Azure · AlexanderSehr · Sep 27, 2021 · Sep 22, 2021 · Sep 22, 2021 · Sep 22, 2021
@@ -80,7 +80,7 @@ jobs:
       - name: "Test module"
         uses: ./.github/actions/templates/validateModuleDeploy
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -114,7 +114,7 @@ jobs:
         uses: ./.github/actions/templates/deployModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -144,7 +144,7 @@ jobs:
       - name: "Publish module"
         uses: ./.github/actions/templates/publishModule
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
           componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
           componentTemplateSpecName: '${{ env.moduleName }}'
@@ -176,5 +176,5 @@ jobs:
         uses: ./.github/actions/templates/removeModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -0,0 +1,12 @@
+param roleAssignment object
+param builtInRoleNames object
+param serverName string
+
+resource nested_rbac  'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
+  name: '${serverName}/Microsoft.Authorization/${guid(serverName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+  properties: {
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    principalId: principalId
+  }
+  dependsOn: []
+}]
@@ -0,0 +1,110 @@
+@description('Required. Administrator username for the server.')
+param administratorLogin string
+
+@description('Required. The administrator login password.')
+@secure()
+param administratorLoginPassword string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the server.')
+param serverName string
+
+@description('Optional. Whether or not ADS should be enabled.')
+param enableADS bool = false
+
+@description('Required. Whether or not Azure IP\'s are allowed.')
+param allowAzureIps bool = false
+
+@description('Optional. Switch to lock Key Vault from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var builtInRoleNames = {
+  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')     
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')        
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f7b75c60-3036-4b75-91c3-6b41c27c1689')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+  'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')
+  'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','056cd41c-7e88-42e1-933e-88ba6a50c9c3')
+  'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+  name: 'pid-${cuaId}'
+  params: {}
+}
+
+resource server 'Microsoft.Sql/servers@2020-02-02-preview' = {
+  location: location
+  name: serverName
+  tags: tags
+  properties: {
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    version: '12.0'
+  }
+}
+
+resource server_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+  name: '${serverName}-serverDoNotDelete'
+  properties: {
+    level: 'CanNotDelete'
+  }
+  scope: server
+}
+
+resource server_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallrules@2021-02-01-preview' = if (allowAzureIps) {
+  parent: server
+  name: 'AllowAllWindowsAzureIps'
+  properties: {
+    endIpAddress: '0.0.0.0'
+    startIpAddress: '0.0.0.0'
+  }
+}
+
+resource server_Default 'Microsoft.Sql/servers/securityAlertPolicies@2021-02-01-preview' = if (enableADS) {
+  parent: server
+  name: 'Default'
+  properties: {
+    state: 'Enabled'
+    disabledAlerts: []
+    emailAddresses: []
+    emailAccountAdmins: true
+  }
+}
+
+module server_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
+  name: 'rbac-${deployment().name}${i}'
+  params: {
+    roleAssignment: item
+    builtInRoleNames: builtInRoleNames
+    serverName: serverName
+  }
+  dependsOn: [
+    server
+  ]
+}]
+
+output serverName string = serverName
+output serverResourceId string = server.id
+output serverResourceGroup string = resourceGroup().name