticsMetrics = [ - { - category: 'Health' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'AzureBackupReport' + 'CoreAzureBackup' + 'AddonAzureBackupJobs' + 'AddonAzureBackupAlerts' + 'AddonAzureBackupPolicy' + 'AddonAzureBackupStorage' + 'AddonAzureBackupProtectedInstance' + 'AzureSiteRecoveryJobs' + 'AzureSiteRecoveryEvents' + 'AzureSiteRecoveryReplicatedItems' + 'AzureSiteRecoveryReplicationStats' + 'AzureSiteRecoveryRecoveryPoints' + 'AzureSiteRecoveryReplicationDataUploadRate' + 'AzureSiteRecoveryProtectedDiskDataChurn' +]) +param logsToEnable array = [ + 'AzureBackupReport' + 'CoreAzureBackup' + 'AddonAzureBackupJobs' + 'AddonAzureBackupAlerts' + 'AddonAzureBackupPolicy' + 'AddonAzureBackupStorage' + 'AddonAzureBackupProtectedInstance' + 'AzureSiteRecoveryJobs' + 'AzureSiteRecoveryEvents' + 'AzureSiteRecoveryReplicatedItems' + 'AzureSiteRecoveryReplicationStats' + 'AzureSiteRecoveryRecoveryPoints' + 'AzureSiteRecoveryReplicationDataUploadRate' + 'AzureSiteRecoveryProtectedDiskDataChurn' ] -var diagnosticLogs = [ - { - category: 'AzureBackupReport' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'CoreAzureBackup' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AddonAzureBackupJobs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AddonAzureBackupAlerts' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AddonAzureBackupPolicy' - enabled: true - retentionPolicy: { - days: 
diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AddonAzureBackupStorage' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AddonAzureBackupProtectedInstance' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryJobs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryEvents' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryReplicatedItems' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryReplicationStats' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryRecoveryPoints' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } - { - category: 'AzureSiteRecoveryReplicationDataUploadRate' + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'Health' +]) +param metricsToEnable array = [ + 'Health' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } + days: diagnosticLogsRetentionInDays } - { - category: 'AzureSiteRecoveryProtectedDiskDataChurn' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -262,7 +198,7 @@ resource rsv_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0 eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) - logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticLogs) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: rsv } diff --git a/arm/Microsoft.RecoveryServices/vaults/readme.md b/arm/Microsoft.RecoveryServices/vaults/readme.md index 3971cf582f..5630e5fe94 100644 --- a/arm/Microsoft.RecoveryServices/vaults/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/readme.md 
@@ -1,40 +1,41 @@ -# RecoveryServicesVaults +# RecoveryServicesVaults `[Microsoft.RecoveryServices/vaults]` This module deploys Recovery Service Vault, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.RecoveryServices/vaults`|2021-08-01| -|`Microsoft.RecoveryServices/vaults/backupstorageconfig` | 2020-02-02 | -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.RecoveryServices/vaults/backupPolicies`|2019-05-13| -|`Microsoft.RecoveryServices/vaults/protectionContainers`|2016-12-01| -|`Microsoft.RecoveryServices/vaults/providers/roleAssignments`|2018-09-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | +| `Microsoft.RecoveryServices/vaults` | 2021-08-01 | +| `Microsoft.RecoveryServices/vaults/backupPolicies` | 2019-06-15 | +| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | 2020-02-02 | +| `Microsoft.RecoveryServices/vaults/protectionContainers` | 2016-12-01 | +| `Microsoft.RecoveryServices/vaults/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `backupPolicies` | array | Optional. List of all backup policies. | System.Object[] | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `protectionContainers` | array | Optional. List of all protection containers. | System.Object[] | | -| `recoveryVaultName` | string | Required. Name of the Azure Recovery Service Vault | | | -| `enableCRR` | bool | Optional. Enable CRR (Works if vault has not registered any backup instance) | True | | -| `vaultStorageType` | string | Optional. Change Vault Storage Type (Works if vault has not registered any backup instance) | GeoRedundant | System.Object[] | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the Recovery Service Vault resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `backupPolicies` | array | `[]` | | Optional. List of all backup policies. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `enableCRR` | bool | `True` | | Optional. Enable CRR (Works if vault has not registered any backup instance) | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AzureBackupReport, CoreAzureBackup, AddonAzureBackupJobs, AddonAzureBackupAlerts, AddonAzureBackupPolicy, AddonAzureBackupStorage, AddonAzureBackupProtectedInstance, AzureSiteRecoveryJobs, AzureSiteRecoveryEvents, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationStats, AzureSiteRecoveryRecoveryPoints, AzureSiteRecoveryReplicationDataUploadRate, AzureSiteRecoveryProtectedDiskDataChurn]` | `[AzureBackupReport, CoreAzureBackup, AddonAzureBackupJobs, AddonAzureBackupAlerts, AddonAzureBackupPolicy, AddonAzureBackupStorage, AddonAzureBackupProtectedInstance, AzureSiteRecoveryJobs, AzureSiteRecoveryEvents, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationStats, AzureSiteRecoveryRecoveryPoints, AzureSiteRecoveryReplicationDataUploadRate, AzureSiteRecoveryProtectedDiskDataChurn]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[Health]` | `[Health]` | Optional. The name of metrics that will be streamed. | +| `protectionContainers` | array | `[]` | | Optional. 
List of all protection containers. | +| `recoveryVaultName` | string | | | Required. Name of the Azure Recovery Service Vault | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the Recovery Service Vault resource. | +| `vaultStorageType` | string | `GeoRedundant` | `[LocallyRedundant, GeoRedundant]` | Optional. Change Vault Storage Type (Works if vault has not registered any backup instance) | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
@@ -326,16 +327,17 @@ Array of backup policies. They need to be properly formatted and can be VM backu ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `recoveryServicesVaultName` | string | The Name of the Recovery Services Vault. | -| `recoveryServicesVaultResourceGroup` | string | The Resource Group the Recovery Services Vault was deployed to. | -| `recoveryServicesVaultResourceId` | string | The Resource Id of the Recovery Services Vault. | +| Output Name | Type | +| :-- | :-- | +| `recoveryServicesVaultName` | string | +| `recoveryServicesVaultResourceGroup` | string | +| `recoveryServicesVaultResourceId` | string | -## Considerations +## Template references -## Additional resources - -- [Recovery Services vaults overview](https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview) -- [Microsoft.RecoveryServices vaults template reference](https://docs.microsoft.com/en-gb/azure/templates/microsoft.recoveryservices/allversions) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) +- [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults) +- [Vaults/Backuppolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2019-06-15/vaults/backupPolicies) +- [Vaults/Backupstorageconfig](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2020-02-02/vaults/backupstorageconfig) +- [Vaults/Protectioncontainers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2016-12-01/vaults/protectionContainers) 
diff --git a/arm/Microsoft.Resources/deploymentScripts/readme.md b/arm/Microsoft.Resources/deploymentScripts/readme.md index c056bf83e5..1581523089 100644 --- a/arm/Microsoft.Resources/deploymentScripts/readme.md +++ b/arm/Microsoft.Resources/deploymentScripts/readme.md 
@@ -1,40 +1,39 @@ -# Deployment Scripts +# Deployment Scripts `[Microsoft.Resources/deploymentScripts]` This module deploys Deployment Scripts. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Resources/deploymentScripts`|2020-10-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Resources/deploymentScripts` | 2020-10-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `scriptName` | string | | | Required. Display name of the script to be run. -| `userMsiName` | string | "" | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. -| `userMsiResourceGroup` | string | `resourceGroup().name` | | Optional. Resource group of the user assigned identity. | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `kind` | string | AzurePowerShell | AzurePowerShell, AzureCLI | Optional. Type of the script. AzurePowerShell, AzureCLI. -| `azPowerShellVersion` | string | 3.0 | | Optional. Azure PowerShell module version to be used. -| `azCliVersion` | string | | | Optional. Azure CLI module version to be used. -| `scriptContent` | string | "" | | Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. -| `primaryScriptUri` | string | "" | | Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. -| `environmentVariables` | array | [] | | Optional. The environment variables to pass over to the script. Must have a 'name' and a 'value' or a 'secretValue' property. -| `supportingScriptUris` | array | [] | | Optional. List of supporting files for the external script (defined in primaryScriptUri). 
Does not work with internal scripts (code defined in scriptContent). -| `arguments` | string | "" | | Optional. Command line arguments to pass to the script. Arguments are separated by spaces. -| `retentionInterval` | string | P1D | | Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). -| `runOnce` | bool | false | | Optional. When set to false, script will run every time the template is deployed. When set to true, the script will only run once. -| `cleanupPreference` | string | Always | Always, OnSuccess, OnExpiration | Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). -| `containerGroupName` | string | | | Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. -| `timeout` | string | PT1H | | Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. -| `baseTime` | string | `utcNow('yyyy-MM-dd-HH-mm-ss')` | | Generated. Do not provide a value! 
This date value is used to make sure the script run every time the template is deployed. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Virtual Network Gateway resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `arguments` | string | | | Optional. Command line arguments to pass to the script. Arguments are separated by spaces. | +| `azCliVersion` | string | | | Optional. Azure CLI module version to be used. | +| `azPowerShellVersion` | string | `3.0` | | Optional. Azure PowerShell module version to be used. | +| `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | | Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | +| `cleanupPreference` | string | `Always` | `[Always, OnSuccess, OnExpiration]` | Optional. The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). | +| `containerGroupName` | string | | | Optional. Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 
'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `environmentVariables` | array | `[]` | | Optional. The environment variables to pass over to the script. Must have a 'name' and a 'value' or a 'secretValue' property. | +| `kind` | string | `AzurePowerShell` | `[AzurePowerShell, AzureCLI]` | Optional. Type of the script. AzurePowerShell, AzureCLI. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `primaryScriptUri` | string | | | Optional. Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | +| `retentionInterval` | string | `P1D` | | Optional. Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | +| `runOnce` | bool | | | Optional. When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | +| `scriptContent` | string | | | Optional. Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. | +| `scriptName` | string | | | Required. Display name of the script to be run. | +| `supportingScriptUris` | array | `[]` | | Optional. List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). | +| `tags` | object | `{object}` | | Optional. Tags of the resource. 
| +| `timeout` | string | `PT1H` | | Optional. Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. | +| `userMsiName` | string | | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. | +| `userMsiResourceGroup` | string | `[resourceGroup().name]` | | Optional. Resource group of the user assigned identity. | ### Parameter Usage: `tags` 
@@ -55,18 +54,17 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `deploymentScriptName` | string | The Name of the Deployment Script. | -| `deploymentScriptResourceGroup` | string | The Resource Group the Deployment Script was deployed to. | -| `deploymentScriptResourceId` | string | The Resource Id of the Deployment Script. | +| Output Name | Type | +| :-- | :-- | +| `deploymentScriptName` | string | +| `deploymentScriptResourceGroup` | string | +| `deploymentScriptResourceId` | string | ## Considerations This module requires a User Assigned Identity (MSI, managed service identity) to exist, and this MSI has to have contributor rights on the subscription - that allows the Deployment Script to create the required Storage Account and the Azure Container Instance. -## Additional resources +## Template references -- [Tutorial: Use deployment scripts to create a self-signed certificate (Preview)](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-deployment-script) -- [Microsoft.Resources deploymentScripts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-10-01-preview/deploymentscripts) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Deploymentscripts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-10-01/deploymentScripts) diff --git a/arm/Microsoft.Resources/resourceGroups/readme.md b/arm/Microsoft.Resources/resourceGroups/readme.md index 839e122abb..564e12e34a 100644 --- a/arm/Microsoft.Resources/resourceGroups/readme.md +++ b/arm/Microsoft.Resources/resourceGroups/readme.md 
@@ -1,25 +1,24 @@ -# Resource Group +# Resource Group `[Microsoft.Resources/resourceGroups]` This module deploys Resource Groups. ## Resource types -| Resource Type | ApiVersion | -| :---------------------------------------- | :----------------- | -| `Microsoft.Resources/resourceGroups` | 2018-05-01 | -| `Microsoft.Resources/deployments` | 2018-05-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Authorization/roleAssignments` | 2018-09-01-preview | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Resources/resourceGroups` | 2019-05-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :------------------ | :----- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------- | :----------------------------------------- | -| `location` | string | Optional. Location of the Resource Group. It uses the deployment's location when not provided. | [deployment().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `resourceGroupName` | string | Required. The name of the Resource Group | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `tags` | object | Optional. Tags of the storage account resource. | | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `location` | string | `[deployment().location]` | | Optional. Location of the Resource Group. It uses the deployment's location when not provided. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `resourceGroupName` | string | | | Required. The name of the Resource Group | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `tags` | object | `{object}` | | Optional. Tags of the storage account resource. | ### Parameter Usage: `roleAssignments` 
@@ -67,22 +66,19 @@ Tag names and tag values can be provided as needed. A tag can be left without a } ``` -## Outputs - -| Output Name | Type | Description | -| :------------------------ | :----- | :------------------------------------ | -| `resourceGroupName` | string | The name of the Resource Group | -| `resourceGroupResourceId` | string | The resource id of the Resource Group | - -### Scripts +## Considerations -- There is no Scripts for this Module +This module requires a User Assigned Identity (MSI, managed service identity) to exist, and this MSI has to have contributor rights on the subscription - that allows the Deployment Script to create the required Storage Account and the Azure Container Instance. -## Considerations +## Outputs -- There is no deployment considerations for this Module +| Output Name | Type | +| :-- | :-- | +| `resourceGroupName` | string | +| `resourceGroupResourceId` | string | -## Additional resources +## Template references -- [Microsoft Resource Group template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/2019-05-01/resourcegroups) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Resourcegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-05-01/resourceGroups) diff --git a/arm/Microsoft.Security/azureSecurityCenter/readme.md b/arm/Microsoft.Security/azureSecurityCenter/readme.md index e25190cffc..05fa4ac073 100644 --- a/arm/Microsoft.Security/azureSecurityCenter/readme.md +++ b/arm/Microsoft.Security/azureSecurityCenter/readme.md 
@@ -1,41 +1,41 @@ -# AzureSecurityCenter +# AzureSecurityCenter `[Microsoft.Security/azureSecurityCenter]` This template enables Azure Security Center - Standard tier by default, could be overridden. ## Resource types -| Resource Type | ApiVersion | -| :-------------------------------------------- | :----------------- | -| `Microsoft.Resources/deployments` | 2019-10-01 | +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Security/advancedThreatProtectionSettings` | 2019-01-01 | | `Microsoft.Security/autoProvisioningSettings` | 2017-08-01-preview | -| `Microsoft.Security/deviceSecurityGroups` | 2019-08-01 | -| `Microsoft.Security/iotSecuritySolutions` | 2019-08-01 | -| `Microsoft.Security/pricings` | 2018-06-01 | -| `Microsoft.Security/securityContacts` | 2017-08-01-preview | -| `Microsoft.Security/workspaceSettings` | 2017-08-01-preview | +| `Microsoft.Security/deviceSecurityGroups` | 2019-08-01 | +| `Microsoft.Security/iotSecuritySolutions` | 2019-08-01 | +| `Microsoft.Security/pricings` | 2018-06-01 | +| `Microsoft.Security/securityContacts` | 2017-08-01-preview | +| `Microsoft.Security/workspaceSettings` | 2017-08-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :------------------------------------ | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :----------------- | -| `appServicesPricingTier` | string | Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. 
- Free or Standard | 'Free' | 'Free', 'Standard' | -| `autoProvision` | string | Optional. Describes what kind of security agent provisioning action to take. - On or Off | On | System.Object[] | -| `containerRegistryPricingTier` | string | Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `deviceSecurityGroupProperties` | object | Optional. Device Security group data | | | -| `ioTSecuritySolutionProperties` | object | Optional. Security Solution data | | | -| `kubernetesServicePricingTier` | string | Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `scope` | string | Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | | | -| `securityContactProperties` | object | Optional. Security contact data | | | -| `sqlServersPricingTier` | string | Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `sqlServerVirtualMachinesPricingTier` | string | Optional. The pricing tier value for SqlServerVirtualMachines. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `storageAccountsPricingTier` | string | Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `virtualMachinesPricingTier` | string | Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `keyVaultsPricingTier` | string | Optional. The pricing tier value for KeayVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `dnsPricingTier` | string | Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `armPricingTier` | string | Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `openSourceRelationalDatabasesTier` | string | Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | 'Free' | 'Free', 'Standard' | -| `workspaceId` | string | Required. The full Azure ID of the workspace to save the data in. | | | -| `enableAtp` | bool | Optional. Indicates whether Advanced Threat Protection is enabled. | False | bool | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `appServicesPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `armPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `autoProvision` | string | `On` | `[On, Off]` | Optional. Describes what kind of security agent provisioning action to take. - On or Off | +| `containerRegistryPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for ContainerRegistry. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `deviceSecurityGroupProperties` | object | `{object}` | | Optional. Device Security group data | +| `dnsPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `enableAtp` | bool | | | Optional. Indicates whether Advanced Threat Protection is enabled. | +| `ioTSecuritySolutionProperties` | object | `{object}` | | Optional. Security Solution data | +| `keyVaultsPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `kubernetesServicePricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `openSourceRelationalDatabasesTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `scope` | string | | | Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | +| `securityContactProperties` | object | `{object}` | | Optional. Security contact data | +| `sqlServersPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `sqlServerVirtualMachinesPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `storageAccountsPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `virtualMachinesPricingTier` | string | `Free` | `[Free, Standard]` | Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard | +| `workspaceId` | string | | | Required. 
The full Azure ID of the workspace to save the data in. | ### Parameter Usage: `deviceSecurityGroupProperties` @@ -130,13 +130,16 @@ This template enables Azure Security Center - Standard tier by default, could be ## Outputs -| Output Name | Type | Description | -| :------------ | :----- | :---------------------- | -| `workspaceId` | string | This is the workspaceid | +| Output Name | Type | +| :-- | :-- | +| `workspaceId` | string | -## Considerations +## Template references -## Additional resources - -- [What is Azure Security Center?](https://docs.microsoft.com/en-us/azure/security-center/security-center-intro) -- [Microsoft.Security template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.security/allversions) +- [Advancedthreatprotectionsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-01-01/advancedThreatProtectionSettings) +- [Autoprovisioningsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/autoProvisioningSettings) +- [Devicesecuritygroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/deviceSecurityGroups) +- [Iotsecuritysolutions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/iotSecuritySolutions) +- [Pricings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2018-06-01/pricings) +- [Securitycontacts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/securityContacts) +- [Workspacesettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/workspaceSettings) diff --git a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep index 06fa3f6ba1..3c1c340afd 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep 
+++ b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep @@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? json('null') : privateEndpoint.customDnsConfigs) : json('null')) } -resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -47,4 +47,3 @@ resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2020-05-01' = } } } - diff --git a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep index 6b695d072d..556685f1d1 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.ServiceBus/namespaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.ServiceBus/namespaces/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 6762728411..6430fdaa4d 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -88,34 +88,48 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param baseTime string = utcNow('u') -var moduleName = 'Service Bus Namespace' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'OperationalLogs' +]) +param logsToEnable array = [ + 'OperationalLogs' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var maxNameLength = 50 -var uniqueServiceBusNamespaceNameUntrim = uniqueString('${moduleName}${baseTime}') +var uniqueServiceBusNamespaceNameUntrim = uniqueString('Service Bus Namespace${baseTime}') var uniqueServiceBusNamespaceName = ((length(uniqueServiceBusNamespaceNameUntrim) > maxNameLength) ? substring(uniqueServiceBusNamespaceNameUntrim, 0, maxNameLength) : uniqueServiceBusNamespaceNameUntrim) var serviceBusNamespaceName_var = (empty(serviceBusNamespaceName) ? uniqueServiceBusNamespaceName : serviceBusNamespaceName) var defaultAuthorizationRuleId = resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', serviceBusNamespaceName_var, 'RootManageSharedAccessKey') var namespaceAlias_var = (empty(namespaceAlias) ? 
'placeholder' : namespaceAlias) -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } -] -var diagnosticsLogs = [ - { - category: 'OperationalLogs' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } -] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index e5f51c80b7..9b0ba006ff 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -1,4 +1,4 @@ -# ServiceBusNamespaces +# ServiceBusNamespaces `[Microsoft.ServiceBus/namespaces]` This module deploys Service Bus Namespace resource. 
@@ -6,45 +6,46 @@ This module deploys Service Bus Namespace resource. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | +| `Microsoft.ServiceBus/namespaces` | 2018-01-01-preview | | `Microsoft.ServiceBus/namespaces/AuthorizationRules` | 2017-04-01 | | `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | 2017-04-01 | -| `Microsoft.ServiceBus/namespaces/ipFilterRules` | 2018-01-01-preview | +| `Microsoft.ServiceBus/namespaces/ipfilterrules` | 2018-01-01-preview | | `Microsoft.ServiceBus/namespaces/migrationConfigurations` | 2017-04-01 | -| `Microsoft.ServiceBus/namespaces/virtualNetworkRules` | 2018-01-01-preview | -| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.ServiceBus/namespaces/providers/roleAssignments` | 2018-09-01-preview | -| `Microsoft.ServiceBus/namespaces` | 2018-01-01-preview | -| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.ServiceBus/namespaces/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.ServiceBus/namespaces/virtualnetworkrules` | 2018-01-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :--| :--| :-| :--| :----------------------------------------------------------------------------------------------------------------- | -| `serviceBusNamespaceName`| string | | | Optional. Name of the Service Bus Namespace.If no name is provided, then unique name will be created.| -| `location`| string | | | Required. The Geo-location where the resource lives. | | -| `skuName`| string | | | Required. Name of this SKU. - Basic, Standard, Premium. 
| Basic, Standard, Premium | -| `zoneRedundant`| string | | | Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | | -| `partnerNamespaceId` | string | Optional. ARM Id of the Primary/Secondary Service Bus namespace name, which is part of GEO DR pairing. | | | -| `namespaceAlias` | string | Optional. The Disaster Recovery configuration name. | | | -| `authorizationRules` | array | Optional. Authorization Rules for the Event Hub namespace. | System.Object[] | | -| `ipFilterRules` | array | Optional. IP Filter Rules for the Service Bus namespace (requires Premium sku). | System.Object[] | | -| `targetNamespace` | string | Optional. Existing premium Namespace ARM Id name which has no entities, will be used for migration. | | | -| `postMigrationName` | string | Optional. Name to access Standard Namespace after migration. | | | -| `virtualNetworkRuleSubnetIds` | array | Optional. vNet Rules SubnetIds for the Service Bus namespace. | System.Object[] | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `roleAssignments` | array | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `tags`| string | | | Optional. Tag names and tag values can be provided as needed (see below) | | -| `cuaId`| string | | | Customer Usage Attribution id (GUID). This GUID must be previously registered | | -| `baseTime` | string | utcNow('u') | | Generated. Do not provide a value! This date value is used to generate a SAS token toaccess the modules. +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `authorizationRules` | array | `[System.Collections.Hashtable]` | | Optional. Authorization Rules for the Service Bus namespace | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | +| `ipFilterRules` | array | `[]` | | Optional. IP Filter Rules for the Service Bus namespace | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[OperationalLogs]` | `[OperationalLogs]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `namespaceAlias` | string | | | Optional. The Disaster Recovery configuration name | +| `partnerNamespaceId` | string | | | Optional. ARM Id of the Primary/Secondary Service Bus namespace name, which is part of GEO DR pairing | +| `postMigrationName` | string | | | Optional. Name to access Standard Namespace after migration. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `serviceBusNamespaceName` | string | | | Optional. Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | +| `skuName` | string | `Basic` | `[Basic, Standard, Premium]` | Required. Name of this SKU. - Basic, Standard, Premium | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `targetNamespace` | string | | | Optional. Existing premium Namespace ARM Id name which has no entities, will be used for migration. 
| +| `virtualNetworkRuleSubnetIds` | array | `[]` | | Optional. vNet Rules SubnetIds for the Service Bus namespace. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `zoneRedundant` | bool | | | Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | ### Parameter Usage: `authorizationRules` 
@@ -176,20 +177,23 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `defaultAuthorizationRuleId` | string | The Id of the authorization rule marked by the variable with the same name. | -| `serviceBusConnectionString` | string | The Service Bus Namespace connection string. | -| `serviceBusNamespaceName` | string | The Name of the Service Bus Namespace. | -| `serviceBusNamespaceResourceGroup` | string | The name of the Resource Group the Service Bus Namespace was created in. | -| `serviceBusNamespaceResourceId` | string | The Resource Id of the Service Bus Namespace. | - -## Considerations - -*N/A* - -## Additional resources - -- [Microsoft.ServiceBus Namespace template reference](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces) -- [What is Azure Service Bus?](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +| Output Name | Type | +| :-- | :-- | +| `defaultAuthorizationRuleId` | string | +| `serviceBusConnectionString` | string | +| `serviceBusNamespaceName` | string | +| `serviceBusNamespaceResourceGroup` | string | +| `serviceBusNamespaceResourceId` | string | + +## Template references + +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/privateEndpoints/privateDnsZoneGroups) +- 
[Namespaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces) +- [Namespaces/Authorizationrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/AuthorizationRules) +- [Namespaces/Disasterrecoveryconfigs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/disasterRecoveryConfigs) +- [Namespaces/Ipfilterrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces/ipfilterrules) +- [Namespaces/Migrationconfigurations](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/migrationConfigurations) +- [Namespaces/Virtualnetworkrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces/virtualnetworkrules) diff --git a/arm/Microsoft.ServiceBus/namespacesResources/queues/deploy.bicep b/arm/Microsoft.ServiceBus/namespacesResources/queues/deploy.bicep index 9f272e3e0f..9d0d6760fd 100644 --- a/arm/Microsoft.ServiceBus/namespacesResources/queues/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespacesResources/queues/deploy.bicep @@ -133,7 +133,7 @@ resource serviceBusNamespaceQueue 'Microsoft.ServiceBus/namespaces/queues@2021-0 } resource serviceBusNamespaceQueue_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') { - name: '${serviceBusNamespaceQueue.name}-${lock}-lock' + name: '${split(serviceBusNamespaceQueue.name, '/')[1]}-${lock}-lock' properties: { level: lock notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' diff --git a/arm/Microsoft.ServiceBus/namespacesResources/queues/readme.md b/arm/Microsoft.ServiceBus/namespacesResources/queues/readme.md index f4750944fa..5d31c49ec2 100644 --- a/arm/Microsoft.ServiceBus/namespacesResources/queues/readme.md 
+++ b/arm/Microsoft.ServiceBus/namespacesResources/queues/readme.md @@ -1,4 +1,4 @@ -# ServiceBusQueues +# ServiceBusQueues `[Microsoft.ServiceBus/namespacesResources/queues]` This module deploys Service Bus Queue. 
@@ -6,38 +6,33 @@ This module deploys Service Bus Queue. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | 2017-04-01 | +| `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.ServiceBus/namespaces/providers/queues/roleAssignments` | 2020-04-01-preview | | `Microsoft.ServiceBus/namespaces/queues` | 2021-06-01-preview | -| `Microsoft.Authorization/locks` | 2016-09-01 | - -- Microsoft.ServiceBus/namespaces +| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | 2017-04-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | Optional. Authorization Rules for the Service Bus Queue | System.Object[] | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `deadLetteringOnMessageExpiration` | bool | Optional. A value that indicates whether this queue has dead letter support when a message expires. | True | | -| `defaultMessageTimeToLive` | string | Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | P14D | | -| `duplicateDetectionHistoryTimeWindow` | string | Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | PT10M | | -| `enableBatchedOperations` | bool | Optional. Value that indicates whether server-side batched operations are enabled. | True | | -| `enableExpress` | bool | Optional. A value that indicates whether Express Entities are enabled. 
An express queue holds a message in memory temporarily before writing it to persistent storage. | False | | -| `enablePartitioning` | bool | Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers. | False | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lockDuration` | string | Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | PT1M | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `maxDeliveryCount` | int | Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | 10 | | -| `maxSizeInMegabytes` | int | Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | 1024 | | -| `namespaceName` | string | Required. Name of the parent Service Bus Namespace for the Service Bus Queue. | | | -| `queueName` | string | Required. Name of the Service Bus Queue. | | | -| `requiresDuplicateDetection` | bool | Optional. A value indicating if this queue requires duplicate detection. | False | | -| `requiresSession` | bool | Optional. A value that indicates whether the queue supports the concept of sessions. | False | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `status` | string | Optional. 
Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown | Active | System.Object[] | -| `tags` | object | Optional. Tags of the resource. | | | +| `authorizationRules` | array | `[System.Collections.Hashtable]` | | Optional. Authorization Rules for the Service Bus Queue | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `deadLetteringOnMessageExpiration` | bool | `True` | | Optional. A value that indicates whether this queue has dead letter support when a message expires. | +| `defaultMessageTimeToLive` | string | `P14D` | | Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | +| `duplicateDetectionHistoryTimeWindow` | string | `PT10M` | | Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | +| `enableBatchedOperations` | bool | `True` | | Optional. Value that indicates whether server-side batched operations are enabled. | +| `enableExpress` | bool | | | Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. | +| `enablePartitioning` | bool | | | Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `lockDuration` | string | `PT1M` | | Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. 
The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | +| `maxDeliveryCount` | int | `10` | | Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | +| `maxSizeInMegabytes` | int | `1024` | | Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | +| `namespaceName` | string | | | Required. Name of the parent Service Bus Namespace for the Service Bus Queue. | +| `queueName` | string | | | Required. Name of the Service Bus Queue. | +| `requiresDuplicateDetection` | bool | | | Optional. A value indicating if this queue requires duplicate detection. | +| `requiresSession` | bool | | | Optional. A value that indicates whether the queue supports the concept of sessions. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `status` | string | `Active` | `[Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown]` | Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown | ### Parameter Usage: `authorizationRules` 
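Review bot: the regenerated parameter table leaks a PowerShell serialization artifact and drops real defaults. `authorizationRules` now shows `` `[System.Collections.Hashtable]` `` as its default, which is the `.ToString()` of the array element, not the actual default object; the generator should render the array content (or `[]` plus a pointer to the "Parameter Usage" section). The boolean rows `enableExpress`, `enablePartitioning`, `requiresDuplicateDetection` and `requiresSession` went from `False` to an empty Default Value cell, so a reader can no longer tell "defaults to false" from "no default"; render `False` explicitly. The `status` row repeats the whole allowed list in the Description column although the new Possible Values column already carries it. Also confirm that the removed `tags` and `location` rows reflect parameters actually dropped from `deploy.bicep` and not a generator omission.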
@@ -136,18 +131,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `namespaceQueueName` | string | The Name of the Service Bus Namespace. | -| `namespaceQueueResourceGroup` | string | The name of the Resource Group with the Service Bus Namespace. | -| `namespaceQueueResourceId` | string | The Resource Id of the Service Bus Queue. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `namespaceQueueName` | string | +| `namespaceQueueResourceGroup` | string | +| `namespaceQueueResourceId` | string | -## Additional resources +## Template references -- [About Service Bus Queue] (https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions) -- [Microsoft.ServiceBus/namespaces/queues template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.servicebus/namespaces/queues) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Namespaces/Queues](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/queues) +- [Namespaces/Queues/Authorizationrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) diff --git a/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep b/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep index f12a1050c1..bd5352226e 100644 --- a/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep 
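Review bot: the new Outputs table drops the Description column entirely, so `namespaceQueueName`, `namespaceQueueResourceGroup` and `namespaceQueueResourceId` are listed without any statement of what they contain; keep a three-column table and fix the old text while you are at it (the removed line `The Name of the Service Bus Namespace.` described `namespaceQueueName` incorrectly, it is the queue name). Removing "Considerations" is fine when it only said *N/A*, but the "Template references" list should keep the conceptual link to the Service Bus queues documentation that the old "Additional resources" section carried, since the API reference pages do not explain the queue/topic trade-offs.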
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Sql/managedInstances/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Sql/managedInstances/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep index 71adea962c..9c868ebbca 100644 --- a/arm/Microsoft.Sql/managedInstances/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep 
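Review bot: the symbolic name `roleAssigment` (missing "n") sits on the line this hunk rewrites for the `2021-04-01-preview` bump, so fix the spelling in the same change before more modules copy the nested template. The deterministic `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)` name is the right pattern for idempotent role assignments; keep it.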
@@ -138,37 +138,46 @@ param managedServiceIdentity string = 'SystemAssigned' @description('Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The list of user identities associated with the managed instance.') param userAssignedIdentities object = {} -var splittedKeyUri = split(customerManagedEnryptionKeyUri, '/') -var serverKeyName = (empty(customerManagedEnryptionKeyUri) ? 'ServiceManaged' : '${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}') -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ResourceUsageStats' + 'SQLSecurityAuditEvents' +]) +param logsToEnable array = [ + 'ResourceUsageStats' + 'SQLSecurityAuditEvents' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' ] -var diagnosticsLogs = [ - { - category: 'ResourceUsageStats' + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'SQLSecurityAuditEvents' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + +var splittedKeyUri = split(customerManagedEnryptionKeyUri, '/') +var serverKeyName = (empty(customerManagedEnryptionKeyUri) ? 
'ServiceManaged' : '${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}') + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -249,7 +258,7 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2020-08-01-preview' = { } } - resource vulnerabilityAssessments 'vulnerabilityAssessments@2018-06-01-preview' = if (enableAdvancedDataSecurity) { + resource vulnerabilityAssessments 'vulnerabilityAssessments@2021-02-01-preview' = if (enableAdvancedDataSecurity) { name: 'default' properties: { storageContainerPath: (enableAdvancedDataSecurity ? 'https://${split(vulnerabilityAssessmentsStorageAccountId, '/')[8]}.blob.core.windows.net/vulnerability-assessment/' : '') @@ -262,7 +271,7 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2020-08-01-preview' = { } } - resource administrators 'administrators@2017-03-01-preview' = if (!empty(azureAdAdmin)) { + resource administrators 'administrators@2021-02-01-preview' = if (!empty(azureAdAdmin)) { name: 'ActiveDirectory' properties: { administratorType: 'ActiveDirectory' diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md index 254e78ac66..ff1a2945c7 100644 --- a/arm/Microsoft.Sql/managedInstances/readme.md +++ b/arm/Microsoft.Sql/managedInstances/readme.md 
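Review bot: making diagnostics category-driven via `param logsToEnable array` turns `SQLSecurityAuditEvents` into an opt-out setting, and `@allowed([...])` does not stop a caller from passing `logsToEnable: []`, which silently disables audit-event streaming for the instance. Either document in the readme that audit events must stay in the list, or add `@minLength(1)` on `logsToEnable` (and `metricsToEnable`) so an empty array is rejected at validation time. The moved lines `var splittedKeyUri = split(customerManagedEnryptionKeyUri, '/')` and `'${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}'` still index up to segment 5, so a key URI without a version segment fails with an index error rather than a clear message; the parameter name typo `Enryption` is also carried over and is now part of the module interface, so a rename should be done in one deliberate breaking change rather than left indefinitely.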
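Review bot: the `vulnerabilityAssessments@2021-02-01-preview` bump leaves `storageContainerPath` built as `'https://${split(vulnerabilityAssessmentsStorageAccountId, '/')[8]}.blob.core.windows.net/vulnerability-assessment/'`, which hard-codes the public-cloud blob suffix; `environment().suffixes.storage` makes the path correct in sovereign clouds. The inner `enableAdvancedDataSecurity ? ... : ''` is redundant because the resource is already guarded by `if (enableAdvancedDataSecurity)`, and when the flag is on but `vulnerabilityAssessmentsStorageAccountId` is empty the `[8]` index throws; a parameter-level check would give a clearer error.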
@@ -1,68 +1,69 @@ -# SQL Managed Instances +# SQL Managed Instances `[Microsoft.Sql/managedInstances]` This template deploys an SQL Managed Instance, with resource lock. ## Resource types -|Resource Type|ApiVersion| -|:--|:--| -|`Microsoft.Sql/managedInstances`|2020-08-01-preview| -|`Microsoft.Sql/managedInstances/keys`|2017-10-01-preview| -|`Microsoft.Sql/managedInstances/encryptionProtector`|2017-10-01-preview| -|`Microsoft.Sql/managedInstances/securityAlertPolicies`|2017-03-01-preview| -|`Microsoft.Sql/managedInstances/vulnerabilityAssessments`|2018-06-01-preview| -|`Microsoft.Sql/managedInstances/administrators`|2017-03-01-preview| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Sql/managedInstances/providers/roleAssignments`|2020-04-01-preview| -|`Microsoft.Resources/deployments`|2019-10-01| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Sql/managedInstances` | 2020-08-01-preview | +| `Microsoft.Sql/managedInstances/administrators` | 2021-02-01-preview | +| `Microsoft.Sql/managedInstances/encryptionProtector` | 2017-10-01-preview | +| `Microsoft.Sql/managedInstances/keys` | 2017-10-01-preview | +| `Microsoft.Sql/managedInstances/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Sql/managedInstances/securityAlertPolicies` | 2017-03-01-preview | +| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | 2021-02-01-preview | ### Deployment prerequisites SQL Managed Instance is deployed on a virtual network. This network is required to satisfy the requirements explained [here](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-connectivity-architecture#network-requirements). In the module is a second ARM template UpdateSubnet.deploy.json, which configures a subnet to be ready for the SQL managed instance. 
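Review bot: the "Deployment prerequisites" paragraph still refers to "a second ARM template UpdateSubnet.deploy.json" while this PR converts the module to bicep and, per the PR description, removes redundant ARM files; confirm the file still ships with the module and link it, or update the paragraph to the bicep equivalent. The sorted resource-type table is an improvement, and dropping `Microsoft.Resources/deployments` is consistent with the module no longer emitting nested deployments.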
## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `administratorLogin` | string | Required. The username used to establish jumpbox VMs. | | | -| `administratorLoginPassword` | securestring | Required. The password given to the admin user. | | | -| `azureAdAdmin` | object | Optional. An Azure Active Directory administrator account. | | | -| `collation` | string | Optional. Collation of the managed instance. | SQL_Latin1_General_CP1_CI_AS | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `customerManagedEnryptionKeyUri` | string | Optional. The URI of the key (in Azure Key Vault) for transparent data encryption. The key vault must have SoftDelete enabled and must reside in the same region as the SQL MI. The managed identity of the SQL managed instance needs to have the following key permissions in the key vault: Get, Unwrap Key, Wrap Key. If blank, service managed key will be used. | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `dnsZonePartner` | string | Optional. The resource id of another managed instance whose DNS zone this managed instance will share after creation. | | | -| `enableAdvancedDataSecurity` | bool | Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. | False | | -| `enableRecuringVulnerabilityAssessmentsScans` | bool | Optional. Recurring scans state. | False | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `hardwareFamily` | string | Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here. | Gen5 | | -| `instancePoolId` | string | Optional. The Id of the instance pool this managed server belongs to. | | | -| `licenseType` | string | Optional. The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | LicenseIncluded | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `managedInstanceCreateMode` | string | Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | Default | | -| `managedInstanceName` | string | Required. The name of the SQL managed instance. | | | -| `proxyOverride` | string | Optional. Connection type used for connecting to the instance. | Proxy | -| `publicDataEndpointEnabled` | bool | Optional. Whether or not the public data endpoint is enabled. | False | | -| `restorePointInTime` | string | Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `sendScanReportEmailsToSubscriptionAdmins` | bool | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. | False | | -| `sendScanReportToEmailAddresses` | array | Optional. Specifies an array of e-mail addresses to which the scan notification is sent. | System.Object[] | | -| `skuName` | string | Optional. The name of the SKU, typically, a letter + Number code, e.g. P3. | GP_Gen5 | | -| `skuTier` | string | Optional. The tier or edition of the particular SKU, e.g. Basic, Premium. | GeneralPurpose | | -| `sourceManagedInstanceId` | string | Optional. The resource identifier of the source managed instance associated with create operation of this instance. | | | -| `storageSizeInGB` | int | Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | 32 | | -| `subnetId` | string | Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `timezoneId` | string | Optional. Id of the timezone. Allowed values are timezones supported by Windows. | UTC | | -| `vCores` | int | Optional. The number of vCores. | 4 | 8, 16, 24, 32, 40, 64, 80 | -| `vulnerabilityAssessmentsStorageAccountId` | string | Optional. A blob storage to hold the scan results. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `managedServiceIdentity` | string | Optional. The type of identity used for the managed instance. The type "None" (default) will remove any identities from the managed instance. 
| None | None, SystemAssigned, UserAssigned | -| `userAssignedIdentities` | object | Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The list of user identities associated with the managed instance. | {} | | +| `administratorLogin` | string | | | Required. The username used to establish jumpbox VMs. | +| `administratorLoginPassword` | secureString | | | Required. The password given to the admin user. | +| `azureAdAdmin` | object | `{object}` | | Optional. An Azure Active Directory administrator account. | +| `collation` | string | `SQL_Latin1_General_CP1_CI_AS` | | Optional. Collation of the managed instance. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customerManagedEnryptionKeyUri` | string | | | Optional. The URI of the key (in Azure Key Vault) for transparent data encryption. The key vault must have SoftDelete enabled and must reside in the same region as the SQL MI. The managed identity of the SQL managed instance needs to have the following key permissions in the key vault: Get, Unwrap Key, Wrap Key. If blank, service managed key will be used. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `dnsZonePartner` | string | | | Optional. The resource id of another managed instance whose DNS zone this managed instance will share after creation. | +| `enableAdvancedDataSecurity` | bool | | | Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. | +| `enableRecuringVulnerabilityAssessmentsScans` | bool | | | Optional. Recurring scans state. | +| `eventHubAuthorizationRuleId` | string | | | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `hardwareFamily` | string | `Gen5` | | Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here. | +| `instancePoolId` | string | | | Optional. The Id of the instance pool this managed server belongs to. | +| `licenseType` | string | `LicenseIncluded` | `[LicenseIncluded, BasePrice]` | Optional. The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[ResourceUsageStats, SQLSecurityAuditEvents]` | `[ResourceUsageStats, SQLSecurityAuditEvents]` | Optional. The name of logs that will be streamed. | +| `managedInstanceCreateMode` | string | `Default` | `[Default, PointInTimeRestore]` | Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | +| `managedInstanceName` | string | | | Required. The name of the SQL managed instance. | +| `managedServiceIdentity` | string | `SystemAssigned` | `[None, SystemAssigned, UserAssigned]` | Optional. The type of identity used for the managed instance. The type "None" (default) will remove any identities from the managed instance. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. 
The name of metrics that will be streamed. | +| `proxyOverride` | string | `Proxy` | `[Proxy, Redirect, Default]` | Optional. Connection type used for connecting to the instance. | +| `publicDataEndpointEnabled` | bool | | | Optional. Whether or not the public data endpoint is enabled. | +| `restorePointInTime` | string | | | Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sendScanReportEmailsToSubscriptionAdmins` | bool | | | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. | +| `sendScanReportToEmailAddresses` | array | `[]` | | Optional. Specifies an array of e-mail addresses to which the scan notification is sent. | +| `skuName` | string | `GP_Gen5` | | Optional. The name of the SKU, typically, a letter + Number code, e.g. P3. | +| `skuTier` | string | `GeneralPurpose` | | Optional. The tier or edition of the particular SKU, e.g. Basic, Premium. | +| `sourceManagedInstanceId` | string | | | Optional. The resource identifier of the source managed instance associated with create operation of this instance. | +| `storageSizeInGB` | int | `32` | | Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | +| `subnetId` | string | | | Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. 
| +| `timezoneId` | string | `UTC` | | Optional. Id of the timezone. Allowed values are timezones supported by Windows. | +| `userAssignedIdentities` | object | `{object}` | | Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The list of user identities associated with the managed instance. | +| `vCores` | int | `4` | | Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | +| `vulnerabilityAssessmentsStorageAccountId` | string | | | Optional. A blob storage to hold the scan results. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `azureAdAdmin` 
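Review bot: several rows in the regenerated table contradict themselves. `managedServiceIdentity` now shows default `` `SystemAssigned` `` (matching `param managedServiceIdentity string = 'SystemAssigned'` in deploy.bicep) but its description still says `The type "None" (default) will remove any identities`; update the description. `vCores` has default `` `4` `` while the description says `Allowed values: 8, 16, 24, 32, 40, 64, 80` and the Possible Values column is empty, so either the default is outside the `@allowed` set or the description is wrong; reconcile them. Booleans such as `enableAdvancedDataSecurity` and `publicDataEndpointEnabled` lost their `False` default in the same way as in the Service Bus readme. Minor: `administratorLogin` still says "used to establish jumpbox VMs", which does not describe the SQL MI administrator login, and the descriptions carry the typos "recuring", "assesment" and "will be is sent".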
@@ -124,18 +125,19 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the SQL managed instance. | -| `managedInstanceResourceGroup` | string | The Resource grpup in which this resource has been created. | -| `managedInstanceResourceId` | string | The Resource ID of the Managed instance. | - -## Considerations - -*N/A* - -## Additional resources - -- [Introduction to Azure SQL Managed Instance](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-index) -- [ARM Template schema for SQL Managed Instance](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/managedinstances) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +| Output Name | Type | +| :-- | :-- | +| `managedInstanceName` | string | +| `managedInstanceResourceGroup` | string | +| `managedInstanceResourceId` | string | + +## Template references + +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Managedinstances](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2020-08-01-preview/managedInstances) +- [Managedinstances/Administrators](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/managedInstances/administrators) +- [Managedinstances/Encryptionprotector](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2017-10-01-preview/managedInstances/encryptionProtector) +- [Managedinstances/Keys](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2017-10-01-preview/managedInstances/keys) +- 
[Managedinstances/Securityalertpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2017-03-01-preview/managedInstances/securityAlertPolicies) +- [Managedinstances/Vulnerabilityassessments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/managedInstances/vulnerabilityAssessments) diff --git a/arm/Microsoft.Sql/managedInstancesResources/databases/deploy.bicep b/arm/Microsoft.Sql/managedInstancesResources/databases/deploy.bicep index b867c788c4..2a85b19498 100644 --- a/arm/Microsoft.Sql/managedInstancesResources/databases/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstancesResources/databases/deploy.bicep @@ -172,7 +172,7 @@ resource managedInstanceDatabase 'Microsoft.Sql/managedInstances/databases@2020- } resource managedInstanceDatabase_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') { - name: '${managedInstanceDatabase.name}-${lock}-lock' + name: '${split(managedInstanceDatabase.name, '/')[1]}-${lock}-lock' properties: { level: lock notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' diff --git a/arm/Microsoft.Sql/managedInstancesResources/databases/readme.md b/arm/Microsoft.Sql/managedInstancesResources/databases/readme.md index 430ab48cdc..a9b658f965 100644 --- a/arm/Microsoft.Sql/managedInstancesResources/databases/readme.md +++ b/arm/Microsoft.Sql/managedInstancesResources/databases/readme.md 
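Review bot: the lock rename to `name: '${split(managedInstanceDatabase.name, '/')[1]}-${lock}-lock'` fixes the invalid slash in the lock name, but it assumes the symbolic resource's `name` is always `<instance>/<database>`; if the resource is later switched to the `parent:` property, `.name` becomes the bare database name and `[1]` is out of range. Using the module's `databaseName` parameter (documented in the readme) directly avoids the index assumption.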
@@ -1,19 +1,17 @@ -# SQL Managed Instances Database +# SQL Managed Instances Database `[Microsoft.Sql/managedInstancesResources/databases]` This template deploys an SQL Managed Instances Database. ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Sql/managedInstances/databases`|2020-02-02-preview| -|`Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies`|2017-03-01-preview| -|`Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies`|2021-02-01-preview| -|`Microsoft.Insights/diagnosticsettings`|2017-05-01-preview| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Resources/deployments`|2018-02-01| - +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Sql/managedInstances/databases` | 2020-02-02-preview | +| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | 2021-02-01-preview | +| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | 2017-03-01-preview | ### Deployment prerequisites 
@@ -21,36 +19,36 @@ The SQL Managed Instance Database is deployed on a SQL Managed Instance. ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `backupLongTermRetentionPoliciesName` | string | Required. The name of the Long Term Retention backup policy. | LTRdefault | | -| `backupShortTermRetentionPoliciesName` | string | Required. The name of the Short Term Retention backup policy. | Default | | -| `catalogCollation` | string | Optional. Collation of the managed instance. | SQL_Latin1_General_CP1_CI_AS | | -| `collation` | string | Optional. Collation of the managed instance database. | SQL_Latin1_General_CP1_CI_AS | | -| `createMode` | string | Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. | Default | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `databaseName` | string | Required. The name of the SQL managed instance database. | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `eventHubAuthorizationRuleId` | string | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `longTermRetentionBackupResourceId` | string | Optional. Conditional. The name of the Long Term Retention backup to be used for restore of this managed database. | | | -| `managedInstanceName` | string | Required. The name of the SQL managed instance. | | | -| `monthlyRetention` | string | Required. The monthly retention policy for an LTR backup in an ISO 8601 format. | P1Y | | -| `recoverableDatabaseId` | string | Optional. Conditional. The resource identifier of the recoverable database associated with create operation of this database. | | | -| `restorableDroppedDatabaseId` | string | Optional. Conditional. The restorable dropped database resource id to restore when creating this database. | | | -| `restorePointInTime` | string | Optional. Conditional. If createMode is PointInTimeRestore, this value is required. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | | | -| `retentionDays` | int | Required. The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | 35 | | -| `sourceDatabaseId` | string | Optional. Conditional. The resource identifier of the source database associated with create operation of this database. | | | -| `storageContainerSasToken` | string | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the storage container sas token. 
| | | -| `storageContainerUri` | string | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the uri of the storage container where backups for this restore are stored. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `weeklyRetention` | string | Required. The weekly retention policy for an LTR backup in an ISO 8601 format. | P1M | | -| `weekOfYear` | int | Required. The week of year to take the yearly backup in an ISO 8601 format. | 5 | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | -| `yearlyRetention` | string | Required. The yearly retention policy for an LTR backup in an ISO 8601 format. | P5Y | | +| `backupLongTermRetentionPoliciesName` | string | `default` | | Required. The name of the Long Term Retention backup policy. | +| `backupShortTermRetentionPoliciesName` | string | `Default` | | Required. The name of the Short Term Retention backup policy. | +| `catalogCollation` | string | `SQL_Latin1_General_CP1_CI_AS` | | Optional. Collation of the managed instance. | +| `collation` | string | `SQL_Latin1_General_CP1_CI_AS` | | Optional. Collation of the managed instance database. | +| `createMode` | string | `Default` | `[Default, RestoreExternalBackup, PointInTimeRestore, Recovery, RestoreLongTermRetentionBackup]` | Optional. Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered | +| `databaseName` | string | | | Required. The name of the SQL managed instance database. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `longTermRetentionBackupResourceId` | string | | | Optional. Conditional. The name of the Long Term Retention backup to be used for restore of this managed database. | +| `managedInstanceName` | string | | | Required. The name of the SQL managed instance. | +| `monthlyRetention` | string | `P1Y` | | Required. The monthly retention policy for an LTR backup in an ISO 8601 format. | +| `recoverableDatabaseId` | string | | | Optional. Conditional. The resource identifier of the recoverable database associated with create operation of this database. | +| `restorableDroppedDatabaseId` | string | | | Optional. Conditional. The restorable dropped database resource id to restore when creating this database. | +| `restorePointInTime` | string | | | Optional. Conditional. If createMode is PointInTimeRestore, this value is required. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. 
| +| `retentionDays` | int | `35` | | Required. The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | +| `sourceDatabaseId` | string | | | Optional. Conditional. The resource identifier of the source database associated with create operation of this database. | +| `storageContainerSasToken` | string | | | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the storage container sas token. | +| `storageContainerUri` | string | | | Optional. Conditional. If createMode is RestoreExternalBackup, this value is required. Specifies the uri of the storage container where backups for this restore are stored. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `weeklyRetention` | string | `P1M` | | Required. The weekly retention policy for an LTR backup in an ISO 8601 format. | +| `weekOfYear` | int | `5` | | Required. The week of year to take the yearly backup in an ISO 8601 format. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | +| `yearlyRetention` | string | `P5Y` | | Required. The yearly retention policy for an LTR backup in an ISO 8601 format. | ### Parameter Usage: `tags` 
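Review bot: `storageContainerSasToken` is still typed `string` in the regenerated parameter table (the `+| \`storageContainerSasToken\`` row) even though a SAS token is a credential; the servers readme further down in this same patch moves `administratorLoginPassword` to `secureString`, and this parameter deserves the same change so the token is not written into deployment history and logs. Two smaller points in the same table: `backupLongTermRetentionPoliciesName` is labelled 'Required.' yet now carries a default of `default` (it was `LTRdefault` before), and `longTermRetentionBackupResourceId` is described as 'The name of the Long Term Retention backup' although the parameter takes a resource ID.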
@@ -85,20 +83,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `managedInstanceDatabaseName` | string | The name of the SQL managed instance database. | -| `managedInstanceDatabaseResourceGroup` | string | The Resource Group in which the resource has been created. | -| `managedInstanceDatabaseResourceId` | string | The Resource ID of the Manged Instance database. | - -## Considerations - -*N/A* - +| Output Name | Type | +| :-- | :-- | +| `managedInstanceDatabaseName` | string | +| `managedInstanceDatabaseResourceGroup` | string | +| `managedInstanceDatabaseResourceId` | string | -## Additional resources +## Template references -- [Introduction to Azure SQL Managed Instance](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-index) -- [ARM Template schema for SQL Managed Instance Database](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/managedinstances/databases) -- [ARM Template schema for SQL Managed Instance](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/managedinstances) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Managedinstances/Databases](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2020-02-02-preview/managedInstances/databases) +- [Managedinstances/Databases/Backuplongtermretentionpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) +- 
[Managedinstances/Databases/Backupshorttermretentionpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2017-03-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) diff --git a/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep b/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep index 0db687e04f..3b68f4a481 100644 --- a/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Sql/servers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Sql/servers/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md index 6edeccd6e7..72b4821bc9 100644 --- a/arm/Microsoft.Sql/servers/readme.md +++ b/arm/Microsoft.Sql/servers/readme.md 
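Review bot: the rewritten Outputs table drops the Description column, so `managedInstanceDatabaseName`, `managedInstanceDatabaseResourceGroup` and `managedInstanceDatabaseResourceId` are now listed with no indication of what they return; if the readme generator cannot read output descriptions yet, keep the column (the three removed descriptions are right there in the `-` lines, minus the 'Manged' typo) rather than deleting the documentation. The same loss happens in the Outputs tables of the servers and databases readmes below.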
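Review bot: the symbolic resource name `roleAssigment` on the changed `resource` line is misspelled (missing an 'n'); since the line is touched anyway for the `2021-04-01-preview` bump and the symbol is internal to the nested file, rename it to `roleAssignment`, which is what `nested_container_rbac.bicep`, `nested_fileShare_rbac.bicep` and `nested_queue_rbac.bicep` in this patch already use. The same typo is in `arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep` below.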
@@ -1,35 +1,31 @@ -# AzureSQLServer +# AzureSQLServer `[Microsoft.Sql/servers]` This module deploys an Azure SQL Server. - ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Sql/servers`|2015-05-01-preview| -|`Microsoft.Sql/servers/firewallRules`|2021-02-01-preview| -|`Microsoft.Sql/servers/securityAlertPolicies`|2021-02-01-preview| -|`Microsoft.Sql/servers/providers/roleAssignments`|2018-09-01-preview| -|`Microsoft.Authorization/locks` |2016-09-01| - - +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Sql/servers` | 2020-02-02-preview | +| `Microsoft.Sql/servers/firewallRules` | 2021-02-01-preview | +| `Microsoft.Sql/servers/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Sql/servers/securityAlertPolicies` | 2021-02-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `administratorLogin` | string | Required. Administrator username for the server. | | | -| `administratorLoginPassword` | securestring | Required. The administrator login password. | | | -| `allowAzureIps` | bool | Required. Whether or not Azure IP's are allowed. | False | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `enableADS` | bool | Optional. Whether or not ADS should be enabled. | False | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `serverName` | string | Required. The name of the server. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | +| `administratorLogin` | string | | | Required. Administrator username for the server. | +| `administratorLoginPassword` | secureString | | | Required. The administrator login password. | +| `allowAzureIps` | bool | | | Required. Whether or not Azure IP's are allowed. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `enableADS` | bool | | | Optional. Whether or not ADS should be enabled. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `serverName` | string | | | Required. The name of the server. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | ### Parameter Usage: `roleAssignments` 
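Review bot: in the new parameter table `allowAzureIps` and `enableADS` show an empty Default Value where the old table showed `False`, while `allowAzureIps` is still labelled 'Required.'; either the generator drops falsy defaults (`false`, `0`), in which case a reader cannot tell 'no default' from 'defaults to false' and the literal should be printed, or the defaults were really removed, in which case `enableADS` must be labelled 'Required.' as well. The same pattern shows up for `zoneRedundant`, `enableSqlLedger` and `numberOfReplicas` in the databases readme and for `automaticSnapshotPolicyEnabled`, `enableArchiveAndDelete` and `enableHierarchicalNamespace` in the storage account readme. Changing `administratorLoginPassword` to `secureString` is the right call.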
@@ -79,19 +75,15 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `serverName` | string | The name of the target SQL Server instance. | -| `serverResourceGroup` | string | The Resource Group in which the server is created. | -| `serverResourceId` | string | The resource ID of the server. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `serverName` | string | +| `serverResourceGroup` | string | +| `serverResourceId` | string | -## Additional resources +## Template references -- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/bastionhosts) -- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) -- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Servers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2020-02-02-preview/servers) +- [Servers/Firewallrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/firewallRules) +- [Servers/Securityalertpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/securityAlertPolicies) diff --git a/arm/Microsoft.Sql/serversResources/databases/readme.md b/arm/Microsoft.Sql/serversResources/databases/readme.md index b9ea03dd19..e217628074 100644 --- a/arm/Microsoft.Sql/serversResources/databases/readme.md +++ b/arm/Microsoft.Sql/serversResources/databases/readme.md 
@@ -1,37 +1,36 @@ -# AzureSQLDatabase +# AzureSQLDatabase `[Microsoft.Sql/serversResources/databases]` This module deploys an Azure SQL Server. ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Sql/servers/databases`|2017-10-01-preview| +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Sql/servers/databases` | 2021-02-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `autoPauseDelay` | string | Optional. Time in minutes after which database is automatically paused. | | | -| `collation` | string | Optional. The collation of the database. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `databaseName` | string | Required. The name of the database. | | | -| `licenseType` | string | Optional. The license type to apply for this database. | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `maxSizeBytes` | int | Optional. The max size of the database expressed in bytes. | | | -| `minCapacity` | string | Optional. Minimal capacity that database will always have allocated. | | | -| `numberOfReplicas` | int | Optional. The number of readonly secondary replicas associated with the database. | 0 | | -| `readScaleOut` | string | Optional. The state of read-only routing. | Disabled | | -| `sampleName` | string | Optional. The name of the sample schema to apply when creating this database. | | | -| `serverName` | string | Required. The Name of SQL Server | | | -| `skuName` | string | Required. The name of the SKU. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `tier` | string | Optional. The tier or edition of the particular SKU. | | | -| `zoneRedundant` | bool | Optional. 
Whether or not this database is zone redundant. | False | | -| `requestedBackupStorageRedundancy` | string | Optional. The storage account type to be used to store backups for this database | | `Geo`, `Local`, `Zone` | -| `enableSqlLedger` | bool | Optional.Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | False | | -| `maintenanceConfigurationId` | bool | Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur | False | | +| `autoPauseDelay` | string | | | Optional. Time in minutes after which database is automatically paused. | +| `collation` | string | | | Optional. The collation of the database. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `databaseName` | string | | | Required. The name of the database. | +| `enableSqlLedger` | bool | | | Optional. Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | +| `licenseType` | string | | | Optional. The license type to apply for this database. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `maintenanceConfigurationId` | string | | | Optional. Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur. | +| `maxSizeBytes` | int | | | Optional. The max size of the database expressed in bytes. | +| `minCapacity` | string | | | Optional. Minimal capacity that database will always have allocated. | +| `numberOfReplicas` | int | | | Optional. The number of readonly secondary replicas associated with the database. 
| +| `readScaleOut` | string | `Disabled` | | Optional. The state of read-only routing. | +| `requestedBackupStorageRedundancy` | string | | `[Geo, Local, Zone, ]` | Optional. The storage account type to be used to store backups for this database. | +| `sampleName` | string | | | Optional. The name of the sample schema to apply when creating this database. | +| `serverName` | string | | | Required. The Name of SQL Server | +| `skuName` | string | | | Required. The name of the SKU. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `tier` | string | | | Optional. The tier or edition of the particular SKU. | +| `zoneRedundant` | bool | | | Optional. Whether or not this database is zone redundant. | ### Parameter Usage: `tags` @@ -52,19 +51,12 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `databaseName` | string | The name of the created database. | -| `databaseResourceGroup` | string | Name of the Databse ResourceGroup. | -| `serverName` | string | The name of the target SQL Server instance. | +| Output Name | Type | +| :-- | :-- | +| `databaseName` | string | +| `databaseResourceGroup` | string | +| `serverName` | string | -## Considerations +## Template references -*N/A* - -## Additional resources - -- [Microsoft.Network bastionHosts template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/bastionhosts) -- [What is Azure Bastion?](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) -- [Public IP address prefix](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Servers/Databases](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) 
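Review bot: the new `requestedBackupStorageRedundancy` row renders its allowed values as `[Geo, Local, Zone, ]`, with a trailing empty entry; either the template's `@allowed` list contains an empty string that should be dropped, or the generator should skip empty values when it builds the Possible Values column. Also in this hunk, the intro line 'This module deploys an Azure SQL Server.' is carried over unchanged although the module deploys a database on an existing server (`serverName` is Required); the type correction of `maintenanceConfigurationId` from `bool` to `string` is good.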
diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_container_rbac.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_container_rbac.bicep index 9466c4626b..4c88de4083 100644 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_container_rbac.bicep +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_container_rbac.bicep @@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${(empty(roleAssignmentObj) ? guid(resourceName) : guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName))}' properties: { roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_fileShare_rbac.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_fileShare_rbac.bicep index 9c3702a19a..334edd6a79 100644 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_fileShare_rbac.bicep +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_fileShare_rbac.bicep 
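Review bot: the `empty(roleAssignmentObj) ? guid(resourceName) : guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)` expression in the `name` of the changed `resource` can never take its first arm: the resource is declared with `[for principalId in roleAssignmentObj.principalIds: ...]`, so an empty `roleAssignmentObj` fails on `.principalIds` before any name is computed. Since the adjacent line is being touched for the API bump, either drop the dead branch (the Sql `nested_rbac.bicep` in this patch uses the plain three-argument `guid(...)`) or make the `for` expression fall back to an empty array when `principalIds` is absent. The same expression is in `nested_fileShare_rbac.bicep` and `nested_queue_rbac.bicep` below.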
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssignment 'Microsoft.Storage/storageAccounts/fileServices/fileshares/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Storage/storageAccounts/fileServices/fileshares/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${(empty(roleAssignmentObj) ? guid(resourceName) : guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName))}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep index 6160e54c1a..ea320c7f26 100644 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep @@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags 
@@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_queue_rbac.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_queue_rbac.bicep index 2e55859cec..6b94f4c23f 100644 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_queue_rbac.bicep +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_queue_rbac.bicep @@ -2,7 +2,7 @@ param resourceName string param roleAssignmentObj object param builtInRoleNames object -resource roleAssignment 'Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssignment 'Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${(empty(roleAssignmentObj) ? guid(resourceName) : guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName))}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep index 1478f0cd76..abb09e3279 100644 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep 
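Review bot: `privateDnsZoneGroups` is bumped to `2021-02-01` in this hunk while the parent `Microsoft.Network/privateEndpoints` in the previous hunk moves to `2021-05-01`; a child on an older API version than its parent is valid but easy to misread as an oversight. Unless there is a reason to pin the zone group lower, align both to one version and regenerate the readme's Resource types table (which currently mirrors the split: `2021-02-01` for the zone groups, `2021-05-01` for the endpoint).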
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Storage/storageAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Storage/storageAccounts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index a59f75bc91..e6be70bf24 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep @@ -291,7 +291,7 @@ module storageAccount_privateEndpoints './.bicep/nested_privateEndpoint.bicep' = }] // Containers -resource storageAccount_nested_blob_services 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = if (!empty(blobContainers)) { +resource storageAccount_nested_blob_services 'Microsoft.Storage/storageAccounts/blobServices@2021-08-01' = if (!empty(blobContainers)) { name: 'default' parent: storageAccount properties: { diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md index 0d643eb7fe..92e65c345e 100644 --- a/arm/Microsoft.Storage/storageAccounts/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/readme.md 
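Review bot: `storageAccounts/blobServices` moves to `2021-08-01` in the deploy.bicep hunk, but the child `blobServices/containers` and `containers/immutabilityPolicies` stay on `2019-06-01` according to the regenerated readme table below; if the bump was made to use a newer `blobServices` property, say which one in the commit message, and otherwise consider bumping the container resources alongside so the storage module does not straddle two API generations.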
@@ -1,4 +1,4 @@ -# StorageAccounts +# StorageAccounts `[Microsoft.Storage/storageAccounts]` This module is used to deploy an Azure Storage Account, with resource lock and the ability to deploy 1 or more Blob Containers and 1 or more File Shares. Optional ACLs can be configured on the Storage Account and optional RBAC can be assigned on the Storage Account and on each Blob Container and File Share. 
@@ -8,53 +8,54 @@ The default parameter values are based on the needs of deploying a diagnostic st | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2020-06-01 | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | +| `Microsoft.Storage/storageAccounts` | 2021-06-01 | +| `Microsoft.Storage/storageAccounts/blobServices` | 2021-08-01 | | `Microsoft.Storage/storageAccounts/blobServices/containers` | 2019-06-01 | -| `Microsoft.Storage/storageAccounts/blobServices` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments` | 2021-04-01-preview | +| `Microsoft.Storage/storageAccounts/fileServices/fileshares/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.Storage/storageAccounts/fileServices/shares` | 2019-06-01 | | `Microsoft.Storage/storageAccounts/managementPolicies` | 2019-06-01 | -| `Microsoft.Storage/storageAccounts/providers/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Storage/storageAccounts/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.Storage/storageAccounts/queueServices/queues` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments` | 2021-04-01-preview | | `Microsoft.Storage/storageAccounts/tableServices/tables` | 2019-06-01 | -| `Microsoft.Storage/storageAccounts` | 2021-06-01 | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | 2019-06-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | +| Parameter Name | Type | 
Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `allowBlobPublicAccess` | bool | True | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. | -| `automaticSnapshotPolicyEnabled` | bool | False | | Optional. Automatic Snapshot is enabled if set to true. | -| `azureFilesIdentityBasedAuthentication` | object | | | Optional. Provides the identity based authentication settings for Azure Files. | -| `baseTime` | string | [utcNow('u')] | | Generated. Do not provide a value! This date value is used to generate values if e.g. no `storageAccountName` was provided. | -| `blobContainers` | array | System.Object[] | | Optional. Blob containers to create. | +| `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. | +| `automaticSnapshotPolicyEnabled` | bool | | | Optional. Automatic Snapshot is enabled if set to true. | +| `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Optional. Provides the identity based authentication settings for Azure Files. | +| `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | +| `blobContainers` | array | `[]` | | Optional. Blob containers to create. | | `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `deleteBlobsAfter` | int | 1096 | | Optional. Set up the amount of days after which the blobs will be deleted | -| `deleteRetentionPolicy` | bool | True | | Optional. Indicates whether DeleteRetentionPolicy is enabled for the Blob service. | -| `deleteRetentionPolicyDays` | int | 7 | | Optional. Indicates the number of days that the deleted blob should be retained. The minimum specified value can be 1 and the maximum value can be 365. | -| `enableArchiveAndDelete` | bool | False | | Optional. 
If true, enables move to archive tier and auto-delete | -| `enableHierarchicalNamespace` | bool | False | | Optional. If true, enables Hierarchical Namespace for the storage account | -| `fileShares` | array | System.Object[] | | Optional. File shares to create. | -| `location` | string | [resourceGroup().location] | | Optional. Location for all resources. | -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `minimumTlsVersion` | string | TLS1_2 | System.Object[] | Optional. Set the minimum TLS version on request to storage. | -| `moveToArchiveAfter` | int | 30 | | Optional. Set up the amount of days after which the blobs will be moved to archive tier | -| `networkAcls` | object | | | Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. | -| `privateEndpoints` | array | System.Object[] | | Optional. Configuration Details for private endpoints. | -| `queues` | array | System.Object[] | | Optional. Queues to create. | -| `roleAssignments` | array | System.Object[] | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `managedServiceIdentity` | string | None | System.Object[] | Optional. Type of managed service identity. | -| `userAssignedIdentities` | object | | System.Object[] | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | -| `sasTokenValidityLength` | string | PT8H | | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. 
When not provided, the SAS token will be valid for 8 hours. | -| `storageAccountAccessTier` | string | Hot | System.Object[] | Optional. Storage Account Access Tier. | -| `storageAccountKind` | string | StorageV2 | System.Object[] | Optional. Type of Storage Account to create. | -| `storageAccountName` | string | | | Optional. Name of the Storage Account. If no name is provided, then unique name will be created.| -| `storageAccountSku` | string | Standard_GRS | System.Object[] | Optional. Storage Account Sku Name. | -| `tables` | array | System.Object[] | | Optional. Tables to create. | -| `tags` | object | | | Optional. Tags of the resource. | +| `deleteBlobsAfter` | int | `1096` | | Optional. Set up the amount of days after which the blobs will be deleted | +| `deleteRetentionPolicy` | bool | `True` | | Optional. Indicates whether DeleteRetentionPolicy is enabled for the Blob service. | +| `deleteRetentionPolicyDays` | int | `7` | | Optional. Indicates the number of days that the deleted blob should be retained. The minimum specified value can be 1 and the maximum value can be 365. | +| `enableArchiveAndDelete` | bool | | | Optional. If true, enables move to archive tier and auto-delete | +| `enableHierarchicalNamespace` | bool | | | Optional. If true, enables Hierarchical Namespace for the storage account | +| `fileShares` | array | `[]` | | Optional. File shares to create. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `managedServiceIdentity` | string | `None` | `[None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned]` | Optional. Type of managed service identity. | +| `minimumTlsVersion` | string | `TLS1_2` | `[TLS1_0, TLS1_1, TLS1_2]` | Optional. Set the minimum TLS version on request to storage. | +| `moveToArchiveAfter` | int | `30` | | Optional. 
Set up the amount of days after which the blobs will be moved to archive tier | +| `networkAcls` | object | `{object}` | | Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `queues` | array | `[]` | | Optional. Queues to create. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `storageAccountAccessTier` | string | `Hot` | `[Hot, Cool]` | Optional. Storage Account Access Tier. | +| `storageAccountKind` | string | `StorageV2` | `[Storage, StorageV2, BlobStorage, FileStorage, BlockBlobStorage]` | Optional. Type of Storage Account to create. | +| `storageAccountName` | string | | | Required. Name of the Storage Account. | +| `storageAccountSku` | string | `Standard_GRS` | `[Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS, Premium_ZRS, Standard_GZRS, Standard_RAGZRS]` | Optional. Storage Account Sku Name. | +| `tables` | array | `[]` | | Optional. Tables to create. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `userAssignedIdentities` | object | `{object}` | | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | | `vNetId` | string | | | Optional. Virtual Network Identifier used to create a service endpoint. | ### Parameter Usage: `roleAssignments` 
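Review bot: In the storageAccounts parameter table, `allowBlobPublicAccess` still documents a default of `True`, which leaves anonymous blob and container access enabled unless every caller overrides it; since this PR is already revising defaults in the same table (`storageAccountName` moves from Optional with a generated name to `Required`, and `baseTime` is renamed to `basetime` while the imageTemplates readme in the same PR keeps `baseTime`), consider defaulting it to `false` and listing the `storageAccountName` change as breaking in the PR description. Two smaller points in the same rows: the `basetime` description now says the value "is used to generate a SAS token to access the modules", yet the `sasTokenValidityLength` row has been dropped, so either that parameter still exists and is missing from the table or the new description is stale; and the `managedServiceIdentity` possible values render as `[None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned]`, where the comma inside `SystemAssigned,UserAssigned` is indistinguishable from the list separator (quote each value or change the separator in the generator). The generator also prints an empty default for the bool rows that previously showed `False` (`automaticSnapshotPolicyEnabled`, `enableArchiveAndDelete`, `enableHierarchicalNamespace`), which reads as "no default" rather than "defaults to false".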
@@ -255,38 +256,34 @@ To use Private Endpoint the following dependencies must be deployed: ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `blobContainers` | array | The array of the blob containers created. | -| `fileShares` | array | The array of the file shares created. | -| `queues` | array | The array of the queues created. | -| `storageAccountName` | string | The Name of the Storage Account. | -| `storageAccountPrimaryBlobEndpoint` | string | The public endpoint of the Storage Account. | -| `storageAccountRegion` | string | The Region of the Storage Account. | -| `storageAccountResourceGroup` | string | The name of the Resource Group the Storage Account was created in. | -| `storageAccountResourceId` | string | The Resource Id of the Storage Account. | -| `tables` | array | The array of the tables created. | -| `assignedIdentityID` | string | User id of the created system assigned identity. | +| Output Name | Type | +| :-- | :-- | +| `assignedIdentityID` | string | +| `blobContainers` | array | +| `fileShares` | array | +| `queues` | array | +| `storageAccountName` | string | +| `storageAccountPrimaryBlobEndpoint` | string | +| `storageAccountRegion` | string | +| `storageAccountResourceGroup` | string | +| `storageAccountResourceId` | string | +| `tables` | array | ## Considerations This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. 
-## Additional resources - -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [StorageAccountS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [StorageAccountS/blobServiceS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices) -- [StorageAccountS/blobServiceS/containerS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) -- [StorageAccountS/managementPolicieS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/managementPolicies) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [StorageAccountS/fileServiceS/ShareS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/fileServices/shares) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [StorageAccountS/queueServiceS/queueS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/queueServices/queues) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [StorageAccountS/tableServiceS/tableS](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/tableServices/tables) +## Template references + +- 
[Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) +- [Storageaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts) +- [Storageaccounts/Blobservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-08-01/storageAccounts/blobServices) +- [Storageaccounts/Blobservices/Containers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) +- [Storageaccounts/Blobservices/Containers/Immutabilitypolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers/immutabilityPolicies) +- [Storageaccounts/Fileservices/Shares](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/fileServices/shares) +- [Storageaccounts/Managementpolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/managementPolicies) +- [Storageaccounts/Queueservices/Queues](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/queueServices/queues) +- [Storageaccounts/Tableservices/Tables](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/tableServices/tables) diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep b/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep index 689dabf4b9..99d6cea55a 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.VirtualMachineImages/imageTemplates/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.VirtualMachineImages/imageTemplates/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md index 37527a6ca4..d474ba6e59 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md 
@@ -1,40 +1,38 @@ -# Image Templates +# Image Templates `[Microsoft.VirtualMachineImages/imageTemplates]` This module deploys an Image Template (for Azure Image Builder service) that can be consumed by the Azure Image Builder service ## Resource types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.VirtualMachineImages/imageTemplates`|2020-02-14| -|`Microsoft.Authorization/locks`|2016-09-01| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.VirtualMachineImages/imageTemplates/providers/roleAssignments` | 2020-04-01-preview | - +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.VirtualMachineImages/imageTemplates` | 2020-02-14 | +| `Microsoft.VirtualMachineImages/imageTemplates/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `imageTemplateName` | string | | | Required. Name of the Image Template to be built by the Azure Image Builder service. -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `userMsiName` | string | | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. -| `userMsiResourceGroup` | string | Optional. ResourceGroup of the MSI. By default the same of the current deployment -| `buildTimeoutInMinutes` | int | 0 | 0-960 | Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes -| `vmSize` | string | "Standard_D2s_v3" | | Optional. Specifies the size for the VM. -| `osDiskSizeGB` | int | 127 | | Optional. Specifies the size of OS disk. -| `subnetId` | string | "" | | Optional. Resource Id of an already existing subnet, e.g. `/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/`. If no value is provided, a new VNET will be created in the target Resource Group. 
-| `imageSource` | object | | Complex structure, see below. | Required. Image source definition in object format. -| `customizationSteps` | array | | | Required. Customization steps to be run when building the VM image. -| `unManagedImageName` | string | "" | | Optional. Name of the unmanaged image that will be created in the AIB resourcegroup. -| `sigImageDefinitionId` | string | "" | | Optional. Resource Id of Shared Image Gallery to distribute image to, e.g.: `/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/` -| `imageReplicationRegions` | string | "" | | Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. -| `managedImageName` | string | "" | | Optional. Name of the managed image that will be created in the AIB resourcegroup. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the resource. -| `baseTime` | string | `utcNow('yyyy-MM-dd-HH-mm-ss')` | | Generated. Do not provide a value! This date value is used to generate a unique image template name. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/locks/locks/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | | Generated. Do not provide a value! This date value is used to generate a unique image template name. | +| `buildTimeoutInMinutes` | int | | | Optional. Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `customizationSteps` | array | | | Required. Customization steps to be run when building the VM image. | +| `imageReplicationRegions` | array | `[]` | | Optional. List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. | +| `imageSource` | object | | | Required. Image source definition in object format. | +| `imageTemplateName` | string | | | Required. Name of the Image Template to be built by the Azure Image Builder service. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `managedImageName` | string | | | Optional. Name of the managed image that will be created in the AIB resourcegroup. | +| `osDiskSizeGB` | int | `128` | | Optional. Specifies the size of OS disk. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sigImageDefinitionId` | string | | | Optional. Resource Id of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/ | +| `subnetId` | string | | | Optional. Resource Id of an already existing subnet, e.g. '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'. If no value is provided, a new VNET will be created in the target Resource Group. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `unManagedImageName` | string | | | Optional. Name of the unmanaged image that will be created in the AIB resourcegroup. | +| `userMsiName` | string | | | Required. Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. | +| `userMsiResourceGroup` | string | `[resourceGroup().name]` | | Optional. Resource group of the user assigned identity. | +| `vmSize` | string | `Standard_D2s_v3` | | Optional. Specifies the size for the VM. | ### Parameter Usage: `imageSource` 
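Review bot: The imageTemplates parameter table changes the type of `imageReplicationRegions` from `string` to `array` and the default of `osDiskSizeGB` from `127` to `128`; if deploy.bicep changed accordingly, the first is a breaking change for callers that pass a string and belongs in the PR description, and if it did not, the regenerated table is now wrong. The `buildTimeoutInMinutes` row also loses both its default (`0`) and the `0-960` entry in the Possible Values column, so the only remaining hint is the free-text "Allowed values: 0-960" in the description; adding `@minValue(0)` and `@maxValue(960)` to the parameter would keep that constraint where tooling can enforce it. The new explicit default of `[resourceGroup().name]` for `userMsiResourceGroup`, where the old row had no default at all, is an improvement worth keeping.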
@@ -118,18 +116,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `imageTemplateName` | string | The Name of the Image Template. | -| `imageTemplateResourceGroup` | string | The Resource Group the Image Template was deployed to. | -| `imageTemplateResourceId` | string | The Resource Id of the Image Template. | -| `runThisCommand` | string | Cmdlet to invoke an action on specified Azure resource | - -## Considerations - -az network vnet subnet update --name aib --resource-group AVDCustomerEnvironment --vnet-name avd-vnet --disable-private-link-service-network-policies true +| Output Name | Type | +| :-- | :-- | +| `imageTemplateName` | string | +| `imageTemplateResourceGroup` | string | +| `imageTemplateResourceId` | string | +| `runThisCommand` | string | -## Additional resources +## Template references -- [Preview: Create an Azure Image Builder template](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-json) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Imagetemplates](https://docs.microsoft.com/en-us/azure/templates/Microsoft.VirtualMachineImages/2020-02-14/imageTemplates) diff --git a/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep index d3de407f69..a6990501c7 100644 --- a/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Web/connections/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Web/connections/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Web/connections/readme.md b/arm/Microsoft.Web/connections/readme.md index 8bd351d65a..b10a3b65da 100644 --- a/arm/Microsoft.Web/connections/readme.md +++ b/arm/Microsoft.Web/connections/readme.md 
@@ -1,36 +1,35 @@ -# API Connection +# API Connection `[Microsoft.Web/connections]` This module deploys an Azure API Connection. ## Resource types -| Resource Type | Api Version | -| ---------------------------------------------------- | ------------------ | -| `Microsoft.Resources/deployments` | 2020-06-01 | -| `Microsoft.Web/connections` | 2016-06-01 | -| `Microsoft.Web/connections/providers/roleAssignments` | 2020-04-01-preview | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Web/connections` | 2016-06-01 | +| `Microsoft.Web/connections/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| ---------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | --------------------------------------- | -| `alternativeParameterValues` | object | **Optional**. Alternative parameter values. | System.Object | | -| `connectionApi` | object | **Optional**. Specific values for some API connections. | System.Object | Complex structure, see below. | -| `connectionKind` | string | **Required**. Connection Kind. Example: 'V1' when using blobs. It can change depending on the resource. | | | -| `connectionName` | string | **Required**. Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | | | -| `cuaId` | string | **Optional**. Customer Usage Attribution id (GUID). This GUID must be previously registered. | | | -| `customParameterValues` | object | **Optional**. Customized parameter values for specific connections | System.Object | Complex structure, see below. 
| -| `displayName` | string | **Required**. Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | | | -| `location` | string | **Optional**. Location of the deployment. | resourceGroup().location | | -| `nonSecretParameterValues` | object | **Optional**. Dictionary of nonsecret parameter values. | System.Object | | -| `parameterValues` | secureobject | **Optional**. Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | System.Object | | -| `parameterValueType` | string | **Optional**. Value Type of parameter, in case alternativeParameterValues is used. | | "Alternative" | -| `roleAssignments` | array | **Optional**. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID. | System.Object[] | Array of complex structures, see below. | -| `statuses` | array | **Optional**. Status of the connection. | System.Object[] | Array of complex structures, see below. | -| `tags` | object | **Optional**. Tags of the resource. | System.Object | Complex structure, see below. | -| `testLinks` | array | **Optional**. Links to test the API connection. | System.Object[] | Array of complex structures, see below. | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `alternativeParameterValues` | object | `{object}` | | Optional. Alternative parameter values. | +| `connectionApi` | object | `{object}` | | Optional. Specific values for some API connections. | +| `connectionKind` | string | | | Required. Connection Kind. 
Example: 'V1' when using blobs. It can change depending on the resource. | +| `connectionName` | string | | | Required. Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. | +| `customParameterValues` | object | `{object}` | | Optional. Customized parameter values for specific connections. | +| `displayName` | string | | | Required. Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location of the deployment. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `nonSecretParameterValues` | object | `{object}` | | Optional. Dictionary of nonsecret parameter values. | +| `parameterValues` | secureObject | `{object}` | | Optional. Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | +| `parameterValueType` | string | | | Optional. Value Type of parameter, in case alternativeParameterValues is used. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `statuses` | array | `[]` | | Optional. Status of the connection. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `testLinks` | array | `[]` | | Optional. Links to test the API connection. | ### Parameter Usage: `connectionApi` 
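Review bot: In the connections parameter table, `parameterValueType` has lost its only documented possible value (`"Alternative"` in the old table) and the regenerated column is empty; if the generator reads `@allowed` decorators, add `@allowed([ 'Alternative' ])` (or whatever the actual set is) to the parameter so the constraint is enforced rather than only described. Note as well that only `parameterValues` is typed `secureObject`, while `alternativeParameterValues` and `customParameterValues` are plain `object` and will be written to deployment history in clear text if a caller routes connection credentials through them (the `parameterValueType` description says it applies "in case alternativeParameterValues is used"); either state in their descriptions that they must not carry secrets or type them `secureObject` too.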
@@ -102,17 +101,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| ------------------------- | ------ | ----------------------------------------------------------------- | -| `connectionResourceId` | string | The Resource Id of the API Connection. | -| `connectionResourceGroup` | string | The name of the Resource Group the API Connection was created in. | -| `connectionName` | string | The Name of the API Connection. | +| Output Name | Type | +| :-- | :-- | +| `connectionName` | string | +| `connectionResourceGroup` | string | +| `connectionResourceId` | string | -## Considerations +## Template references -- _None_ - -## Additional resources - -- [Microsoft.Logic workflows template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/connections?tabs=json) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Connections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2016-06-01/connections) diff --git a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep index 9ea7e1ad81..6d5a664554 100644 --- a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Web/hostingEnvironments/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Web/hostingEnvironments/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep index e8ef64a247..2db0767341 100644 --- a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep +++ b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep @@ -104,17 +104,23 @@ param tags object = {} @description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') param cuaId string = '' -var diagnosticsMetrics = [] -var diagnosticsLogs = [ - { - category: 'AppServiceEnvironmentPlatformLogs' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'AppServiceEnvironmentPlatformLogs' +]) +param logsToEnable array = [ + 'AppServiceEnvironmentPlatformLogs' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var vnetResourceId = split(subnetResourceId, '/') var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
@@ -183,7 +189,6 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic workspaceId: (empty(workspaceId) ? json('null') : workspaceId) eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) eventHubName: (empty(eventHubName) ? json('null') : eventHubName) - metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs) } scope: appServiceEnvironment diff --git a/arm/Microsoft.Web/hostingEnvironments/readme.md b/arm/Microsoft.Web/hostingEnvironments/readme.md index 8d67e2b2d4..6a2653a976 100644 --- a/arm/Microsoft.Web/hostingEnvironments/readme.md +++ b/arm/Microsoft.Web/hostingEnvironments/readme.md @@ -1,4 +1,4 @@ -# App Service Environment +# App Service Environment `[Microsoft.Web/hostingEnvironments]` This module deploys App Service Environment, with resource lock. 
@@ -6,43 +6,43 @@ This module deploys App Service Environment, with resource lock. | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Web/hostingEnvironments` | 2021-02-01 | -| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Web/hostingEnvironments/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2020-06-01 | | `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Web/hostingEnvironments` | 2021-02-01 | +| `Microsoft.Web/hostingEnvironments/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `appServiceEnvironmentName` | string | | | Required. Name of the Azure App Service Environment -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. -| `kind` | string | `ASEV2` | | Optional. Kind of resource. -| `subnetResourceId` | string | | | Required. ResourceId for the sub net. -| `internalLoadBalancingMode` | string | `None` | ` "None", "Web", "Publishing" ` | Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing -| `multiSize` | string | `Standard_D1_V2` | ` "Medium","Large","ExtraLarge","Standard_D2","Standard_D3", "Standard_D4","Standard_D1_V2","Standard_D2_V2", "Standard_D3_V2","Standard_D4_V2"` | Optional: Front-end VM size, e.g. Medium, Large -| `multiRoleCount` | int | `2` | | Optional. Number of front-end instances -| `ipsslAddressCount` | int | `2` | | Optional. Number of IP SSL addresses reserved for the App Service Environment. -| `workerPools` | array | `[]` | Complex structure, see below. | Optional. Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool. -| `dnsSuffix` | string | `""` | | Optional. 
DNS suffix of the App Service Environment. -| `networkAccessControlList` | array | `[]` | | Optional. Access control list for controlling traffic to the App Service Environment. -| `frontEndScaleFactor` | int | `15` | | Optional. Scale factor for front-ends. -| `apiManagementAccountId` | string | `""` | | Optional. API Management Account associated with the App Service Environment. -| `suspended` | bool | `false` | | Optional. true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic). -| `dynamicCacheEnabled` | bool | `false` | | Optional. True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic). -| `userWhitelistedIpRanges` | array | `[]` | | Optional. User added ip ranges to whitelist on ASE db - string. -| `hasLinuxWorkers` | bool | `false` | | Optional. Flag that displays whether an ASE has linux workers or not -| `clusterSettings` | array | `[]` | | Optional. Custom settings for changing the behavior of the App Service Environment. -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. -| `diagnosticStorageAccountId` | string | "" | | Optional. Resource identifier of the Diagnostic Storage Account. -| `workspaceId` | string | "" | | Optional. Resource identifier of Log Analytics. -| `eventHubAuthorizationRuleId` | string | "" | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -| `eventHubName` | string | "" | | Optional. Name of the event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. -| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock. | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/locks/locks/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `tags` | object | {} | Complex structure, see below. | Optional. Tags of the Azure Key Vault resource. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered. +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `apiManagementAccountId` | string | | | Optional. API Management Account associated with the App Service Environment. | +| `appServiceEnvironmentName` | string | | | Required. Name of the App Service Environment | +| `clusterSettings` | array | `[]` | | Optional. Custom settings for changing the behavior of the App Service Environment | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `dnsSuffix` | string | | | Optional. DNS suffix of the App Service Environment. | +| `dynamicCacheEnabled` | bool | | | Optional. True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. 
when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic). | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `frontEndScaleFactor` | int | `15` | | Optional. Scale factor for front-ends. | +| `hasLinuxWorkers` | bool | | | Optional. Flag that displays whether an ASE has linux workers or not | +| `internalLoadBalancingMode` | string | `None` | `[None, Web, Publishing]` | Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing | +| `ipsslAddressCount` | int | `2` | | Optional. Number of IP SSL addresses reserved for the App Service Environment. | +| `kind` | string | `ASEV2` | | Optional. Kind of resource. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AppServiceEnvironmentPlatformLogs]` | `[AppServiceEnvironmentPlatformLogs]` | Optional. The name of logs that will be streamed. | +| `multiRoleCount` | int | `2` | | Optional. Number of front-end instances. | +| `multiSize` | string | `Standard_D1_V2` | `[Medium, Large, ExtraLarge, Standard_D2, Standard_D3, Standard_D4, Standard_D1_V2, Standard_D2_V2, Standard_D3_V2, Standard_D4_V2]` | Optional. Front-end VM size, e.g. Medium, Large | +| `networkAccessControlList` | array | `[]` | | Optional. Access control list for controlling traffic to the App Service Environment.. | +| `roleAssignments` | array | `[]` | | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subnetResourceId` | string | | | Required. ResourceId for the sub net | +| `suspended` | bool | | | Optional. true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic). | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `userWhitelistedIpRanges` | array | `[]` | | Optional. User added ip ranges to whitelist on ASE db - string | +| `workerPools` | array | `[]` | | Optional. Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool.. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
@@ -140,20 +140,14 @@ workerPools can have two properties workerSize and workerCount: ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `appServiceEnvironmentName` | string | The Name of the AppServiceEnvironment | -| `appServiceEnvironmentResourceGroup` | string | The name of the Resource Group the AppServiceEnvironment was created in. | -| `appServiceEnvironmentResourceId` | string | The Resource Id of the AppServiceEnvironment. | - -## Considerations - -**N/A* - -## Additional resources +| Output Name | Type | +| :-- | :-- | +| `appServiceEnvironmentName` | string | +| `appServiceEnvironmentResourceGroup` | string | +| `appServiceEnvironmentResourceId` | string | -- [Introduction to App Service Environment?](https://docs.microsoft.com/en-us/azure/app-service/environment/intro) -- [Microsoft.Web hostingEnvironments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2020-06-01/hostingenvironments) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +## Template references +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Hostingenvironments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/hostingEnvironments) diff --git a/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep index 93ffb1b4a3..2ec3cbdf38 100644 --- a/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Web/serverfarms/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Web/serverfarms/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Web/serverfarms/readme.md b/arm/Microsoft.Web/serverfarms/readme.md index b5da59bb59..6410e5a9fb 100644 --- a/arm/Microsoft.Web/serverfarms/readme.md +++ b/arm/Microsoft.Web/serverfarms/readme.md 
@@ -1,42 +1,33 @@ -# AppServicePlan +# AppServicePlan `[Microsoft.Web/serverfarms]` This module deploys an App Service Plan. -[![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() - -[![Deploy To Azure US Gov](/docs/media/deploytoazuregov.svg?sanitize=true)]() - -[![Visualize](/docs/media/visualizebutton.svg?sanitize=true)]() - - ## Resource Types -|Resource Type|Api Version| -|:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Web/serverfarms`|2021-02-01| -|`Microsoft.Authorization/locks`|2016-09-01|  -|`Microsoft.Web/serverfarms/providers/roleAssignments`|2020-04-01-preview| - +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Web/serverfarms` | 2021-02-01 | +| `Microsoft.Web/serverfarms/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `appServiceEnvironmentId` | string | Optional. The Resource Id of the App Service Environment to use for the App Service Plan. | | | -| `appServicePlanName` | string | Required. The Name of the App Service Plan to deploy. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `maximumElasticWorkerCount` | int | Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | 1 | | -| `perSiteScaling` | bool | Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. 
| False | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `serverOS` | string | Optional. Kind of server OS. | Windows | System.Object[] | -| `sku` | object | Required. Defines the name, tier, size, family and capacity of the App Service Plan. | | | -| `tags` | object | Optional. Tags of the resource. | | | -| `targetWorkerCount` | int | Optional. Scaling worker count. | 0 | | -| `targetWorkerSize` | int | Optional. The instance size of the hosting plan (small, medium, or large). | 0 | System.Object[] | -| `workerTierName` | string | Optional. Target worker tier assigned to the App Service plan. | | | +| `appServiceEnvironmentId` | string | | | Optional. The Resource Id of the App Service Environment to use for the App Service Plan. | +| `appServicePlanName` | string | | | Required. The Name of the App Service Plan to deploy. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `maximumElasticWorkerCount` | int | `1` | | Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | +| `perSiteScaling` | bool | | | Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | +| `roleAssignments` | array | `[]` | | Optional. 
Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `serverOS` | string | `Windows` | `[Windows, Linux]` | Optional. Kind of server OS. | +| `sku` | object | | | Required. Defines the name, tier, size, family and capacity of the App Service Plan. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `targetWorkerCount` | int | | | Optional. Scaling worker count. | +| `targetWorkerSize` | int | | `[0, 1, 2]` | Optional. The instance size of the hosting plan (small, medium, or large). | +| `workerTierName` | string | | | Optional. Target worker tier assigned to the App Service plan. | ### Parameter Usage: `sku` 
@@ -100,18 +91,13 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `appServicePlanName` | string | The Name of the App Service Plan that was deployed. | -| `appServicePlanResourceGroup` | string | The Resource Group the App Service Plan was deployed to. | -| `appServicePlanResourceId` | string | The Resource Id of the App Service Plan that was deployed. | - -## Considerations - -*N/A* +| Output Name | Type | +| :-- | :-- | +| `appServicePlanName` | string | +| `appServicePlanResourceGroup` | string | +| `appServicePlanResourceId` | string | -## Additional resources +## Template references -- [Azure App Service plan overview](https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans) -- [Microsoft.Web serverfarms template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/serverfarms) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Serverfarms](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/serverfarms) diff --git a/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep index 322642b0ca..29ca1a09f0 100644 --- a/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep +++ b/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep 
@@ -14,7 +14,7 @@ var privateEndpoint_var = { customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? json('null') : privateEndpointObj.customDnsConfigs) : json('null')) } -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { name: privateEndpoint_var.name location: privateEndpointVnetLocation tags: tags @@ -36,7 +36,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = { } } -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { name: '${privateEndpoint_var.name}/default' properties: { privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { diff --git a/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep index 0c9d9aacfe..222a3c353e 100644 --- a/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep 
@@ -2,7 +2,7 @@ param roleAssignmentObj object param builtInRoleNames object param resourceName string -resource roleAssigment 'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { +resource roleAssigment 'Microsoft.Web/sites/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) diff --git a/arm/Microsoft.Web/sites/deploy.bicep b/arm/Microsoft.Web/sites/deploy.bicep index 70d4a7d333..b82a135b58 100644 --- a/arm/Microsoft.Web/sites/deploy.bicep +++ b/arm/Microsoft.Web/sites/deploy.bicep 
@@ -138,58 +138,49 @@ param clientAffinityEnabled bool = true @description('Required. Configuration of the app.') param siteConfig object = {} -var diagnosticsMetrics = [ - { - category: 'AllMetrics' - enabled: true - retentionPolicy: { - days: diagnosticLogsRetentionInDays - enabled: true - } - } +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'AppServiceHTTPLogs' + 'AppServiceConsoleLogs' + 'AppServiceAppLogs' + 'AppServiceFileAuditLogs' + 'AppServiceAuditLogs' +]) +param logsToEnable array = [ + 'AppServiceHTTPLogs' + 'AppServiceConsoleLogs' + 'AppServiceAppLogs' + 'AppServiceFileAuditLogs' + 'AppServiceAuditLogs' ] -var diagnosticsLogs = [ - { - category: 'AppServiceHTTPLogs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AppServiceConsoleLogs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AppServiceAppLogs' - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } - } - { - category: 'AppServiceFileAuditLogs' + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } - { - category: 'AppServiceAuditLogs' +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } + days: diagnosticLogsRetentionInDays } -] +}] + var builtInRoleNames = { 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/arm/Microsoft.Web/sites/readme.md b/arm/Microsoft.Web/sites/readme.md index c21a8ae9cd..adfb9808f7 100644 --- a/arm/Microsoft.Web/sites/readme.md +++ b/arm/Microsoft.Web/sites/readme.md @@ -1,4 +1,4 @@ -# Web/Function App +# Web/Function App `[Microsoft.Web/sites]` This module deploys a Web or Function App 
@@ -6,59 +6,54 @@ This module deploys a Web or Function App | Resource Type | Api Version | | :-- | :-- | -| `Microsoft.Web/sites/config` | 2019-08-01 | -| `microsoft.Insights/components` | 2018-05-01-preview | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2020-05-01 | -| `Microsoft.Network/privateEndpoints` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2021-01-01 | -| `Microsoft.Web/serverfarms` | 2021-02-01 | -| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | -| `Microsoft.Web/sites/providers/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Web/sites` | 2021-02-01 | | `Microsoft.Authorization/locks` | 2016-09-01 | - -### Resource dependency - -The following resources are required to be able to deploy this resource. - -- *None* +| `Microsoft.Insights/components` | 2020-02-02 | +| `Microsoft.Insights/diagnosticSettings` | 2017-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | +| `Microsoft.Web/serverfarms` | 2021-02-01 | +| `Microsoft.Web/sites` | 2020-12-01 | +| `Microsoft.Web/sites/config` | 2019-08-01 | +| `Microsoft.Web/sites/providers/roleAssignments` | 2021-04-01-preview | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | +| Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `appName` | string | Required. Name of the Web Application Portal Name | | | -| `appServiceEnvironmentId` | string | Optional. The Resource Id of the App Service Environment to use for the Function App. | | | -| `appServicePlanFamily` | string | Optional. SkuFamily of app service plan deployed if no appServicePlanId was provided. | | | -| `appServicePlanId` | string | Optional. The Resource Id of the App Service Plan to use for the App. If not provided, the hosting plan name is used to create a new plan. | | | -| `appServicePlanName` | string | Optional. 
Required if no appServicePlanId is provided to deploy a new app service plan. | | | -| `appServicePlanSize` | string | Optional. SkuSize of app service plan deployed if no appServicePlanId was provided. | | | -| `appServicePlanSkuName` | string | Optional. The pricing tier for the hosting plan. | F1 | System.Object[] | -| `appServicePlanTier` | string | Optional. SkuTier of app service plan deployed if no appServicePlanId was provided. | | | -| `appServicePlanType` | string | Optional. SkuType of app service plan deployed if no appServicePlanId was provided. | linux | System.Object[] | -| `appServicePlanWorkerSize` | int | Optional. Defines the number of workers from the worker pool that will be used by the app service plan | 2 | | -| `appType` | string | Required. Type of site to deploy | | System.Object[] | -| `clientAffinityEnabled` | bool | Optional. If Client Affinity is enabled. | True | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `diagnosticLogsRetentionInDays` | int | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | 365 | | -| `diagnosticStorageAccountId` | string | Optional. Resource identifier of the Diagnostic Storage Account. | | | -| `enableMonitoring` | bool | Optional. If true, ApplicationInsights will be configured for the Function App. | True | | -| `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | | -| `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | | -| `functionsExtensionVersion` | string | Optional. Version if the function extension. | ~3 | | -| `functionsWorkerRuntime` | string | Optional. Runtime of the function worker. 
| | System.Object[] | -| `httpsOnly` | bool | Optional. Configures a web site to accept only https requests. Issues redirect for http requests. | True | | -| `location` | string | Optional. Location for all Resources. | [resourceGroup().location] | | -| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | -| `managedServiceIdentity` | string | Optional. Type of managed service identity. | None | System.Object[] | -| `privateEndpoints` | array | Optional. Configuration Details for private endpoints. | System.Object[] | | -| `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | -| `siteConfig` | object | Required. Configuration of the app. | | | -| `storageAccountName` | string | Optional. The name of the storage account to managing triggers and logging function executions. | | | -| `storageAccountResourceGroupName` | string | Optional. Resource group of the storage account to use. Required if the storage account is in a different resource group than the function app itself. | [resourceGroup().name] | | -| `tags` | object | Optional. Tags of the resource. | | | -| `userAssignedIdentities` | object | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | | | -| `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | +| `appName` | string | | | Required. Name of the Web Application Portal Name | +| `appServiceEnvironmentId` | string | | | Optional. The Resource Id of the App Service Environment to use for the Function App. 
| +| `appServicePlanFamily` | string | | | Optional. SkuFamily of app service plan deployed if no appServicePlanId was provided. | +| `appServicePlanId` | string | | | Optional. The Resource Id of the App Service Plan to use for the App. If not provided, the hosting plan name is used to create a new plan. | +| `appServicePlanName` | string | | | Optional. Required if no appServicePlanId is provided to deploy a new app service plan. | +| `appServicePlanSize` | string | | | Optional. SkuSize of app service plan deployed if no appServicePlanId was provided. | +| `appServicePlanSkuName` | string | `F1` | `[F1, D1, B1, B2, B3, S1, S2, S3, P1, P1v2, P2, P3, P4]` | Optional. The pricing tier for the hosting plan. | +| `appServicePlanTier` | string | | | Optional. SkuTier of app service plan deployed if no appServicePlanId was provided. | +| `appServicePlanType` | string | `linux` | `[linux, windows]` | Optional. SkuType of app service plan deployed if no appServicePlanId was provided. | +| `appServicePlanWorkerSize` | int | `2` | | Optional. Defines the number of workers from the worker pool that will be used by the app service plan | +| `appType` | string | | `[functionapp, app]` | Required. Type of site to deploy | +| `clientAffinityEnabled` | bool | `True` | | Optional. If Client Affinity is enabled. | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource identifier of the Diagnostic Storage Account. | +| `enableMonitoring` | bool | `True` | | Optional. If true, ApplicationInsights will be configured for the Function App. | +| `eventHubAuthorizationRuleId` | string | | | Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `functionsExtensionVersion` | string | `~3` | | Optional. Version if the function extension. | +| `functionsWorkerRuntime` | string | | `[dotnet, node, python, java, powershell, ]` | Optional. Runtime of the function worker. | +| `httpsOnly` | bool | `True` | | Optional. Configures a web site to accept only https requests. Issues redirect for http requests. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AppServiceHTTPLogs, AppServiceConsoleLogs, AppServiceAppLogs, AppServiceFileAuditLogs, AppServiceAuditLogs]` | `[AppServiceHTTPLogs, AppServiceConsoleLogs, AppServiceAppLogs, AppServiceFileAuditLogs, AppServiceAuditLogs]` | Optional. The name of logs that will be streamed. | +| `managedServiceIdentity` | string | `None` | `[None, SystemAssigned, SystemAssigned, UserAssigned, UserAssigned]` | Optional. Type of managed service identity. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `siteConfig` | object | `{object}` | | Required. Configuration of the app. | +| `storageAccountName` | string | | | Optional. The name of the storage account to managing triggers and logging function executions. | +| `storageAccountResourceGroupName` | string | `[resourceGroup().name]` | | Optional. Resource group of the storage account to use. Required if the storage account is in a different resource group than the function app itself. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `userAssignedIdentities` | object | `{object}` | | Optional. Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource. | +| `workspaceId` | string | | | Optional. Resource identifier of Log Analytics. | ### Parameter Usage: `roleAssignments` 
@@ -108,23 +103,19 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `siteName` | string | The Name of the Application Web Services | -| `siteResourceGroup` | string | The name of the Resource Group with the Application Web Services | -| `siteResourceId` | string | The Resource Id of the Application Web Services | - -## Considerations - -- *None* - -## Additional resources - -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) -- [Serverfarms](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2019-08-01/serverfarms) -- [Sites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2019-08-01/sites) -- [Components](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2018-05-01-preview/components) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-01-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments) +| Output Name | Type | +| :-- | :-- | +| `siteName` | string | +| `siteResourceGroup` | string | +| `siteResourceId` | string | + +## Template references + +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) +- [Components](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-02-02/components) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2017-05-01-preview/diagnosticSettings) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- 
[Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) +- [Serverfarms](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/serverfarms) +- [Sites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2020-12-01/sites) +- [Sites/Config](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2019-08-01/sites/config) diff --git a/arm/README.md b/arm/README.md index 0d0e82f5ba..8d28da99ee 100644 --- a/arm/README.md +++ b/arm/README.md @@ -1,9 +1,8 @@ In this section you can find useful information regarding the Modules that are contained in this repository. -# Available Modules +# Available Resource Modules The following table provides you with an outline of all Modules that are currently available for use. Several sub-resources may be their own Modules and are hence displayed as a child path (e.g. `service/caches`). - | Name | Provider namespace | Resource Type | Bicep | | - | - | - | - | | [Analysis Services](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.AnalysisServices/servers) | `MS.AnalysisServices` | [servers](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.AnalysisServices/servers) | :heavy_check_mark: | 
@@ -103,4 +102,3 @@ The following table provides you with an outline of all Modules that are current | [App Service Environment](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/hostingEnvironments) | | [hostingEnvironments](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/hostingEnvironments) | :heavy_check_mark: | | [AppServicePlan](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/serverfarms) | | [serverfarms](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/serverfarms) | :heavy_check_mark: | | [Web/Function App](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/sites) | | [sites](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Web/sites) | :heavy_check_mark: | - \ No newline at end of file diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md index 04dd9949d1..f2fe769fb4 100644 --- a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md +++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md 
@@ -4,21 +4,20 @@ This module deploys Role Assignments. ## Resource types -| Resource Type | ApiVersion | -| :---------------------------------------- | :----------------- | +| Resource Type | Api Version | +| :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Resources/deployments` | 2018-02-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible values | Description | -| :------------------ | :----- | :---------------------- | :---------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the resource group. | -| `subscriptionId` | string | "" | | Optional. ID of the Subscription to assign the RBAC role to. 
If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | -| `managementGroupId` | string | "" | | Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | -| `location` | string | [deployment().location] | | Optional. Location for all resources. | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | `[deployment().location]` | | Optional. Location for all resources. | +| `managementGroupId` | string | | | Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | +| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | | | Optional. ID of the Subscription to assign the RBAC role to. 
If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | ### Parameter Usage: `roleAssignments` @@ -87,10 +86,10 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Outputs -| Output Name | Type | Description | -| :---------------- | :----- | :---------------------------------------------------------------------------------------------------------------------- | -| `assignmentScope` | string | The scope (management group, subscription or resource group) of the assignments defined in this module were created on. | -| `roleAssignments` | array | Array of role assignment objects. | +| Output Name | Type | +| :-- | :-- | +| `roleAssignments` | array | +| `roleAssignmentScope` | string | ## Considerations @@ -100,8 +99,7 @@ This module can be deployed both at management group, subscription or resource g - To deploy the module at the subscription level, only provide the `subscriptionId` parameter. - To deploy the module at the management group level, only provide the `managementGroupId` parameter. -## Additional resources -- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) -- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments) -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) +## Template references + +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) diff --git a/constructs/Microsoft.Management/managementGroup-structure/readme.md b/constructs/Microsoft.Management/managementGroup-structure/readme.md index 1baf9391db..59ba14be05 100644 
--- a/constructs/Microsoft.Management/managementGroup-structure/readme.md +++ b/constructs/Microsoft.Management/managementGroup-structure/readme.md @@ -64,7 +64,7 @@ Describes the Management groups to be created. Each management group is represen | :- | :- | :- | :- | :- | | `name` | string | | | Mandatory. The ID of the Management group | | `parentId` | string | | A MG name | Mandatory. The template will concatenate `/providers/Microsoft.Management/managementGroups/` to create the resource ID of the parent management group the deployed one is child of | -| `displayName` | string | `name` | | Optional. The display name of the management group. If not specified, the id (name) will be used | +| `displayName` | string | `name` | | Optional. The display name of the management group. If not specified, the id (name) will be used | | `parentNotManagedInThisTemplate` | bool | `false` | | Optional. `true` if the parent management group is existing and defined elsewhere, `false` if the parent MG is also managed in this template. This parameter is used to define the deployment sequence | | `roleAssignments` | array | | | Optional. Array of role assignment objects | @@ -125,4 +125,4 @@ This template is using a **Tenant level deployment**, meaning the user/principal ## Additional resources - [Management group](https://docs.microsoft.com/en-us/azure/governance/management-groups/) -- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups) \ No newline at end of file +- [Template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups) diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md index bc7c1e7c50..a964992e70 100644 --- a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md 
+++ b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md @@ -4,24 +4,17 @@ This template deploys Virtual Network Peering. ## Resource types -| Resource Type | Api Version | -| :--------------------------------------------------------- | :---------- | -| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | -| `Microsoft.Resources/deployments` | 2019-10-01 | - -### Resource dependency - -The following resources are required to be able to deploy this resource. - -- *None* +| Resource Type | Api Version | +| :-- | :-- | +| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :---------------------- | :----- | :------------------------------------------------------------------------------------------------------------------- | :-------------- | :-------------- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | -| `peeringConfigurations` | array | Optional. The list of remote networks to peering peer with, including the configuration. See below for instructions. | System.Object[] | | +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `localVnetName` | string | | | Required. The Name of the Virtual Network to add the peering to. | +| `peeringConfigurations` | array | `[]` | | Optional. Optional. The list of remote networks to peering peer with, including the configuration. | ### Parameter Usage: `peeringConfigurations` 
@@ -44,19 +37,12 @@ Array containing multiple objects for different VNETs to peer with. ## Outputs -| Output Name | Type | Description | -| :-------------------------------------- | :----- | :---------- | -| `localVirtualNetworkPeeringResourceIds` | array | | -| `virtualNetworkPeeringNames` | array | | -| `virtualNetworkPeeringResourceGroup` | string | | - -## Considerations - -- *None* +| Output Name | Type | +| :-- | :-- | +| `localVirtualNetworkPeeringResourceIds` | array | +| `virtualNetworkPeeringNames` | array | +| `virtualNetworkPeeringResourceGroup` | string | -## Additional resources +## Template references -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) -- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) -- [VirtualNetworks/VirtualNetworkPeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/virtualNetworks/virtualNetworkPeerings) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Virtualnetworks/Virtualnetworkpeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/virtualNetworks/virtualNetworkPeerings)
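Review bot: In the `Microsoft.Web/sites` readme parameter table (first hunk of this patch), the `userAssignedIdentities` description is self-contradictory and carries a typo: it opens with "Optional." and then reads "Mandatory 'managedServiceIdentity' contains UserAssigned. The identy to assign to the resource." Suggest "Optional. User-assigned identities to assign to the app. Mandatory when `managedServiceIdentity` contains `UserAssigned`." and "identy" to "identity". In the same table, `storageAccountName` reads "The name of the storage account to managing triggers and logging function executions"; "used to manage triggers and log function executions" is what is meant.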
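Review bot: The `Microsoft.Web/sites` Outputs hunk (`@@ -108,23 +103,19 @@`) drops the Description column, so `siteName`, `siteResourceGroup` and `siteResourceId` lose the text that told consumers what they return; if the readme generator cannot populate it, please keep the column and carry the old descriptions over. In the new Template references list the parent/child API versions differ (Privateendpoints 2021-05-01 vs Privateendpoints/Privatednszonegroups 2021-02-01; Sites 2020-12-01 vs Sites/Config 2019-08-01); that is fine if deploy.bicep really pins those versions, but since the commit message says API versions were updated, please confirm the list reflects the template rather than a stale generator run.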
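Review bot: Renaming the heading in `arm/README.md` from "# Available Modules" to "# Available Resource Modules" changes its generated anchor, so any link to `#available-modules` (for example from the wiki the new `platform.wiki-sync.yml` workflow publishes) will break; please grep for the old anchor and update it in the same PR. The removal of the blank line after the intro paragraph and of the trailing "\ No newline at end of file" is fine.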
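Review bot: In the `roleAssignments-multiRolesMultiPrincipals` parameter hunk (`@@ -4,21 +4,20 @@`), the regenerated `roleAssignments` description still says "or it's fully qualified ID"; this should be "its". Good to see the `resourceGroupName` description corrected from "assigns the provided RBAC role to the resource group" to "to the subscription", which now matches the `subscriptionId` row, and the `Microsoft.Resources/deployments` row dropped from the resource types table is consistent with the commit message about tests working directly with bicep.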
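Review bot: The `roleAssignments-multiRolesMultiPrincipals` Outputs hunk (`@@ -87,10 +86,10 @@`) renames the output `assignmentScope` to `roleAssignmentScope`; that is a breaking change for any caller reading `outputs.assignmentScope`, so please call it out in the PR description or changelog, or keep the old name alongside the new one for a deprecation period. The hunk also drops the description that explained the output is the scope (management group, subscription or resource group) the assignments were created on; with no Description column left, that information is gone from the readme. The Template references link now matches the `2020-04-01-preview` API version in the resource types table, which fixes the earlier mismatch with the `2018-09-01-preview` link.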
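Review bot: The `managementGroup-structure` readme hunks only change whitespace (the `displayName` row shows no visible text difference, and the last hunk adds the missing final newline), yet this readme keeps "## Additional resources" while every other readme in the patch is converted to "## Template references"; if this construct is intentionally left outside the generator, a short note in the PR would help, otherwise it should get the same treatment. The invisible `displayName` change is worth a look to make sure the generator is not rewriting trailing whitespace on every run.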
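Review bot: In the `virtualNetworkPeerings-multiRemoteVnets` parameter hunk (`@@ -4,24 +4,17 @@`), the `peeringConfigurations` description now reads "Optional. Optional. The list of remote networks to peering peer with, including the configuration."; drop the duplicated "Optional." and change "to peering peer with" to "to peer with". The old text ended with "See below for instructions.", which pointed readers at the Parameter Usage section that still follows; please restore that pointer. The Template references link updated to 2021-02-01 now agrees with the resource types table, which previously listed 2021-02-01 while linking to 2020-05-01.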
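Review bot: The `virtualNetworkPeerings-multiRemoteVnets` Outputs hunk (`@@ -44,19 +37,12 @@`) removes the Description column rather than filling it; `localVirtualNetworkPeeringResourceIds`, `virtualNetworkPeeringNames` and `virtualNetworkPeeringResourceGroup` were undocumented before and remain so. Since the readme generator is being introduced in this PR, consider having it fail or warn on outputs with empty descriptions so these get filled in instead of silently dropped.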