diff --git a/azuredeploy.json b/azuredeploy.json index 14db4d74..13fa7f6b 100644 --- a/azuredeploy.json +++ b/azuredeploy.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "3570939801082945388" + "templateHash": "3854446754092335363" } }, "parameters": { @@ -119,11 +119,10 @@ "defaultValue": { "ingress": "", "serviceCidr": "", - "dockerBridgeCidr": "", "dnsServiceIP": "" }, "metadata": { - "description": "Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dockerBridgeCidr}, {dnsServiceIP}" + "description": "Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dnsServiceIP}" } }, "clusterNetworkPlugin": { @@ -184,7 +183,8 @@ "name": "opendes" } ] - } + }, + "rg_unique_id": "[format('{0}{1}', replace(variables('configuration').name, '-', ''), uniqueString(resourceGroup().id, variables('configuration').name))]" }, "resources": [ { @@ -198,7 +198,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('id-{0}{1}', replace(variables('configuration').name, '-', ''), uniqueString(resourceGroup().id, variables('configuration').name))]" + "value": "[variables('rg_unique_id')]" }, "location": { "value": "[parameters('location')]" @@ -208,7 +208,8 @@ }, "tags": { "value": { - "layer": "[variables('configuration').displayName]" + "layer": "[variables('configuration').displayName]", + "id": "[variables('rg_unique_id')]" } } }, @@ -219,8 +220,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17425686371279834860" + "version": "0.26.54.24096", + "templateHash": "998408512764899332" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", 
@@ -294,7 +295,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { @@ -317,6 +318,42 @@ } }, "nullable": true + }, + "federatedIdentityCredentialsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the federated identity credential." + } + }, + "audiences": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The list of audiences that can appear in the issued token." + } + }, + "issuer": { + "type": "string", + "metadata": { + "description": "Required. The URL of the issuer to be trusted." + } + }, + "subject": { + "type": "string", + "metadata": { + "description": "Required. The identifier of the external identity." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -334,8 +371,7 @@ } }, "federatedIdentityCredentials": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/federatedIdentityCredentialsType", "metadata": { "description": "Optional. The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object." } 
@@ -363,7 +399,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, @@ -383,7 +419,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('0.2.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -445,7 +481,9 @@ "userAssignedIdentity_federatedIdentityCredentials": { "copy": { "name": "userAssignedIdentity_federatedIdentityCredentials", - "count": "[length(parameters('federatedIdentityCredentials'))]" + "count": "[length(coalesce(parameters('federatedIdentityCredentials'), createArray()))]", + "mode": "serial", + "batchSize": 1 }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -457,19 +495,19 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].name]" + "value": "[coalesce(parameters('federatedIdentityCredentials'), createArray())[copyIndex()].name]" }, "userAssignedIdentityName": { "value": "[parameters('name')]" }, "audiences": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].audiences]" + "value": "[coalesce(parameters('federatedIdentityCredentials'), createArray())[copyIndex()].audiences]" }, "issuer": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].issuer]" + "value": "[coalesce(parameters('federatedIdentityCredentials'), createArray())[copyIndex()].issuer]" }, "subject": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].subject]" + "value": "[coalesce(parameters('federatedIdentityCredentials'), createArray())[copyIndex()].subject]" } }, "template": { @@ -478,8 +516,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4906524580099045986" + "version": "0.26.54.24096", + "templateHash": "4317497001099502136" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", @@ -617,7 +655,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('log-{0}{1}', replace(variables('configuration').name, '-', ''), uniqueString(resourceGroup().id, variables('configuration').name))]" + "value": "[variables('rg_unique_id')]" }, "location": { "value": "[parameters('location')]" @@ -627,7 +665,8 @@ }, "tags": { "value": { - "layer": "[variables('configuration').displayName]" + "layer": "[variables('configuration').displayName]", + "id": "[variables('rg_unique_id')]" } }, "skuName": { 
@@ -641,8 +680,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18160868089862776194" + "version": "0.25.53.49325", + "templateHash": "6354173151975740736" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", @@ -739,7 +778,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { @@ -791,14 +830,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "metricCategories": { 
@@ -809,14 +855,21 @@ "category": { "type": "string", "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, "logAnalyticsDestinationType": { 
@@ -1060,7 +1113,7 @@ }, "variables": { "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", 
@@ -1080,7 +1133,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.operationalinsights-workspace.{0}.{1}', replace('0.2.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.operationalinsights-workspace.{0}.{1}', replace('0.3.4', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -1131,12 +1184,30 @@ "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -1210,8 +1281,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6927557037830407278" + "version": "0.25.53.49325", + "templateHash": "4862843187650272248" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", @@ -1350,8 +1421,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14308828297239499350" + "version": "0.25.53.49325", + "templateHash": "14301767156435143002" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", 
@@ -1472,8 +1543,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10606325856723183085" + "version": "0.25.53.49325", + "templateHash": "6713282874166856483" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", @@ -1566,7 +1637,9 @@ "name": { "value": "[format('{0}{1}', parameters('savedSearches')[copyIndex()].name, uniqueString(deployment().name))]" }, - "etag": "[if(contains(parameters('savedSearches')[copyIndex()], 'eTag'), createObject('value', parameters('savedSearches')[copyIndex()].etag), createObject('value', '*'))]", + "etag": { + "value": "[tryGet(parameters('savedSearches')[copyIndex()], 'etag')]" + }, "displayName": { "value": "[parameters('savedSearches')[copyIndex()].displayName]" }, @@ -1576,9 +1649,15 @@ "query": { "value": "[parameters('savedSearches')[copyIndex()].query]" }, - "functionAlias": "[if(contains(parameters('savedSearches')[copyIndex()], 'functionAlias'), createObject('value', parameters('savedSearches')[copyIndex()].functionAlias), createObject('value', ''))]", - "functionParameters": "[if(contains(parameters('savedSearches')[copyIndex()], 'functionParameters'), createObject('value', parameters('savedSearches')[copyIndex()].functionParameters), createObject('value', ''))]", - "version": "[if(contains(parameters('savedSearches')[copyIndex()], 'version'), createObject('value', parameters('savedSearches')[copyIndex()].version), createObject('value', 2))]" + "functionAlias": { + "value": "[tryGet(parameters('savedSearches')[copyIndex()], 'functionAlias')]" + }, + "functionParameters": { + "value": "[tryGet(parameters('savedSearches')[copyIndex()], 'functionParameters')]" + }, + "version": { + "value": "[tryGet(parameters('savedSearches')[copyIndex()], 'version')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -1587,8 +1666,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "15380855553217354458" + "version": "0.25.53.49325", + "templateHash": "17950009471823327560" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search.", @@ -1648,7 +1727,7 @@ }, "version": { "type": "int", - "defaultValue": 2, + "nullable": true, "metadata": { "description": "Optional. The version number of the query language." } @@ -1747,8 +1826,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10850607616619144958" + "version": "0.25.53.49325", + "templateHash": "12543023571728523937" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export.", @@ -1874,8 +1953,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4434233073381873133" + "version": "0.25.53.49325", + "templateHash": "14032975851567807564" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", 
@@ -2076,26 +2155,110 @@ "name": { "value": "[parameters('tables')[copyIndex()].name]" }, - "plan": "[if(contains(parameters('tables')[copyIndex()], 'plan'), createObject('value', parameters('tables')[copyIndex()].plan), createObject('value', 'Analytics'))]", - "schema": "[if(contains(parameters('tables')[copyIndex()], 'schema'), createObject('value', parameters('tables')[copyIndex()].schema), createObject('value', createObject()))]", - "retentionInDays": "[if(contains(parameters('tables')[copyIndex()], 'retentionInDays'), createObject('value', parameters('tables')[copyIndex()].retentionInDays), createObject('value', -1))]", - "totalRetentionInDays": "[if(contains(parameters('tables')[copyIndex()], 'totalRetentionInDays'), createObject('value', parameters('tables')[copyIndex()].totalRetentionInDays), createObject('value', -1))]", - "restoredLogs": "[if(contains(parameters('tables')[copyIndex()], 'restoredLogs'), createObject('value', parameters('tables')[copyIndex()].restoredLogs), createObject('value', createObject()))]", - "searchResults": "[if(contains(parameters('tables')[copyIndex()], 'searchResults'), createObject('value', parameters('tables')[copyIndex()].searchResults), createObject('value', createObject()))]" + "plan": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'plan')]" + }, + "schema": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'schema')]" + }, + "retentionInDays": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'retentionInDays')]" + }, + "totalRetentionInDays": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'totalRetentionInDays')]" + }, + "restoredLogs": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'restoredLogs')]" + }, + "searchResults": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'searchResults')]" + }, + "roleAssignments": { + "value": "[tryGet(parameters('tables')[copyIndex()], 'roleAssignments')]" + } }, "template": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2244910007498205670" + "version": "0.25.53.49325", + "templateHash": "4932423807790181892" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
+ } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -2158,10 +2321,35 @@ "metadata": { "description": "Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention." } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('workspaceName')]" + }, + "table": { "type": "Microsoft.OperationalInsights/workspaces/tables", "apiVersion": "2022-10-01", "name": "[format('{0}/{1}', parameters('workspaceName'), 
parameters('name'))]", 
@@ -2172,9 +2360,34 @@ "schema": "[parameters('schema')]", "searchResults": "[parameters('searchResults')]", "totalRetentionInDays": "[parameters('totalRetentionInDays')]" - } + }, + "dependsOn": [ + "workspace" + ] + }, + "table_roleAssignments": { + "copy": { + "name": "table_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}/tables/{1}', parameters('workspaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "table" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2231,7 +2444,7 @@ "product": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'product'), createObject('value', parameters('gallerySolutions')[copyIndex()].product), createObject('value', 'OMSGallery'))]", "publisher": "[if(contains(parameters('gallerySolutions')[copyIndex()], 'publisher'), createObject('value', parameters('gallerySolutions')[copyIndex()].publisher), createObject('value', 'Microsoft'))]", "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" + "value": "[coalesce(tryGet(parameters('gallerySolutions')[copyIndex()], 'enableTelemetry'), parameters('enableTelemetry'))]" } }, "template": { @@ -2408,7 +2621,7 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity.principalId, '')]" + "value": "[coalesce(tryGet(tryGet(reference('logAnalyticsWorkspace', '2022-10-01', 'full'), 'identity'), 'principalId'), '')]" } } } @@ -2430,6 +2643,11 @@ "displayName": "Network Resources" } }, + "tags": { + "value": { + "id": "[variables('rg_unique_id')]" + } + }, "location": { "value": "[parameters('location')]" }, 
@@ -2484,7 +2702,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "7368247160833872333" + "templateHash": "4603009188888777771" } }, "definitions": { @@ -2589,6 +2807,13 @@ "description": "The location of resources to deploy" } }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "The tags to apply to the resources" + } + }, "enableTelemetry": { "type": "bool", "defaultValue": false, @@ -2780,7 +3005,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('nsg-common{0}-aks', uniqueString(resourceGroup().id, 'common'))]" + "value": "[format('{0}{1}-aks', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" @@ -2789,9 +3014,7 @@ "value": "[parameters('enableTelemetry')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "securityRules": { "value": "[union(array(variables('nsgRules').http_inbound_rule), array(variables('nsgRules').https_inbound_rule), array(variables('nsgRules').ssh_outbound))]" @@ -2804,8 +3027,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9172306311946541571" + "version": "0.25.53.49325", + "templateHash": "18142542907146076409" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", 
@@ -2931,14 +3154,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "logAnalyticsDestinationType": { @@ -3049,7 +3279,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, @@ -3068,7 +3298,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -3144,11 +3374,21 @@ "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", 
"marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -3228,8 +3468,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13132940167196258311" + "version": "0.25.53.49325", + "templateHash": "7870858269129613686" }, "name": "Network Security Group (NSG) Security Rules", "description": "This module deploys a Network Security Group (NSG) Security Rule.", @@ -3467,7 +3707,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('nsg-common{0}-bastion', uniqueString(resourceGroup().id, 'common'))]" + "value": "[format('{0}{1}-bastion', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" @@ -3476,9 +3716,7 @@ "value": "[parameters('enableTelemetry')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "securityRules": { "value": "[union(array(variables('nsgRules').https_inbound_rule), array(variables('nsgRules').load_balancer_inbound), array(variables('nsgRules').bastion_host_communication), array(variables('nsgRules').ssh_outbound), array(variables('nsgRules').cloud_outbound), array(variables('nsgRules').bastion_communication), array(variables('nsgRules').allow_http_outbound))]" @@ -3491,8 +3729,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9172306311946541571" + "version": "0.25.53.49325", + "templateHash": "18142542907146076409" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", 
@@ -3618,14 +3856,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "logAnalyticsDestinationType": { @@ -3736,7 +3981,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, @@ -3755,7 +4000,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -3831,16 +4076,26 @@ "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "networkSecurityGroup" + "copy": [ + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), 
createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "networkSecurityGroup" ] }, "networkSecurityGroup_roleAssignments": { @@ -3915,8 +4170,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13132940167196258311" + "version": "0.25.53.49325", + "templateHash": "7870858269129613686" }, "name": "Network Security Group (NSG) Security Rules", "description": "This module deploys a Network Security Group (NSG) Security Rule.", @@ -4154,7 +4409,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('nsg-common{0}-vm', uniqueString(resourceGroup().id, 'common'))]" + "value": "[format('{0}{1}-vm', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" 
@@ -4163,9 +4418,7 @@ "value": "[parameters('enableTelemetry')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "securityRules": { "value": [] @@ -4178,8 +4431,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9172306311946541571" + "version": "0.25.53.49325", + "templateHash": "18142542907146076409" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", @@ -4305,14 +4558,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "logAnalyticsDestinationType": { @@ -4423,7 +4683,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -4442,7 +4702,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.1.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -4518,11 +4778,21 @@ "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", 
"marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -4602,8 +4872,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13132940167196258311" + "version": "0.25.53.49325", + "templateHash": "7870858269129613686" }, "name": "Network Security Group (NSG) Security Rules", "description": "This module deploys a Network Security Group (NSG) Security Rule.", @@ -4841,7 +5111,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('vnet-common{0}', uniqueString(resourceGroup().id, 'common'))]" + "value": "[format('{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" @@ -4850,9 +5120,7 @@ "value": "[parameters('enableTelemetry')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "addressPrefixes": { "value": [ @@ -4892,8 +5160,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7839005038128499146" + "version": "0.26.54.24096", + "templateHash": "3953414984134921258" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", 
@@ -4933,7 +5201,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -4967,7 +5235,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { 
@@ -5019,14 +5287,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "metricCategories": { @@ -5037,14 +5312,21 @@ "category": { "type": "string", "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, "logAnalyticsDestinationType": { 
@@ -5102,7 +5384,7 @@ "name": { "type": "string", "metadata": { - "description": "Required. The Virtual Network (vNet) Name." + "description": "Required. The name of the Virtual Network (vNet)." } }, "location": { @@ -5187,7 +5469,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -5206,12 +5488,6 @@ } }, "variables": { - "dnsServersVar": { - "dnsServers": "[array(parameters('dnsServers'))]" - }, - "ddosProtectionPlan": { - "id": "[parameters('ddosProtectionPlanResourceId')]" - }, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", @@ -5226,7 +5502,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-virtualnetwork.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-virtualnetwork.{0}.{1}', replace('0.1.5', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -5275,8 +5551,8 @@ "addressSpace": { "addressPrefixes": "[parameters('addressPrefixes')]" }, - "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanResourceId'))), variables('ddosProtectionPlan'), null())]", - "dhcpOptions": "[if(not(empty(parameters('dnsServers'))), variables('dnsServersVar'), null())]", + "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanResourceId'))), createObject('id', parameters('ddosProtectionPlanResourceId')), null())]", + "dhcpOptions": "[if(not(empty(parameters('dnsServers'))), createObject('dnsServers', array(parameters('dnsServers'))), null())]", "enableDdosProtection": "[not(empty(parameters('ddosProtectionPlanResourceId')))]", "encryption": "[if(equals(parameters('vnetEncryption'), true()), createObject('enabled', parameters('vnetEncryption'), 'enforcement', parameters('vnetEncryptionEnforcement')), null())]", "flowTimeoutInMinutes": "[if(not(equals(parameters('flowTimeoutInMinutes'), 0)), parameters('flowTimeoutInMinutes'), null())]" 
@@ -5306,12 +5582,30 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -5384,8 +5678,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16295395838729593723" + "version": "0.26.54.24096", + "templateHash": "11309828149329550402" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", 
@@ -5400,7 +5694,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -5434,7 +5728,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { @@ -5568,7 +5862,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -5710,8 +6004,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10220824930947117349" + "version": "0.26.54.24096", + "templateHash": "2926837656927862519" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering.", @@ -5855,8 +6149,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10220824930947117349" + "version": "0.26.54.24096", + "templateHash": "2926837656927862519" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering.", @@ -6069,6 +6363,11 @@ "displayName": "Common Resources" } }, + "tags": { + "value": { + "id": "[variables('rg_unique_id')]" + } + }, "location": { "value": "[parameters('location')]" }, @@ -6120,7 +6419,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "9832607646947063937" + "templateHash": "3439112991696130367" } }, "definitions": { @@ -6149,6 +6448,13 @@ "description": "Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false." } }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The tags to apply to the resources" + } + }, "location": { "type": "string", "metadata": { @@ -6272,7 +6578,7 @@ ] } }, - "name": "[format('kv-{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]", + "name": "[format('{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]", "vaultSecrets": [ { "secretName": "tenant-id", 
@@ -6348,7 +6654,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('ai-{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" + "value": "[format('{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" @@ -6989,9 +7295,7 @@ "value": "[parameters('enableTelemetry')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "enablePurgeProtection": { "value": false @@ -7024,8 +7328,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "15629192251973726626" + "version": "0.26.54.24096", + "templateHash": "12538315610403519820" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", @@ -7062,12 +7366,19 @@ "metadata": { "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "metricCategories": { 
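Review bot: The unchanged context line `"enablePurgeProtection": { "value": false }` in the `-6989` hunk, which appears to sit in the parameters passed to the Key Vault module, leaves the vault purgeable during its soft-delete retention window. A deleted vault and its secrets can then be destroyed permanently by any principal holding purge rights. If this template is used beyond throwaway environments, set `"enablePurgeProtection": { "value": true }` in the Bicep source that generates this file; purge protection cannot be switched off again once enabled, so the change needs to be deliberate. The parameters object this line belongs to starts and ends outside the hunk.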
@@ -7080,12 +7391,19 @@ "metadata": { "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to '' to disable metric collection." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, "logAnalyticsDestinationType": { @@ -7223,11 +7541,18 @@ "description": "Optional. The location to deploy the private endpoint to." } }, + "privateLinkServiceConnectionName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private link connection to create." + } + }, "service": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"." } }, "subnetResourceId": { 
@@ -7253,6 +7578,21 @@ "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." } }, + "isManualConnection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. If Manual Private Link Connection is required." + } + }, + "manualConnectionRequestMessage": { + "type": "string", + "nullable": true, + "maxLength": 140, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." + } + }, "customDnsConfigs": { "type": "array", "items": { @@ -7361,18 +7701,18 @@ "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, - "manualPrivateLinkServiceConnections": { - "type": "array", + "enableTelemetry": { + "type": "bool", "nullable": true, "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." + "description": "Optional. Enable/Disable usage telemetry for module." } }, - "enableTelemetry": { - "type": "bool", + "resourceGroupName": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "description": "Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource." } } } @@ -7646,7 +7986,7 @@ "type": "object", "nullable": true, "metadata": { - "description": "Optional. Rules governing the accessibility of the resouce from specific network locations." + "description": "Optional. Rules governing the accessibility of the resource from specific network locations." } }, "publicNetworkAccess": { 
@@ -7736,7 +8076,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.keyvault-vault.{0}.{1}', replace('0.3.4', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.keyvault-vault.{0}.{1}', replace('0.5.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -7801,12 +8141,30 @@ "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())))]", "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -7861,8 +8219,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "5144103047835198105" + "version": "0.26.54.24096", + "templateHash": "10878813547461142217" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", @@ -8105,7 +8463,7 @@ "value": "[parameters('name')]" }, "attributesEnabled": { - "value": "[coalesce(tryGet(variables('secretList')[copyIndex()], 'attributesEnabled'), true())]" + "value": "[tryGet(variables('secretList')[copyIndex()], 'attributesEnabled')]" }, "attributesExp": { "value": "[tryGet(variables('secretList')[copyIndex()], 'attributesExp')]" 
@@ -8130,8 +8488,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "14698549572049105523" + "version": "0.26.54.24096", + "templateHash": "1877278864243602204" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -8382,7 +8740,7 @@ "value": "[parameters('name')]" }, "attributesEnabled": { - "value": "[coalesce(tryGet(coalesce(parameters('keys'), createArray())[copyIndex()], 'attributesEnabled'), true())]" + "value": "[tryGet(coalesce(parameters('keys'), createArray())[copyIndex()], 'attributesEnabled')]" }, "attributesExp": { "value": "[tryGet(coalesce(parameters('keys'), createArray())[copyIndex()], 'attributesExp')]" @@ -8419,8 +8777,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "17466785154213688764" + "version": "0.26.54.24096", + "templateHash": "5903918450419813264" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", 
@@ -8703,29 +9061,19 @@ }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-keyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "resourceGroup": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupName'), '')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "privateLinkServiceConnections": { - "value": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]", - "groupIds": [ - "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault')]" - ] - } - } - ] - }, "name": { "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault'), copyIndex()))]" }, + "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.KeyVault/vaults', parameters('name')), 'groupIds', 
createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault')))))), createObject('value', null()))]", + "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.KeyVault/vaults', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault')), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", "subnetResourceId": { "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, @@ -8750,9 +9098,6 @@ "tags": { "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" }, - "manualPrivateLinkServiceConnections": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" - }, "customDnsConfigs": { "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" }, 
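Review bot: A `privateEndpoints` entry that still sets `manualPrivateLinkServiceConnections` is no longer forwarded once the `@@ -8750` hunk removes the pass-through, and the `@@ -8703` hunk builds a regular (non-manual) connection unless `isManualConnection` equals `true`. An existing parameter file that relied on the old property would therefore probably change its approval behaviour without any deployment error; this is inferred, since whether the typed object rejects unknown properties is not visible here. I would record the migration in the `isManualConnection` description, e.g. `Optional. If Manual Private Link Connection is required. Replaces the former manualPrivateLinkServiceConnections property.`, and make the same statement in the Bicep source this file is compiled from.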
@@ -8773,8 +9118,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2821141217598568122" + "version": "0.25.53.49325", + "templateHash": "4120048060064073955" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -8823,7 +9168,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { @@ -8901,7 +9246,7 @@ "privateIPAddress": { "type": "string", "metadata": { - "description": "Required. A private ip address obtained from the private endpoint's subnet." + "description": "Required. A private IP address obtained from the private endpoint's subnet." } } }, @@ -9004,7 +9349,7 @@ "fqdn": { "type": "string", "metadata": { - "description": "Required. Fqdn that resolves to private endpoint ip address." + "description": "Required. Fqdn that resolves to private endpoint IP address." } }, "ipAddresses": { @@ -9013,7 +9358,7 @@ "type": "string" }, "metadata": { - "description": "Required. A list of private ip addresses of the private endpoint." + "description": "Required. A list of private IP addresses of the private endpoint." } } } 
@@ -9139,7 +9484,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.3.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.4.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -9244,8 +9589,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "18168683629401652671" + "version": "0.25.53.49325", + "templateHash": "11244630631275470040" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -9356,6 +9701,13 @@ "description": "The location the resource was deployed into." }, "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" + }, + "groupId": { + "type": "string", + "metadata": { + "description": "The group Id for the private endpoint Group." + }, + "value": "[if(not(empty(reference('privateEndpoint').manualPrivateLinkServiceConnections)), reference('privateEndpoint').manualPrivateLinkServiceConnections[0].properties.groupIds[0], reference('privateEndpoint').privateLinkServiceConnections[0].properties.groupIds[0])]" } } } 
@@ -10641,15 +10993,13 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('sa{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" + "value": "[format('{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" }, "location": { "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "diagnosticWorkspaceId": { "value": "[parameters('workspaceResourceId')]" @@ -10692,7 +11042,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "4951021725059274736" + "templateHash": "5800989503858482527" } }, "parameters": { @@ -11046,7 +11396,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]", "properties": {}, "dependsOn": [ @@ -11055,7 +11405,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]", "properties": { "protocolSettings": {}, 
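Review bot: Removing the `sa` prefix from the `name` value in the `@@ -10641` hunk changes the storage account name computed for every environment that is already deployed. Because this nested deployment runs with `"mode": "Incremental"`, a redeploy would most likely create a second account and leave the old one, with its data and access keys, in place and unmanaged. The `@@ -12788` hunk does the same for the `dba-` prefix. The module that consumes the name is outside these hunks, so this is inferred from the expression alone. If the rename is intended, I would note it beside the expression in the Bicep source this file is compiled from, e.g. `// name no longer carries the 'sa' prefix: existing environments get a new account on redeploy; migrate data and remove the old one`.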
@@ -11074,7 +11424,7 @@ "count": "[length(parameters('containers'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('containers')[copyIndex()])]", "properties": { "defaultEncryptionScope": "$account-encryption-key", @@ -11091,7 +11441,7 @@ "count": "[length(parameters('tables'))]" }, "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('tables')[copyIndex()])]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/tableServices', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]" @@ -11103,7 +11453,7 @@ "count": "[length(parameters('shares'))]" }, "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('shares')[copyIndex()])]", "properties": { "shareQuota": "[parameters('shareQuota')]", 
@@ -11117,7 +11467,7 @@ { "condition": "[not(equals(parameters('lock'), 'NotSpecified'))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')))]", "name": "[format('{0}-{1}-lock', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), parameters('lock'))]", "properties": { @@ -12314,9 +12664,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "diagnosticWorkspaceId": { "value": "[parameters('workspaceResourceId')]" @@ -12382,7 +12730,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "14500331066971295756" + "templateHash": "2651088910698342173" } }, "parameters": { @@ -12788,7 +13136,7 @@ } } ], - "name": "[format('dba-{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", + "name": "[format('{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "consistencyPolicy": { "Eventual": { @@ -14446,6 +14794,11 @@ "displayName": "Manage Resources" } }, + "tags": { + "value": { + "id": "[variables('rg_unique_id')]" + } + }, "manageLayerConfig": { "value": { "machine": { 
@@ -14493,7 +14846,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "15539531548213272164" + "templateHash": "8338110543012077597" } }, "definitions": { @@ -14598,6 +14951,13 @@ "description": "The location of resources to deploy" } }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "The tags to apply to the resources" + } + }, "enableTelemetry": { "type": "bool", "defaultValue": false, @@ -14680,7 +15040,7 @@ "skuName": { "value": "[parameters('manageLayerConfig').bastion.skuName]" }, - "vNetId": { + "virtualNetworkResourceId": { "value": "[parameters('vnetId')]" }, "location": { @@ -14688,6 +15048,9 @@ }, "enableTelemetry": { "value": "[parameters('enableTelemetry')]" + }, + "tags": { + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" } }, "template": { @@ -14697,8 +15060,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "18087298610689039063" + "version": "0.26.54.24096", + "templateHash": "13476650126267644156" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", 
@@ -14824,14 +15187,21 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "logAnalyticsDestinationType": { @@ -14899,10 +15269,10 @@ "description": "Optional. Location for all resources." } }, - "vNetId": { + "virtualNetworkResourceId": { "type": "string", "metadata": { - "description": "Required. Shared services Virtual Network resource identifier." + "description": "Required. Shared services Virtual Network resource Id." } }, "bastionSubnetPublicIpResourceId": { @@ -15021,7 +15391,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-bastionhost.{0}.{1}', replace('0.1.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-bastionhost.{0}.{1}', replace('0.2.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { 
@@ -15046,7 +15416,7 @@ "sku": { "name": "[parameters('skuName')]" }, - "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('vNetId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", + "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('virtualNetworkResourceId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", 
"dependsOn": [ "publicIPAddress" ] 
@@ -15075,11 +15445,21 @@ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", "marketplacePartnerId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, 
@@ -15135,16 +15515,30 @@ "diagnosticSettings": { "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" }, - "publicIPAddressVersion": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAddressVersion'), createObject('value', parameters('publicIPAddressObject').publicIPAddressVersion), createObject('value', 'IPv4'))]", - "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static'))]", - "publicIpPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', ''))]", - "roleAssignments": "[if(contains(parameters('publicIPAddressObject'), 'roleAssignments'), createObject('value', parameters('publicIPAddressObject').roleAssignments), createObject('value', createArray()))]", - "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard'))]", - "skuTier": "[if(contains(parameters('publicIPAddressObject'), 'skuTier'), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional'))]", + "publicIPAddressVersion": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAddressVersion')]" + }, + "publicIPAllocationMethod": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAllocationMethod')]" + }, + "publicIpPrefixResourceId": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId')]" + }, + "roleAssignments": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'roleAssignments')]" + }, + "skuName": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'skuName')]" + }, + "skuTier": { + "value": 
"[tryGet(parameters('publicIPAddressObject'), 'skuTier')]" + }, "tags": { "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" }, - "zones": "[if(contains(parameters('publicIPAddressObject'), 'zones'), createObject('value', parameters('publicIPAddressObject').zones), createObject('value', createArray()))]" + "zones": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'zones')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -15153,8 +15547,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3488076626994379707" + "version": "0.26.54.24096", + "templateHash": "4718335757080871925" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -15203,7 +15597,7 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, "conditionVersion": { @@ -15297,11 +15691,14 @@ "type": "object", "properties": { "id": { - "type": "string" - } + "type": "string", + "metadata": { + "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address." + } + } }, "metadata": { - "description": "Required. The DDoS protection plan ID associated with the public IP address." + "description": "Required. The DDoS protection plan associated with the public IP address." } }, "protectionMode": { 
@@ -15345,12 +15742,19 @@ "metadata": { "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, "metricCategories": { @@ -15363,12 +15767,19 @@ "metadata": { "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } } } }, "nullable": true, "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, "logAnalyticsDestinationType": { @@ -15449,7 +15860,19 @@ }, "zones": { "type": "array", - "nullable": true, + "items": { + "type": "int" + }, + "defaultValue": [ + 1, + 2, + 3 + ], + "allowedValues": [ + 1, + 2, + 3 + ], "metadata": { "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." } 
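Review bot: The `zones` parameter in the `@@ -15449` hunk changes from a nullable array to `"defaultValue": [1, 2, 3]`, while the caller in the `@@ -15135` hunk stops falling back to `createArray()` and forwards `tryGet(parameters('publicIPAddressObject'), 'zones')` instead. A public IP declared without `zones` therefore appears to move from no zones to all three. That would probably fail in regions without availability zones, and may be rejected for an address that already exists, since zone assignment is normally fixed at creation; both are inferred rather than shown on the page. The description should state the new default, e.g. `Optional. A list of availability zones denoting the IP allocated for the resource needs to come from. Defaults to zones 1, 2 and 3.`, and callers that need the previous behaviour should set `zones` explicitly on `publicIPAddressObject`.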
@@ -15567,7 +15990,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.2.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.4.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -15585,7 +16008,7 @@ }, "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-04-01", + "apiVersion": "2023-09-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -15593,7 +16016,7 @@ "name": "[parameters('skuName')]", "tier": "[parameters('skuTier')]" }, - "zones": "[parameters('zones')]", + "zones": "[map(parameters('zones'), lambda('zone', string(lambdaVariables('zone'))))]", "properties": { "ddosSettings": "[parameters('ddosSettings')]", "dnsSettings": "[parameters('dnsSettings')]", @@ -15601,7 +16024,7 @@ "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", "publicIPPrefix": "[if(not(empty(parameters('publicIpPrefixResourceId'))), createObject('id', parameters('publicIpPrefixResourceId')), null())]", "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "ipTags": [] + "ipTags": null } }, "publicIpAddress_lock": { 
@@ -15650,12 +16073,30 @@ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], "storageAccountId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())))]", "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, @@ -15691,14 +16132,14 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" + "value": "[coalesce(tryGet(reference('publicIpAddress'), 'ipAddress'), '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-09-01', 'full').location]" } } } 
@@ -15763,9 +16204,7 @@ "value": "[parameters('manageLayerConfig').machine.vmSize]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "vmSubnetId": { "value": "[parameters('vmSubnetId')]" @@ -16067,6 +16506,11 @@ "displayName": "Partition Resources" } }, + "tags": { + "value": { + "id": "[variables('rg_unique_id')]" + } + }, "location": { "value": "[parameters('location')]" }, @@ -16106,7 +16550,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "13735874341578879477" + "templateHash": "14071587013246093684" } }, "definitions": { @@ -16141,6 +16585,13 @@ "description": "The location of resources to deploy" } }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "The tags to apply to the resources" + } + }, "enableBlobPublicAccess": { "type": "bool", "metadata": { 
@@ -16412,6 +16863,93 @@ ] } ] + }, + "servicebus": { + "sku": "Standard", + "defaultSize": 1024, + "topics": [ + { + "name": "indexing-progress", + "subscriptions": [ + { + "name": "indexing-progresssubscription" + } + ] + }, + { + "name": "legaltags", + "subscriptions": [ + { + "name": "legaltagssubscription" + } + ] + }, + { + "name": "recordstopic", + "subscriptions": [ + { + "name": "recordstopicsubscription" + } + ] + }, + { + "name": "recordstopicdownstream", + "subscriptions": [ + { + "name": "downstreamsub" + } + ] + }, + { + "name": "recordstopiceg", + "subscriptions": [ + { + "name": "eg_sb_wkssubscription" + } + ] + }, + { + "name": "schemachangedtopic", + "subscriptions": [ + { + "name": "schemachangedtopicsubscription" + } + ] + }, + { + "name": "schemachangedtopiceg", + "subscriptions": [ + { + "name": "eg_sb_schemasubscription" + } + ] + }, + { + "name": "legaltagschangedtopiceg", + "subscriptions": [ + { + "name": "eg_sb_legaltagssubscription" + } + ] + }, + { + "name": "statuschangedtopic", + "maxSizeInMegabytes": 5120, + "subscriptions": [ + { + "name": "eg_sb_statussubscription" + } + ] + }, + { + "name": "statuschangedtopiceg", + "subscriptions": [] + }, + { + "name": "replayrecordtopic", + "subscriptions": [] + } + ] } } }, 
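Review bot: The new `servicebus` block hard-codes `"sku": "Standard"`, and in Azure Service Bus private endpoints and customer-managed-key encryption are offered only on the Premium tier, so the partition namespaces built from this config cannot be network-isolated that way. Further down in this diff the namespace and every topic also receive a `RootManageSharedAccessKey` rule with `Listen`, `Manage` and `Send`, which leaves those shared keys as the main access control on a publicly reachable endpoint. I would expose the tier as a parameter that defaults to the current value, e.g. `"sku": "[parameters('serviceBusSku')]"`, and state the network-exposure trade-off in that parameter's description. `serviceBusSku` is a proposed new parameter, and it has to be added in the Bicep source because this file is generated. The `variables` object this block belongs to starts outside the hunk.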
@@ -16431,17 +16969,13 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('sa{0}{1}', replace(format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6)), '-', ''), uniqueString(resourceGroup().id, format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6))))]" + "value": "[format('{0}{1}', replace(format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6)), '-', ''), uniqueString(resourceGroup().id, format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6))))]" }, "location": { "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]", - "partition": "[parameters('partitions')[copyIndex()].name]", - "purpose": "data" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName, 'partition', parameters('partitions')[copyIndex()].name, 'purpose', 'data'))]" }, "diagnosticWorkspaceId": { "value": "[parameters('workspaceResourceId')]" @@ -16478,7 +17012,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "4951021725059274736" + "templateHash": "5800989503858482527" } }, "parameters": { @@ -16832,7 +17366,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]", "properties": {}, "dependsOn": [ 
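Review bot: Removing the `sa` prefix from the storage account `name` in the first hunk on this line changes the generated name for every partition, and the `dba-` prefix removal in the `@@ -18563` hunk does the same for what appears to be the database account. These nested deployments run with `"mode": "Incremental"`, so redeploying over an existing environment would presumably create new, empty accounts and leave the old ones in the resource group, still holding their data and keys but no longer managed by the template. If existing environments are in scope, the commit should carry a migration or clean-up step. Otherwise the description should say so, for example `Partition storage and database account names changed; existing environments must migrate data or be redeployed.`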
@@ -16841,7 +17375,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]", "properties": { "protocolSettings": {}, @@ -16860,7 +17394,7 @@ "count": "[length(parameters('containers'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('containers')[copyIndex()])]", "properties": { "defaultEncryptionScope": "$account-encryption-key", @@ -16877,7 +17411,7 @@ "count": "[length(parameters('tables'))]" }, "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('tables')[copyIndex()])]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/tableServices', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default')]" @@ -16889,7 +17423,7 @@ "count": "[length(parameters('shares'))]" }, "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2022-05-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), 'default', parameters('shares')[copyIndex()])]", "properties": { "shareQuota": "[parameters('shareQuota')]", 
@@ -16903,7 +17437,7 @@ { "condition": "[not(equals(parameters('lock'), 'NotSpecified'))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')))]", "name": "[format('{0}-{1}-lock', if(greater(length(parameters('name')), 24), substring(parameters('name'), 0, 24), parameters('name')), parameters('lock'))]", "properties": { @@ -18105,11 +18639,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]", - "partition": "[parameters('partitions')[copyIndex()].name]", - "purpose": "data" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName, 'partition', parameters('partitions')[copyIndex()].name, 'purpose', 'data'))]" }, "diagnosticWorkspaceId": { "value": "[parameters('workspaceResourceId')]" @@ -18157,7 +18687,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "14500331066971295756" + "templateHash": "2651088910698342173" } }, "parameters": { @@ -18563,7 +19093,7 @@ } } ], - "name": "[format('dba-{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", + "name": "[format('{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "consistencyPolicy": { "Eventual": { 
@@ -20174,384 +20704,4628 @@ "[format('partitionDb[{0}]', copyIndex())]", "[format('partitionDb[{0}]', copyIndex())]" ] - } - }, - "outputs": { - "partitionStorageNames": { - "type": "array", - "items": { - "type": "string" - }, + }, + "partitonNamespace": { "copy": { - "count": "[length(parameters('partitions'))]", - "input": "[reference(format('partitionStorage[{0}]', copyIndex())).outputs.name.value]" - } - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'common-blade')]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-log-analytics', variables('configuration').name))]", - "[resourceId('Microsoft.Resources/deployments', 'network-blade')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "service-blade", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "bladeConfig": { - "value": { - "sectionName": "serviceblade", - "displayName": "Service Resources" - } - }, - "location": { - "value": "[parameters('location')]" - }, - "enableTelemetry": { - "value": "[variables('enableTelemetry')]" - }, - "enableSoftwareLoad": { - "value": "[parameters('clusterSoftware').enable]" - }, - "applicationClientId": { - "value": "[parameters('applicationClientId')]" - }, - "applicationClientPrincipalOid": { - "value": "[parameters('applicationClientPrincipalOid')]" - }, - "workspaceResourceId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-log-analytics', variables('configuration').name)), '2022-09-01').outputs.resourceId.value]" - }, - "identityId": "[if(variables('enableVnetInjection'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.networkConfiguration.value.identityId), createObject('value', reference(resourceId('Microsoft.Resources/deployments', format('{0}-user-managed-identity', 
variables('configuration').name)), '2022-09-01').outputs.resourceId.value))]", - "managedIdentityName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-user-managed-identity', variables('configuration').name)), '2022-09-01').outputs.name.value]" - }, - "kvName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.keyvaultName.value]" - }, - "kvUri": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.keyvaultUri.value]" - }, - "storageName": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.storageAccountName.value]" - }, - "partitionStorageNames": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'partition-blade'), '2022-09-01').outputs.partitionStorageNames.value]" - }, - "aksSubnetId": { - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.aksSubnetId.value]" - }, - "podSubnetId": "[if(parameters('enablePodSubnet'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.podSubnetId.value), createObject('value', ''))]", - "clusterSize": { - "value": "[parameters('tier')]" - }, - "clusterAdminIds": { - "value": "[parameters('clusterAdminIds')]" - }, - "clusterIngress": "[if(equals(parameters('clusterNetwork').ingress, ''), createObject('value', 'Both'), createObject('value', parameters('clusterNetwork').ingress))]", - "serviceCidr": "[if(equals(parameters('clusterNetwork').serviceCidr, ''), createObject('value', '172.16.0.0/16'), createObject('value', parameters('clusterNetwork').serviceCidr))]", - "dnsServiceIP": "[if(equals(parameters('clusterNetwork').dnsServiceIP, ''), createObject('value', '172.16.0.10'), createObject('value', parameters('clusterNetwork').v))]", - "dockerBridgeCidr": 
"[if(equals(parameters('clusterNetwork').dockerBridgeCidr, ''), createObject('value', '172.17.0.1/16'), createObject('value', parameters('clusterNetwork').dockerBridgeCidr))]", - "networkPlugin": "[if(parameters('enablePodSubnet'), createObject('value', 'azure'), createObject('value', parameters('clusterNetworkPlugin')))]", - "softwareBranch": { - "value": "[parameters('clusterSoftware').branch]" - }, - "softwareRepository": { - "value": "[parameters('clusterSoftware').repository]" - }, - "softwareTag": { - "value": "[parameters('clusterSoftware').tag]" - }, - "appSettings": { - "value": [ - { - "name": "Settings:StorageAccountName", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'partition-blade'), '2022-09-01').outputs.partitionStorageNames.value[0]]", - "contentType": "text/plain", - "label": "configmap-devsample" + "name": "partitonNamespace", + "count": "[length(parameters('partitions'))]" }, - { - "name": "client_id", - "value": "[parameters('applicationClientId')]", - "contentType": "text/plain", - "label": "configmap-services" - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "5678982901420710417" - } - }, - "definitions": { - "bladeSettings": { - "type": "object", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-service-bus-{1}', parameters('bladeConfig').sectionName, copyIndex())]", "properties": { - "sectionName": { - "type": "string", - "metadata": { - "description": "The name of the section name" - } + "expressionEvaluationOptions": { + "scope": "inner" }, - "displayName": { - "type": "string", - "metadata": { - "description": "The display name of the section" - } - } - } - }, - "appConfigItem": { - "type": "object", - "properties": { - "name": { 
- "type": "string", - "metadata": { - "description": "The App Configuration Key" - } - }, - "value": { - "type": "string", - "metadata": { - "description": "The App Configuration Value" - } - }, - "contentType": { - "type": "string", - "metadata": { - "description": "The App Configuration Content Type" + "mode": "Incremental", + "parameters": { + "name": { + "value": "[format('{0}{1}', replace(format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6)), '-', ''), uniqueString(resourceGroup().id, format('data{0}{1}', copyIndex(), substring(uniqueString(parameters('partitions')[copyIndex()].name), 0, 6))))]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName, 'partition', parameters('partitions')[copyIndex()].name, 'purpose', 'data'))]" + }, + "diagnosticSettings": { + "value": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]" + } + ] + }, + "skuObject": { + "value": { + "name": "[variables('partitionLayerConfig').servicebus.sku]" + } + }, + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + ] + }, + "topics": { + "copy": [ + { + "name": "value", + "count": "[length(variables('partitionLayerConfig').servicebus.topics)]", + "input": "[createObject('name', variables('partitionLayerConfig').servicebus.topics[copyIndex('value')].name, 'maxSizeInMegabytes', if(contains(variables('partitionLayerConfig').servicebus.topics[copyIndex('value')], 'maxSizeInMegabytes'), variables('partitionLayerConfig').servicebus.topics[copyIndex('value')].maxSizeInMegabytes, variables('partitionLayerConfig').servicebus.defaultSize), 'authorizationRules', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send'))), 'subscriptions', 
variables('partitionLayerConfig').servicebus.topics[copyIndex('value')].subscriptions)]" + } + ] } }, - "label": { - "type": "string", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", "metadata": { - "description": "The App Configuration Label" - } - } - } - } - }, - "parameters": { - "bladeConfig": { - "$ref": "#/definitions/bladeSettings", - "metadata": { - "description": "The configuration for the blade section." - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location of resources to deploy" - } - }, - "enableTelemetry": { - "type": "bool", - "metadata": { - "description": "Feature Flag to Enable Telemetry" - } - }, - "workspaceResourceId": { - "type": "string", - "metadata": { - "description": "The workspace resource Id for diagnostics" - } - }, - "networkPlugin": { - "type": "string" - }, - "clusterSize": { - "type": "string" - }, - "kvName": { - "type": "string", - "metadata": { - "description": "The name of the Key Vault where the secret exists" - } - }, - "kvUri": { - "type": "string", - "metadata": { - "description": "The Uri of the Key Vault where the secret exists" - } - }, - "storageName": { - "type": "string", - "metadata": { - "description": "The name of the Storage Account" - } - }, - "applicationClientId": { - "type": "string", - "metadata": { - "description": "Specify the AD Application Client Id." - } - }, - "applicationClientPrincipalOid": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Specify the AD Application Principal Id." 
- } - }, - "softwareRepository": { - "type": "string", - "metadata": { - "description": "Software GIT Repository URL" - } - }, - "softwareBranch": { - "type": "string", - "metadata": { - "description": "Software GIT Repository Branch" - } - }, - "softwareTag": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Software GIT Repository Tag" - } - }, - "clusterIngress": { - "type": "string", - "allowedValues": [ - "Internal", - "External", - "Both" - ], - "metadata": { - "description": "The Cluster Ingress Mode" - } - }, - "clusterAdminIds": { - "type": "array", - "metadata": { - "description": "Optional: Specify the AD Users and/or Groups that can manage the cluster." - } - }, - "serviceCidr": { - "type": "string", - "minLength": 9, - "maxLength": 18, - "metadata": { - "description": "The address range to use for services" - } - }, - "dockerBridgeCidr": { - "type": "string", - "minLength": 9, - "maxLength": 18, - "metadata": { - "description": "The address range to use for the docker bridge" - } - }, - "dnsServiceIP": { - "type": "string", - "minLength": 7, - "maxLength": 15, - "metadata": { - "description": "The IP address to reserve for DNS" - } - }, - "aksSubnetId": { - "type": "string" - }, - "podSubnetId": { - "type": "string", - "defaultValue": "" - }, - "managedIdentityName": { - "type": "string", - "metadata": { - "description": "The managed identity name for deployment scripts" - } - }, - "identityId": { - "type": "string", - "metadata": { - "description": "The user managed identity for the cluster." - } - }, - "partitionStorageNames": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "The name of the partition storage accounts" - } - }, - "enableSoftwareLoad": { - "type": "bool", - "metadata": { - "description": "Feature Flag to Load Software." 
- } - }, - "enableMonitoring": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Feature Flag to Enable Managed Observability." - } - }, - "appSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/appConfigItem" - } - } - }, - "variables": { - "serviceLayerConfig": { - "cluster": { - "aksVersion": "1.28", - "meshVersion": "asm-1-19", - "networkPlugin": "[parameters('networkPlugin')]" - }, - "gitops": { - "name": "flux-system", - "url": "[if(equals(parameters('softwareRepository'), ''), 'https://github.com/azure/osdu-developer', parameters('softwareRepository'))]", - "branch": "[if(equals(parameters('softwareBranch'), ''), '', parameters('softwareBranch'))]", - "tag": "[if(and(equals(parameters('softwareTag'), ''), equals(parameters('softwareBranch'), '')), 'v0.10.0', parameters('softwareTag'))]", - "components": "./stamp/components", - "applications": "./stamp/applications" - } - }, - "elasticPoolPresets": { - "CostOptimised": { - "vmSize": "Standard_DS3_v2" - }, - "Standard": { - "vmSize": "Standard_DS4_v2" - }, - "HighSpec": { - "vmSize": "Standard_DS5_v2" - } - }, - "configMaps": { - "appConfigTemplate": "values.yaml: |\n serviceAccount:\n create: false\n name: \"workload-identity-sa\"\n azure:\n tenantId: {0}\n clientId: {1}\n configEndpoint: {2}\n keyvaultUri: {3}\n keyvaultName: {4}\n appId: {5}\n appOid: {6}\n " - }, - "name": "[format('amw{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" - }, - "resources": { - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "2927652339165424940" + }, + "name": "Service Bus Namespaces", + "description": "This module deploys a Service Bus Namespace.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + 
"systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "privateLinkServiceConnectionName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private link connection to create." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. 
The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "isManualConnection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. If Manual Private Link Connection is required." + } + }, + "manualConnectionRequestMessage": { + "type": "string", + "nullable": true, + "maxLength": 140, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. 
Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "resourceGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource." + } + } + } + }, + "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." 
+ } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. 
The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true + }, + "skuType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "allowedValues": [ + "Basic", + "Premium", + "Standard" + ], + "metadata": { + "description": "Required. Name of this SKU. - Basic, Standard, Premium." + } + }, + "capacity": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The specified messaging units for the tier. Only used for Premium Sku tier." + } + } + } + }, + "authorizationRuleType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the authorization rule." + } + }, + "rights": { + "type": "array", + "allowedValues": [ + "Listen", + "Manage", + "Send" + ], + "nullable": true, + "metadata": { + "description": "Optional. The rights associated with the rule." + } + } + } + } + }, + "disasterRecoveryConfigType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the disaster recovery config." + } + }, + "alternateName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing." + } + }, + "partnerNamespace": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." + } + } + }, + "nullable": true + }, + "migrationConfigurationsType": { + "type": "object", + "properties": { + "postMigrationName": { + "type": "string", + "metadata": { + "description": "Required. Name to access Standard Namespace after migration." + } + }, + "targetNamespace": { + "type": "string", + "metadata": { + "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration." + } + } + }, + "nullable": true + }, + "networkRuleSetType": { + "type": "object", + "properties": { + "publicNetworkAccess": { + "type": "string", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "nullable": true, + "metadata": { + "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." + } + }, + "defaultAction": { + "type": "string", + "allowedValues": [ + "Allow", + "Deny" + ], + "nullable": true, + "metadata": { + "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." + } + }, + "trustedServiceAccessEnabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"." + } + }, + "ipRules": { + "type": "array", + "items": { + "type": "object", + "properties": { + "action": { + "type": "string", + "allowedValues": [ + "Allow", + "Deny" + ], + "metadata": { + "description": "Required. The IP filter action." + } + }, + "ipMask": { + "type": "string", + "metadata": { + "description": "Required. 
The IP mask." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + } + }, + "virtualNetworkRules": { + "type": "array", + "items": { + "type": "object", + "properties": { + "ignoreMissingVnetServiceEndpoint": { + "type": "bool", + "metadata": { + "description": "Required. The virtual network rule name." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ID of the subnet." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + } + } + }, + "nullable": true + }, + "queueType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the queue." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." + } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Queue/Topic name to forward the Dead Letter message." + } + }, + "forwardTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Queue/Topic name to forward the messages." + } + }, + "maxMessageSizeInKilobytes": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." 
+ } + }, + "authorizationRules": { + "$ref": "#/definitions/authorizationRuleType", + "nullable": true, + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus Queue." + } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "enableBatchedOperations": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Value that indicates whether server-side batched operations are enabled." + } + }, + "enableExpress": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium." + } + }, + "enablePartitioning": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." 
+ } + }, + "lockDuration": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." + } + }, + "maxDeliveryCount": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." + } + }, + "maxSizeInMegabytes": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024." + } + }, + "requiresDuplicateDetection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value indicating if this queue requires duplicate detection." + } + }, + "requiresSession": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the queue supports the concept of sessions." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "status": { + "type": "string", + "allowedValues": [ + "Active", + "Creating", + "Deleting", + "Disabled", + "ReceiveDisabled", + "Renaming", + "Restoring", + "SendDisabled", + "Unknown" + ], + "nullable": true, + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." + } + } + } + }, + "nullable": true + }, + "topicType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. 
The name of the topic." + } + }, + "authorizationRules": { + "$ref": "#/definitions/authorizationRuleType", + "nullable": true, + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus Topic." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "enableBatchedOperations": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Value that indicates whether server-side batched operations are enabled." + } + }, + "enableExpress": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium." + } + }, + "enablePartitioning": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." 
+ } + }, + "maxMessageSizeInKilobytes": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024." + } + }, + "maxSizeInMegabytes": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024." + } + }, + "requiresDuplicateDetection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value indicating if this topic requires duplicate detection." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "status": { + "type": "string", + "allowedValues": [ + "Active", + "Creating", + "Deleting", + "Disabled", + "ReceiveDisabled", + "Renaming", + "Restoring", + "SendDisabled", + "Unknown" + ], + "nullable": true, + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." + } + }, + "supportOrdering": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Value that indicates whether the topic supports ordering." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the service bus namespace topic subscription." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes." 
+ } + }, + "clientAffineProperties": { + "type": "object", + "properties": { + "clientId": { + "type": "string", + "metadata": { + "description": "Required. Indicates the Client ID of the application that created the client-affine subscription." + } + }, + "isDurable": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not." + } + }, + "isShared": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not." + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The properties that are associated with a subscription that is client-affine." + } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." + } + }, + "deadLetteringOnFilterEvaluationExceptions": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "enableBatchedOperations": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether server-side batched operations are enabled." 
+ } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "forwardTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "isClientAffine": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "lockDuration": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." + } + }, + "maxDeliveryCount": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10." + } + }, + "requiresSession": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "status": { + "type": "string", + "allowedValues": [ + "Active", + "Creating", + "Deleting", + "Disabled", + "ReceiveDisabled", + "Renaming", + "Restoring", + "SendDisabled", + "Unknown" + ], + "nullable": true, + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The subscriptions of the topic." 
+ } + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "maxLength": 260, + "metadata": { + "description": "Required. Name of the Service Bus Namespace." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "skuObject": { + "$ref": "#/definitions/skuType", + "metadata": { + "description": "Required. The SKU of the Service Bus Namespace." + } + }, + "zoneRedundant": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones." + } + }, + "minimumTlsVersion": { + "type": "string", + "defaultValue": "1.2", + "allowedValues": [ + "1.0", + "1.1", + "1.2" + ], + "metadata": { + "description": "Optional. The minimum TLS version for the cluster to support." + } + }, + "alternateName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Alternate name for namespace." + } + }, + "premiumMessagingPartitions": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4." + } + }, + "authorizationRules": { + "$ref": "#/definitions/authorizationRuleType", + "defaultValue": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + ], + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus namespace." + } + }, + "migrationConfiguration": { + "$ref": "#/definitions/migrationConfigurationsType", + "metadata": { + "description": "Optional. The migration configuration." 
+ } + }, + "disasterRecoveryConfig": { + "$ref": "#/definitions/disasterRecoveryConfigType", + "metadata": { + "description": "Optional. The disaster recovery configuration." + } + }, + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", + "metadata": { + "description": "Optional. The diagnostic settings of the service." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "metadata": { + "description": "Optional. The managed identity definition for this resource." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "Disabled", + "Enabled", + "SecuredByPerimeter" + ], + "metadata": { + "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." + } + }, + "privateEndpoints": { + "$ref": "#/definitions/privateEndpointType", + "metadata": { + "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." + } + }, + "networkRuleSets": { + "$ref": "#/definitions/networkRuleSetType", + "nullable": true, + "metadata": { + "description": "Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." + } + }, + "disableLocalAuth": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. 
This property disables SAS authentication for the Service Bus namespace." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "queues": { + "$ref": "#/definitions/queueType", + "nullable": true, + "metadata": { + "description": "Optional. The queues to create in the service bus namespace." + } + }, + "topics": { + "$ref": "#/definitions/topicType", + "nullable": true, + "metadata": { + "description": "Optional. The topics to create in the service bus namespace." + } + }, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", + "metadata": { + "description": "Optional. The customer managed key definition." + } + }, + "requireInfrastructureEncryption": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters." 
+ } + } + }, + "variables": { + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access 
Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.servicebus-namespace.{0}.{1}', replace('0.4.2', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", 
+ "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + }, + "serviceBusNamespace": { + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuObject').name]", + "capacity": "[tryGet(parameters('skuObject'), 'capacity')]" + }, + "identity": "[variables('identity')]", + "properties": { + "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', 'Enabled'))]", + "minimumTlsVersion": "[parameters('minimumTlsVersion')]", + "alternateName": "[parameters('alternateName')]", + "zoneRedundant": "[parameters('zoneRedundant')]", + "disableLocalAuth": "[parameters('disableLocalAuth')]", + "premiumMessagingPartitions": "[if(equals(parameters('skuObject').name, 'Premium'), parameters('premiumMessagingPartitions'), 0)]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 
'keyVaultProperties', createArray(createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] + }, + "serviceBusNamespace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_diagnosticSettings": { + "copy": { + "name": "serviceBusNamespace_diagnosticSettings", + 
"count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), 
createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_roleAssignments": { + "copy": { + "name": "serviceBusNamespace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_authorizationRules": { + "copy": { + "name": "serviceBusNamespace_authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-AuthorizationRules-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('authorizationRules')[copyIndex()].name]" + }, + "rights": { + "value": "[tryGet(parameters('authorizationRules')[copyIndex()], 'rights')]" + } 
+ }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "15856701624247874001" + }, + "name": "Service Bus Namespace Authorization Rules", + "description": "This module deploys a Service Bus Namespace Authorization Rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the authorization rule." + } + }, + "rights": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Listen", + "Manage", + "Send" + ], + "metadata": { + "description": "Optional. The rights associated with the rule." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", + "properties": { + "rights": "[parameters('rights')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the authorization rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the authorization rule." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', parameters('namespaceName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the authorization rule was created in." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_disasterRecoveryConfig": { + "condition": "[not(empty(parameters('disasterRecoveryConfig')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-DisasterRecoveryConfig', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(tryGet(parameters('disasterRecoveryConfig'), 'name'), 'default')]" + }, + "alternateName": { + "value": "[tryGet(parameters('disasterRecoveryConfig'), 'alternateName')]" + }, + "partnerNamespaceResourceID": { + "value": "[tryGet(parameters('disasterRecoveryConfig'), 'partnerNamespace')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "3332271240583753856" + }, + "name": "Service Bus Namespace Disaster Recovery Configs", + "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Optional. The name of the disaster recovery config." + } + }, + "alternateName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
Primary/Secondary eventhub namespace name, which is part of GEO DR pairing." + } + }, + "partnerNamespaceResourceID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", + "properties": { + "alternateName": "[parameters('alternateName')]", + "partnerNamespace": "[parameters('partnerNamespaceResourceID')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the disaster recovery config." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the disaster recovery config." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs', parameters('namespaceName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the disaster recovery config was created in." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_migrationConfigurations": { + "condition": "[not(empty(coalesce(parameters('migrationConfiguration'), createObject())))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-MigrationConfigurations', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "postMigrationName": { + "value": "[parameters('migrationConfiguration').postMigrationName]" + }, + "targetNamespaceResourceId": { + "value": "[parameters('migrationConfiguration').targetNamespace]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "3812335497838251447" + }, + "name": "Service Bus Namespace Migration Configuration", + "description": "This module deploys a Service Bus Namespace Migration Configuration.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." + } + }, + "postMigrationName": { + "type": "string", + "metadata": { + "description": "Required. Name to access Standard Namespace after migration." + } + }, + "targetNamespaceResourceId": { + "type": "string", + "metadata": { + "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), '$default')]", + "properties": { + "targetNamespace": "[parameters('targetNamespaceResourceId')]", + "postMigrationName": "[parameters('postMigrationName')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the migration configuration." + }, + "value": "$default" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the migration configuration." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/migrationConfigurations', parameters('namespaceName'), '$default')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the migration configuration was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_networkRuleSet": { + "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkRuleSet', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "publicNetworkAccess": { + "value": "[coalesce(tryGet(parameters('networkRuleSets'), 'publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', 'Enabled'))]" + }, + "defaultAction": { + "value": "[coalesce(tryGet(parameters('networkRuleSets'), 'defaultAction'), 'Allow')]" + }, + "trustedServiceAccessEnabled": { + "value": "[coalesce(tryGet(parameters('networkRuleSets'), 
'trustedServiceAccessEnabled'), true())]" + }, + "ipRules": { + "value": "[coalesce(tryGet(parameters('networkRuleSets'), 'ipRules'), createArray())]" + }, + "virtualNetworkRules": { + "value": "[coalesce(tryGet(parameters('networkRuleSets'), 'virtualNetworkRules'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "7745744247225628529" + }, + "name": "Service Bus Namespace Network Rule Sets", + "description": "This module deploys a ServiceBus Namespace Network Rule Set.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment." + } + }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied." + } + }, + "defaultAction": { + "type": "string", + "defaultValue": "Allow", + "allowedValues": [ + "Allow", + "Deny" + ], + "metadata": { + "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used." + } + }, + "trustedServiceAccessEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. 
Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"." + } + }, + "virtualNetworkRules": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + } + }, + "ipRules": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + } + } + }, + "variables": { + "copy": [ + { + "name": "networkRules", + "count": "[length(parameters('virtualNetworkRules'))]", + "input": { + "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]", + "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]" + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/networkRuleSets", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", + "properties": { + "publicNetworkAccess": "[parameters('publicNetworkAccess')]", + "defaultAction": "[if(equals(parameters('publicNetworkAccess'), 'Enabled'), if(or(not(empty(parameters('ipRules'))), not(empty(parameters('virtualNetworkRules')))), 'Deny', parameters('defaultAction')), null())]", + "trustedServiceAccessEnabled": "[if(equals(parameters('publicNetworkAccess'), 'Enabled'), parameters('trustedServiceAccessEnabled'), null())]", + "ipRules": 
"[if(equals(parameters('publicNetworkAccess'), 'Enabled'), parameters('ipRules'), null())]", + "virtualNetworkRules": "[if(equals(parameters('publicNetworkAccess'), 'Enabled'), variables('networkRules'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the network rule set." + }, + "value": "default" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the network rule set." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/networkRuleSets', parameters('namespaceName'), 'default')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the network rule set was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_queues": { + "copy": { + "name": "serviceBusNamespace_queues", + "count": "[length(coalesce(parameters('queues'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Queue-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('queues'), createArray())[copyIndex()].name]" + }, + "autoDeleteOnIdle": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'autoDeleteOnIdle')]" + }, + "forwardDeadLetteredMessagesTo": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'forwardDeadLetteredMessagesTo')]" + }, + "forwardTo": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'forwardTo')]" + }, + "maxMessageSizeInKilobytes": { + "value": "[tryGet(coalesce(parameters('queues'), 
createArray())[copyIndex()], 'maxMessageSizeInKilobytes')]" + }, + "authorizationRules": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'authorizationRules')]" + }, + "deadLetteringOnMessageExpiration": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'deadLetteringOnMessageExpiration')]" + }, + "defaultMessageTimeToLive": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'defaultMessageTimeToLive')]" + }, + "duplicateDetectionHistoryTimeWindow": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'duplicateDetectionHistoryTimeWindow')]" + }, + "enableBatchedOperations": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'enableBatchedOperations')]" + }, + "enableExpress": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'enableExpress')]" + }, + "enablePartitioning": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'enablePartitioning')]" + }, + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "lockDuration": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'lockDuration')]" + }, + "maxDeliveryCount": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'maxDeliveryCount')]" + }, + "maxSizeInMegabytes": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'maxSizeInMegabytes')]" + }, + "requiresDuplicateDetection": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'requiresDuplicateDetection')]" + }, + "requiresSession": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'requiresSession')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 
'roleAssignments')]" + }, + "status": { + "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'status')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "6465956085720113527" + }, + "name": "Service Bus Namespace Queue", + "description": "This module deploys a Service Bus Namespace Queue.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." 
+ } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Required. Name of the Service Bus Queue." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." + } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Queue/Topic name to forward the Dead Letter message." + } + }, + "forwardTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Queue/Topic name to forward the messages." 
+ } + }, + "lockDuration": { + "type": "string", + "defaultValue": "PT1M", + "metadata": { + "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." + } + }, + "maxSizeInMegabytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024." + } + }, + "requiresDuplicateDetection": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value indicating if this queue requires duplicate detection." + } + }, + "requiresSession": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the queue supports the concept of sessions." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "defaultValue": "P14D", + "metadata": { + "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." + } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires." + } + }, + "enableBatchedOperations": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Value that indicates whether server-side batched operations are enabled." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "defaultValue": "PT10M", + "metadata": { + "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. 
The default value is 10 minutes." + } + }, + "maxDeliveryCount": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." + } + }, + "maxMessageSizeInKilobytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." + } + }, + "status": { + "type": "string", + "defaultValue": "Active", + "allowedValues": [ + "Active", + "Disabled", + "Restoring", + "SendDisabled", + "ReceiveDisabled", + "Creating", + "Deleting", + "Renaming", + "Unknown" + ], + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." + } + }, + "enablePartitioning": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers." + } + }, + "enableExpress": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium." + } + }, + "authorizationRules": { + "type": "array", + "defaultValue": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ], + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus Queue." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." 
+ } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + } + }, + "variables": { + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "queue": { + "type": "Microsoft.ServiceBus/namespaces/queues", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", + "properties": { + "autoDeleteOnIdle": "[if(not(empty(parameters('autoDeleteOnIdle'))), parameters('autoDeleteOnIdle'), null())]", + "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", + "deadLetteringOnMessageExpiration": 
"[parameters('deadLetteringOnMessageExpiration')]", + "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", + "enableBatchedOperations": "[parameters('enableBatchedOperations')]", + "enableExpress": "[parameters('enableExpress')]", + "enablePartitioning": "[parameters('enablePartitioning')]", + "forwardDeadLetteredMessagesTo": "[if(not(empty(parameters('forwardDeadLetteredMessagesTo'))), parameters('forwardDeadLetteredMessagesTo'), null())]", + "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", + "lockDuration": "[parameters('lockDuration')]", + "maxDeliveryCount": "[parameters('maxDeliveryCount')]", + "maxMessageSizeInKilobytes": "[if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", + "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", + "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", + "requiresSession": "[parameters('requiresSession')]", + "status": "[parameters('status')]" + }, + "dependsOn": [ + "namespace" + ] + }, + "queue_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "queue" + ] + }, + "queue_roleAssignments": { + "copy": { + "name": "queue_roleAssignments", + "count": 
"[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "queue" + ] + }, + "queue_authorizationRules": { + "copy": { + "name": "queue_authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('namespaceName')]" + }, + "queueName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('authorizationRules')[copyIndex()].name]" + }, + "rights": { + "value": "[coalesce(tryGet(parameters('authorizationRules')[copyIndex()], 'rights'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "11000394867797752922" + }, + "name": "Service Bus Namespace Queue Authorization Rules", + "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the service bus namepace queue." + } + }, + "namespaceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." + } + }, + "queueName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment." 
+ } + }, + "rights": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Listen", + "Manage", + "Send" + ], + "metadata": { + "description": "Optional. The rights associated with the rule." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", + "properties": { + "rights": "[parameters('rights')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the authorization rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the authorization rule." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', parameters('namespaceName'), parameters('queueName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the authorization rule was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "queue" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed queue." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed queue." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed queue." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_topics": { + "copy": { + "name": "serviceBusNamespace_topics", + "count": "[length(coalesce(parameters('topics'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Topic-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('topics'), createArray())[copyIndex()].name]" + }, + "authorizationRules": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'authorizationRules')]" + }, + "autoDeleteOnIdle": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'autoDeleteOnIdle')]" + }, + "defaultMessageTimeToLive": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'defaultMessageTimeToLive')]" + }, + "duplicateDetectionHistoryTimeWindow": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'duplicateDetectionHistoryTimeWindow')]" + }, + "enableBatchedOperations": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'enableBatchedOperations')]" + }, + "enableExpress": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'enableExpress')]" + }, + "enablePartitioning": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'enablePartitioning')]" + }, + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "maxMessageSizeInKilobytes": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'maxMessageSizeInKilobytes')]" + 
}, + "requiresDuplicateDetection": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'requiresDuplicateDetection')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "status": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'status')]" + }, + "supportOrdering": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'supportOrdering')]" + }, + "subscriptions": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'subscriptions')]" + }, + "maxSizeInMegabytes": { + "value": "[tryGet(coalesce(parameters('topics'), createArray())[copyIndex()], 'maxSizeInMegabytes')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "10365585985239248264" + }, + "name": "Service Bus Namespace Topic", + "description": "This module deploys a Service Bus Namespace Topic.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "subscriptionsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the service bus namespace topic subscription." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. 
The minimum duration is 5 minutes." + } + }, + "clientAffineProperties": { + "type": "object", + "properties": { + "clientId": { + "type": "string", + "metadata": { + "description": "Required. Indicates the Client ID of the application that created the client-affine subscription." + } + }, + "isDurable": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not." + } + }, + "isShared": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not." + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The properties that are associated with a subscription that is client-affine." + } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." + } + }, + "deadLetteringOnFilterEvaluationExceptions": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "enableBatchedOperations": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether server-side batched operations are enabled." 
+ } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "forwardTo": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "isClientAffine": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "lockDuration": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." + } + }, + "maxDeliveryCount": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10." + } + }, + "requiresSession": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "status": { + "type": "string", + "allowedValues": [ + "Active", + "Creating", + "Deleting", + "Disabled", + "ReceiveDisabled", + "Renaming", + "Restoring", + "SendDisabled", + "Unknown" + ], + "nullable": true, + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." 
+ } + } + } + }, + "nullable": true + } + }, + "parameters": { + "namespaceName": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "minLength": 1, + "maxLength": 260, + "metadata": { + "description": "Required. Name of the Service Bus Topic." + } + }, + "maxSizeInMegabytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024." + } + }, + "requiresDuplicateDetection": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. A value indicating if this topic requires duplicate detection." + } + }, + "defaultMessageTimeToLive": { + "type": "string", + "defaultValue": "P14D", + "metadata": { + "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself." + } + }, + "enableBatchedOperations": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Value that indicates whether server-side batched operations are enabled." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "defaultValue": "PT10M", + "metadata": { + "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "maxMessageSizeInKilobytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. 
This property is only used in Premium today and default is 1024. This property is only used if the `service-bus/namespace` sku is Premium." + } + }, + "supportOrdering": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Value that indicates whether the topic supports ordering." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes." + } + }, + "status": { + "type": "string", + "defaultValue": "Active", + "allowedValues": [ + "Active", + "Disabled", + "Restoring", + "SendDisabled", + "ReceiveDisabled", + "Creating", + "Deleting", + "Renaming", + "Unknown" + ], + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown." + } + }, + "enablePartitioning": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers." + } + }, + "enableExpress": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium." + } + }, + "authorizationRules": { + "type": "array", + "defaultValue": [ + { + "name": "RootManageSharedAccessKey", + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + } + ], + "metadata": { + "description": "Optional. Authorization Rules for the Service Bus Topic." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." 
+ } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "subscriptions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The subscriptions of the topic." + } + } + }, + "variables": { + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "topic": { + "type": "Microsoft.ServiceBus/namespaces/topics", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", + "properties": "[union(createObject('autoDeleteOnIdle', parameters('autoDeleteOnIdle'), 'defaultMessageTimeToLive', 
parameters('defaultMessageTimeToLive'), 'duplicateDetectionHistoryTimeWindow', parameters('duplicateDetectionHistoryTimeWindow'), 'enableBatchedOperations', parameters('enableBatchedOperations'), 'enablePartitioning', parameters('enablePartitioning'), 'requiresDuplicateDetection', parameters('requiresDuplicateDetection'), 'status', parameters('status'), 'supportOrdering', parameters('supportOrdering'), 'maxSizeInMegabytes', parameters('maxSizeInMegabytes')), if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), createObject('enableExpress', parameters('enableExpress'), 'maxMessageSizeInKilobytes', parameters('maxMessageSizeInKilobytes')), createObject()))]", + "dependsOn": [ + "namespace" + ] + }, + "topic_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "topic" + ] + }, + "topic_roleAssignments": { + "copy": { + "name": "topic_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "topic" + ] + }, + "topic_authorizationRules": { + "copy": { + "name": "topic_authorizationRules", + "count": "[length(parameters('authorizationRules'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2022-09-01", + "name": "[format('{0}-AuthRule-{1}', deployment().name, copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "namespaceName": { + "value": "[parameters('namespaceName')]" + }, + "topicName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('authorizationRules')[copyIndex()].name]" + }, + "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "8469884519860433031" + }, + "name": "Service Bus Namespace Topic Authorization Rules", + "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the service bus namespace topic." + } + }, + "namespaceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." + } + }, + "topicName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment." + } + }, + "rights": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Listen", + "Manage", + "Send" + ], + "metadata": { + "description": "Optional. The rights associated with the rule." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", + "apiVersion": "2022-10-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", + "properties": { + "rights": "[parameters('rights')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the authorization rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the authorization rule." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules', parameters('namespaceName'), parameters('topicName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the authorization rule was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "topic" + ] + }, + "topic_subscription": { + "copy": { + "name": "topic_subscription", + "count": "[length(coalesce(parameters('subscriptions'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-subscription-{1}', deployment().name, copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('subscriptions'), createArray())[copyIndex()].name]" + }, + "namespaceName": { + "value": "[parameters('namespaceName')]" + }, + "topicName": { + "value": "[parameters('name')]" + }, + "autoDeleteOnIdle": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'autoDeleteOnIdle'), 'PT1H')]" + }, + "defaultMessageTimeToLive": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'defaultMessageTimeToLive'), 'P14D')]" + }, + 
"duplicateDetectionHistoryTimeWindow": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'duplicateDetectionHistoryTimeWindow'), 'PT10M')]" + }, + "enableBatchedOperations": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'enableBatchedOperations'), true())]" + }, + "clientAffineProperties": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'clientAffineProperties'), createObject())]" + }, + "deadLetteringOnFilterEvaluationExceptions": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'deadLetteringOnFilterEvaluationExceptions'), true())]" + }, + "deadLetteringOnMessageExpiration": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'deadLetteringOnMessageExpiration'), false())]" + }, + "forwardDeadLetteredMessagesTo": { + "value": "[tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'forwardDeadLetteredMessagesTo')]" + }, + "forwardTo": { + "value": "[tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'forwardTo')]" + }, + "isClientAffine": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'isClientAffine'), false())]" + }, + "lockDuration": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'lockDuration'), 'PT1M')]" + }, + "maxDeliveryCount": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'maxDeliveryCount'), 10)]" + }, + "requiresSession": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'requiresSession'), false())]" + }, + "status": { + "value": "[coalesce(tryGet(coalesce(parameters('subscriptions'), createArray())[copyIndex()], 'status'), 'Active')]" + } + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "14842378053022621119" + }, + "name": "Service Bus Namespace Topic Subscription", + "description": "This module deploys a Service Bus Namespace Topic Subscription.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the service bus namespace topic subscription." + } + }, + "namespaceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment." + } + }, + "topicName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment." + } + }, + "autoDeleteOnIdle": { + "type": "string", + "defaultValue": "PT1H", + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the subscription is automatically deleted. The minimum duration is 5 minutes." + } + }, + "clientAffineProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The properties that are associated with a subscription that is client-affine." + } + }, + "deadLetteringOnFilterEvaluationExceptions": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." + } + }, + "deadLetteringOnMessageExpiration": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires." 
+ } + }, + "defaultMessageTimeToLive": { + "type": "string", + "defaultValue": "P10675199DT2H48M5.4775807S", + "metadata": { + "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes." + } + }, + "duplicateDetectionHistoryTimeWindow": { + "type": "string", + "defaultValue": "PT10M", + "metadata": { + "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes." + } + }, + "enableBatchedOperations": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. A value that indicates whether server-side batched operations are enabled." + } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "forwardTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to." + } + }, + "isClientAffine": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "lockDuration": { + "type": "string", + "defaultValue": "PT1M", + "metadata": { + "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute." + } + }, + "maxDeliveryCount": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10." 
+ } + }, + "requiresSession": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A value that indicates whether the subscription supports the concept of session." + } + }, + "status": { + "type": "string", + "defaultValue": "Active", + "allowedValues": [ + "Active", + "Creating", + "Deleting", + "Disabled", + "ReceiveDisabled", + "Renaming", + "Restoring", + "SendDisabled", + "Unknown" + ], + "metadata": { + "description": "Optional. Enumerates the possible values for the status of a messaging entity." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceBus/namespaces/topics/subscriptions", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", + "properties": { + "autoDeleteOnIdle": "[parameters('autoDeleteOnIdle')]", + "clientAffineProperties": "[parameters('clientAffineProperties')]", + "deadLetteringOnFilterEvaluationExceptions": "[parameters('deadLetteringOnFilterEvaluationExceptions')]", + "deadLetteringOnMessageExpiration": "[parameters('deadLetteringOnMessageExpiration')]", + "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", + "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", + "enableBatchedOperations": "[parameters('enableBatchedOperations')]", + "forwardDeadLetteredMessagesTo": "[parameters('forwardDeadLetteredMessagesTo')]", + "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", + "isClientAffine": "[parameters('isClientAffine')]", + "lockDuration": "[parameters('lockDuration')]", + "maxDeliveryCount": "[parameters('maxDeliveryCount')]", + "requiresSession": "[parameters('requiresSession')]", + "status": "[parameters('status')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the topic subscription." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the topic subscription." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/subscriptions', parameters('namespaceName'), parameters('topicName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Resource Group the topic subscription was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "namespace", + "topic" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed topic." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed topic." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed topic." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, + "serviceBusNamespace_privateEndpoints": { + "copy": { + "name": "serviceBusNamespace_privateEndpoints", + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-serviceBusNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "resourceGroup": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupName'), '')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" + }, + "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')))))), createObject('value', null()))]", + 
"manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", + "subnetResourceId": { + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" + }, + "enableTelemetry": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableTelemetry'), parameters('enableTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" + }, + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": 
"[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "4120048060064073955" + }, + "name": "Private Endpoints", + "description": "This module deploys a Private Endpoint.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
+ } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." 
+ } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "manualPrivateLinkServiceConnectionsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + } + }, + "nullable": true + }, + "privateLinkServiceConnectionsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." 
+ } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the private endpoint resource to create." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." 
+ } + }, + "ipConfigurations": { + "$ref": "#/definitions/ipConfigurationsType", + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "customDnsConfigs": { + "$ref": "#/definitions/customDnsConfigType", + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "manualPrivateLinkServiceConnections": { + "$ref": "#/definitions/manualPrivateLinkServiceConnectionsType", + "metadata": { + "description": "Optional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource." + } + }, + "privateLinkServiceConnections": { + "$ref": "#/definitions/privateLinkServiceConnectionsType", + "metadata": { + "description": "Optional. 
A grouping of information about the connection to the remote resource." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.4.1', '.', '-'), substring(uniqueString(deployment().name, 
parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "privateEndpoint": { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", + "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + } + }, + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": 
"[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + 
"conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, + "privateDNSResourceIds": { + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" + }, + "privateEndpointName": { + "value": "[parameters('name')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "11244630631275470040" + }, + "name": "Private Endpoint Private DNS Zone Groups", + "description": "This module deploys a Private Endpoint Private DNS Zone Group.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "privateEndpointName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." + } + }, + "privateDNSResourceIds": { + "type": "array", + "minLength": 1, + "maxLength": 5, + "metadata": { + "description": "Required. Array of private DNS zone resource IDs. 
A DNS zone group can support up to 5 DNS zones." + } + }, + "name": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Optional. The name of the private DNS zone group." + } + } + }, + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(parameters('privateDNSResourceIds'))]", + "input": { + "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-04-01", + "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", + "properties": { + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint DNS zone group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint DNS zone group." + }, + "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint DNS zone group was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "privateEndpoint" + ] + } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint." 
+ }, + "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" + }, + "groupId": { + "type": "string", + "metadata": { + "description": "The group Id for the private endpoint Group." + }, + "value": "[if(not(empty(reference('privateEndpoint').manualPrivateLinkServiceConnections)), reference('privateEndpoint').manualPrivateLinkServiceConnections[0].properties.groupIds[0], reference('privateEndpoint').privateLinkServiceConnections[0].properties.groupIds[0])]" + } + } + } + }, + "dependsOn": [ + "serviceBusNamespace" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed service bus namespace." + }, + "value": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed service bus namespace." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed service bus namespace." + }, + "value": "[parameters('name')]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[coalesce(tryGet(tryGet(reference('serviceBusNamespace', '2022-10-01-preview', 'full'), 'identity'), 'principalId'), '')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference('serviceBusNamespace', '2022-10-01-preview', 'full').location]" + } + } + } + } + } + }, + "outputs": { + "partitionStorageNames": { + "type": "array", + "items": { + "type": "string" + }, + "copy": { + "count": "[length(parameters('partitions'))]", + "input": "[reference(format('partitionStorage[{0}]', copyIndex())).outputs.name.value]" + } + }, + "partitionServiceBusNames": { + "type": "array", + "items": { + "type": "string" + }, + "copy": { + "count": "[length(parameters('partitions'))]", + "input": "[reference(format('partitonNamespace[{0}]', copyIndex())).outputs.name.value]" + } + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'common-blade')]", + "[resourceId('Microsoft.Resources/deployments', format('{0}-log-analytics', variables('configuration').name))]", + "[resourceId('Microsoft.Resources/deployments', 'network-blade')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "service-blade", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "bladeConfig": { + "value": { + "sectionName": "serviceblade", + "displayName": "Service Resources" + } + }, + "tags": { + "value": { + "id": "[variables('rg_unique_id')]" + } + }, + "location": { + "value": "[parameters('location')]" + }, + "enableTelemetry": { + "value": "[variables('enableTelemetry')]" + }, + "enableSoftwareLoad": { + "value": "[parameters('clusterSoftware').enable]" + }, + "applicationClientId": { + "value": "[parameters('applicationClientId')]" + }, + "applicationClientPrincipalOid": { + "value": "[parameters('applicationClientPrincipalOid')]" + }, + "workspaceResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-log-analytics', variables('configuration').name)), '2022-09-01').outputs.resourceId.value]" + }, + "identityId": "[if(variables('enableVnetInjection'), 
createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.networkConfiguration.value.identityId), createObject('value', reference(resourceId('Microsoft.Resources/deployments', format('{0}-user-managed-identity', variables('configuration').name)), '2022-09-01').outputs.resourceId.value))]", + "managedIdentityName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-user-managed-identity', variables('configuration').name)), '2022-09-01').outputs.name.value]" + }, + "kvName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.keyvaultName.value]" + }, + "kvUri": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.keyvaultUri.value]" + }, + "storageName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.storageAccountName.value]" + }, + "partitionStorageNames": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'partition-blade'), '2022-09-01').outputs.partitionStorageNames.value]" + }, + "partitionServiceBusNames": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'partition-blade'), '2022-09-01').outputs.partitionServiceBusNames.value]" + }, + "aksSubnetId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.aksSubnetId.value]" + }, + "podSubnetId": "[if(parameters('enablePodSubnet'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'network-blade'), '2022-09-01').outputs.podSubnetId.value), createObject('value', ''))]", + "clusterSize": { + "value": "[parameters('tier')]" + }, + "clusterAdminIds": { + "value": "[parameters('clusterAdminIds')]" + }, + "clusterIngress": "[if(equals(parameters('clusterNetwork').ingress, ''), createObject('value', 'Both'), createObject('value', 
parameters('clusterNetwork').ingress))]", + "serviceCidr": "[if(equals(parameters('clusterNetwork').serviceCidr, ''), createObject('value', '172.16.0.0/16'), createObject('value', parameters('clusterNetwork').serviceCidr))]", + "dnsServiceIP": "[if(equals(parameters('clusterNetwork').dnsServiceIP, ''), createObject('value', '172.16.0.10'), createObject('value', parameters('clusterNetwork').v))]", + "networkPlugin": "[if(parameters('enablePodSubnet'), createObject('value', 'azure'), createObject('value', parameters('clusterNetworkPlugin')))]", + "softwareBranch": { + "value": "[parameters('clusterSoftware').branch]" + }, + "softwareRepository": { + "value": "[parameters('clusterSoftware').repository]" + }, + "softwareTag": { + "value": "[parameters('clusterSoftware').tag]" + }, + "appSettings": { + "value": [ + { + "name": "Settings:StorageAccountName", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'partition-blade'), '2022-09-01').outputs.partitionStorageNames.value[0]]", + "contentType": "text/plain", + "label": "configmap-devsample" + }, + { + "name": "client_id", + "value": "[parameters('applicationClientId')]", + "contentType": "text/plain", + "label": "configmap-services" + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "14108948775829244242" + } + }, + "definitions": { + "bladeSettings": { + "type": "object", + "properties": { + "sectionName": { + "type": "string", + "metadata": { + "description": "The name of the section name" + } + }, + "displayName": { + "type": "string", + "metadata": { + "description": "The display name of the section" + } + } + } + }, + "appConfigItem": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "The App 
Configuration Key" + } + }, + "value": { + "type": "string", + "metadata": { + "description": "The App Configuration Value" + } + }, + "contentType": { + "type": "string", + "metadata": { + "description": "The App Configuration Content Type" + } + }, + "label": { + "type": "string", + "metadata": { + "description": "The App Configuration Label" + } + } + } + } + }, + "parameters": { + "bladeConfig": { + "$ref": "#/definitions/bladeSettings", + "metadata": { + "description": "The configuration for the blade section." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The location of resources to deploy" + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "The tags to apply to the resources" + } + }, + "enableTelemetry": { + "type": "bool", + "metadata": { + "description": "Feature Flag to Enable Telemetry" + } + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "The workspace resource Id for diagnostics" + } + }, + "networkPlugin": { + "type": "string" + }, + "clusterSize": { + "type": "string" + }, + "kvName": { + "type": "string", + "metadata": { + "description": "The name of the Key Vault where the secret exists" + } + }, + "kvUri": { + "type": "string", + "metadata": { + "description": "The Uri of the Key Vault where the secret exists" + } + }, + "storageName": { + "type": "string", + "metadata": { + "description": "The name of the Storage Account" + } + }, + "applicationClientId": { + "type": "string", + "metadata": { + "description": "Specify the AD Application Client Id." + } + }, + "applicationClientPrincipalOid": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Specify the AD Application Principal Id." 
+ } + }, + "softwareRepository": { + "type": "string", + "metadata": { + "description": "Software GIT Repository URL" + } + }, + "softwareBranch": { + "type": "string", + "metadata": { + "description": "Software GIT Repository Branch" + } + }, + "softwareTag": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Software GIT Repository Tag" + } + }, + "clusterIngress": { + "type": "string", + "allowedValues": [ + "Internal", + "External", + "Both" + ], + "metadata": { + "description": "The Cluster Ingress Mode" + } + }, + "clusterAdminIds": { + "type": "array", + "metadata": { + "description": "Optional: Specify the AD Users and/or Groups that can manage the cluster." + } + }, + "serviceCidr": { + "type": "string", + "minLength": 9, + "maxLength": 18, + "metadata": { + "description": "The address range to use for services" + } + }, + "dnsServiceIP": { + "type": "string", + "minLength": 7, + "maxLength": 15, + "metadata": { + "description": "The IP address to reserve for DNS" + } + }, + "aksSubnetId": { + "type": "string" + }, + "podSubnetId": { + "type": "string", + "defaultValue": "" + }, + "managedIdentityName": { + "type": "string", + "metadata": { + "description": "The managed identity name for deployment scripts" + } + }, + "identityId": { + "type": "string", + "metadata": { + "description": "The user managed identity for the cluster." + } + }, + "partitionStorageNames": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "The name of the partition storage accounts" + } + }, + "partitionServiceBusNames": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "The name of the partition service bus namespaces" + } + }, + "enableSoftwareLoad": { + "type": "bool", + "metadata": { + "description": "Feature Flag to Load Software." 
+ } + }, + "enableMonitoring": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Feature Flag to Enable Managed Observability." + } + }, + "appSettings": { + "type": "array", + "items": { + "$ref": "#/definitions/appConfigItem" + } + } + }, + "variables": { + "copy": [ + { + "name": "partitionBusSettings", + "count": "[length(parameters('partitionServiceBusNames'))]", + "input": { + "name": "[format('partition_servicebus_name_{0}', copyIndex('partitionBusSettings'))]", + "value": "[parameters('partitionServiceBusNames')[copyIndex('partitionBusSettings')]]", + "contentType": "text/plain", + "label": "configmap-services" + } + }, + { + "name": "partitionStorageSettings", + "count": "[length(parameters('partitionStorageNames'))]", + "input": { + "name": "[format('partition_storage_name_{0}', copyIndex('partitionStorageSettings'))]", + "value": "[parameters('partitionStorageNames')[copyIndex('partitionStorageSettings')]]", + "contentType": "text/plain", + "label": "configmap-services" + } + } + ], + "serviceLayerConfig": { + "registry": { + "sku": "Basic" + }, + "cluster": { + "aksVersion": "1.28", + "meshVersion": "asm-1-19", + "networkPlugin": "[parameters('networkPlugin')]" + }, + "gitops": { + "name": "flux-system", + "url": "[if(equals(parameters('softwareRepository'), ''), 'https://github.com/azure/osdu-developer', parameters('softwareRepository'))]", + "branch": "[if(equals(parameters('softwareBranch'), ''), '', parameters('softwareBranch'))]", + "tag": "[if(and(equals(parameters('softwareTag'), ''), equals(parameters('softwareBranch'), '')), 'v0.11.0', parameters('softwareTag'))]", + "components": "./stamp/components", + "applications": "./stamp/applications" + } + }, + "elasticPoolPresets": { + "CostOptimised": { + "vmSize": "Standard_DS3_v2" + }, + "Standard": { + "vmSize": "Standard_DS4_v2" + }, + "HighSpec": { + "vmSize": "Standard_DS5_v2" + } + }, + "common_helm_values": [ + { + "name": "AZURE_ISTIOAUTH_ENABLED", + "value": 
"true", + "contentType": "text/plain", + "label": "configmap-common-values" + }, + { + "name": "AZURE_PAAS_PODIDENTITY_ISENABLED", + "value": "false", + "contentType": "text/plain", + "label": "configmap-common-values" + }, + { + "name": "ACCEPT_HTTP", + "value": "true", + "contentType": "text/plain", + "label": "configmap-common-values" + }, + { + "name": "SERVER_PORT", + "value": "80", + "contentType": "text/plain", + "label": "configmap-common-values" + } + ], + "configMaps": { + "appConfigTemplate": "values.yaml: |\n serviceAccount:\n create: false\n name: \"workload-identity-sa\"\n azure:\n tenantId: {0}\n clientId: {1}\n configEndpoint: {2}\n keyvaultUri: {3}\n keyvaultName: {4}\n appId: {5}\n appOid: {6}\n " + }, + "name": "[format('amw{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" + }, + "resources": { + "appIdentity": { + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "name": "[parameters('managedIdentityName')]" + }, + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "[parameters('kvName')]" }, 
@@ -20563,7 +25337,2166 @@ "value": "[parameters('applicationClientId')]" }, "dependsOn": [ - "keyVault" + "keyVault" + ] + }, + "registry": { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-container-registry', parameters('bladeConfig').sectionName)]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[format('{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" + }, + "enableTelemetry": { + "value": "[parameters('enableTelemetry')]" + }, + "diagnosticSettings": { + "value": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]" + } + ] + }, + "acrSku": { + "value": "[variables('serviceLayerConfig').registry.sku]" + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourceIds": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "[reference('appIdentity').principalId]", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "AcrPull" + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "14346813384269118868" + }, + "name": "Azure Container Registries (ACR)", + "description": "This module deploys an Azure Container Registry (ACR).", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + 
"properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." 
+ } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." 
+ } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. 
Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
+ } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." 
+ } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "Required. Name of your Azure Container Registry." + } + }, + "acrAdminUserEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable admin user that have push / pull permission to the registry." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "acrSku": { + "type": "string", + "defaultValue": "Basic", + "allowedValues": [ + "Basic", + "Premium", + "Standard" + ], + "metadata": { + "description": "Optional. Tier of your Azure container registry." + } + }, + "exportPolicyStatus": { + "type": "string", + "defaultValue": "disabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The value that indicates whether the export policy is enabled or not." + } + }, + "quarantinePolicyStatus": { + "type": "string", + "defaultValue": "disabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The value that indicates whether the quarantine policy is enabled or not." + } + }, + "trustPolicyStatus": { + "type": "string", + "defaultValue": "disabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The value that indicates whether the trust policy is enabled or not." + } + }, + "retentionPolicyStatus": { + "type": "string", + "defaultValue": "enabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The value that indicates whether the retention policy is enabled or not." 
+ } + }, + "retentionPolicyDays": { + "type": "int", + "defaultValue": 15, + "metadata": { + "description": "Optional. The number of days to retain an untagged manifest after which it gets purged." + } + }, + "azureADAuthenticationAsArmPolicyStatus": { + "type": "string", + "defaultValue": "enabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled." + } + }, + "softDeletePolicyStatus": { + "type": "string", + "defaultValue": "disabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. Soft Delete policy status. Default is disabled." + } + }, + "softDeletePolicyDays": { + "type": "int", + "defaultValue": 7, + "metadata": { + "description": "Optional. The number of days after which a soft-deleted item is permanently deleted." + } + }, + "dataEndpointEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'." + } + }, + "publicNetworkAccess": { + "type": "string", + "nullable": true, + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'." + } + }, + "networkRuleBypassOptions": { + "type": "string", + "defaultValue": "AzureServices", + "allowedValues": [ + "AzureServices", + "None" + ], + "metadata": { + "description": "Optional. Whether to allow trusted Azure services to access a network restricted registry." 
+ } + }, + "networkRuleSetDefaultAction": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Allow", + "Deny" + ], + "metadata": { + "description": "Optional. The default action of allow or deny when no other rules match." + } + }, + "networkRuleSetIpRules": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'." + } + }, + "privateEndpoints": { + "$ref": "#/definitions/privateEndpointType", + "metadata": { + "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'." + } + }, + "zoneRedundancy": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether or not zone redundancy is enabled for this container registry." + } + }, + "replications": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. All replications to create." + } + }, + "webhooks": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. All webhooks to create." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "metadata": { + "description": "Optional. The managed identity definition for this resource." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", + "metadata": { + "description": "Optional. 
The diagnostic settings of the service." + } + }, + "anonymousPullEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers." + } + }, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", + "metadata": { + "description": "Optional. The customer managed key definition." + } + }, + "cacheRules": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview))." + } + } + }, + "variables": { + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + 
"AcrPull": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), 
coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.containerregistry-registry.{0}.{1}', replace('0.1.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + 
}, + "registry": { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": "[variables('identity')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('acrSku')]" + }, + "properties": { + "anonymousPullEnabled": "[parameters('anonymousPullEnabled')]", + "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()), 'keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", + "policies": { + "azureADAuthenticationAsArmPolicy": { + "status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]" + }, + "exportPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('status', parameters('exportPolicyStatus')), null())]", + "quarantinePolicy": { + "status": "[parameters('quarantinePolicyStatus')]" + }, + "trustPolicy": { + "type": "Notary", + "status": "[parameters('trustPolicyStatus')]" + }, + "retentionPolicy": "[if(equals(parameters('acrSku'), 'Premium'), createObject('days', parameters('retentionPolicyDays'), 'status', parameters('retentionPolicyStatus')), null())]", + "softDeletePolicy": { + "retentionDays": "[parameters('softDeletePolicyDays')]", + "status": "[parameters('softDeletePolicyStatus')]" + } + }, + "dataEndpointEnabled": "[parameters('dataEndpointEnabled')]", + "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), 
if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSetIpRules'))), 'Disabled', null()))]", + "networkRuleBypassOptions": "[parameters('networkRuleBypassOptions')]", + "networkRuleSet": "[if(not(empty(parameters('networkRuleSetIpRules'))), createObject('defaultAction', parameters('networkRuleSetDefaultAction'), 'ipRules', parameters('networkRuleSetIpRules')), null())]", + "zoneRedundancy": "[if(equals(parameters('acrSku'), 'Premium'), parameters('zoneRedundancy'), null())]" + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] + }, + "registry_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "registry" + ] + }, + "registry_diagnosticSettings": { + "copy": { + "name": "registry_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + }, + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "registry" + ] + }, + "registry_roleAssignments": { + "copy": { + "name": "registry_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "registry" + ] + }, + "registry_replications": { + "copy": { + "name": "registry_replications", + "count": "[length(coalesce(parameters('replications'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Registry-Replication-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('replications'), createArray())[copyIndex()].name]" + }, + "registryName": { + "value": "[parameters('name')]" + }, + "location": { + "value": "[coalesce(parameters('replications'), createArray())[copyIndex()].location]" + }, + "regionEndpointEnabled": { + "value": "[tryGet(coalesce(parameters('replications'), createArray())[copyIndex()], 'regionEndpointEnabled')]" + }, + "zoneRedundancy": { + "value": "[tryGet(coalesce(parameters('replications'), createArray())[copyIndex()], 'zoneRedundancy')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('replications'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": 
"1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "10714256463183699741" + }, + "name": "Azure Container Registry (ACR) Replications", + "description": "This module deploys an Azure Container Registry (ACR) Replication.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "registryName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the replication." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "regionEndpointEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications." + } + }, + "zoneRedundancy": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether or not zone redundancy is enabled for this container registry." 
+ } + } + }, + "resources": { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "replication": { + "type": "Microsoft.ContainerRegistry/registries/replications", + "apiVersion": "2023-06-01-preview", + "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "regionEndpointEnabled": "[parameters('regionEndpointEnabled')]", + "zoneRedundancy": "[parameters('zoneRedundancy')]" + }, + "dependsOn": [ + "registry" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the replication." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the replication." + }, + "value": "[resourceId('Microsoft.ContainerRegistry/registries/replications', parameters('registryName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the replication was created in." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference('replication', '2023-06-01-preview', 'full').location]" + } + } + } + }, + "dependsOn": [ + "registry" + ] + }, + "registry_cacheRules": { + "copy": { + "name": "registry_cacheRules", + "count": "[length(coalesce(parameters('cacheRules'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Registry-Cache-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "registryName": { + "value": "[parameters('name')]" + }, + "sourceRepository": { + "value": "[coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository]" + }, + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'name'), replace(replace(coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository, '/', '-'), '.', '-'))]" + }, + "targetRepository": { + "value": "[coalesce(tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'targetRepository'), coalesce(parameters('cacheRules'), createArray())[copyIndex()].sourceRepository)]" + }, + "credentialSetResourceId": { + "value": "[tryGet(coalesce(parameters('cacheRules'), createArray())[copyIndex()], 'credentialSetResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "6942960102258463312" + }, + "name": "Container Registries Cache", + "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. 
Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "registryName": { + "type": "string", + "metadata": { + "description": "Required. The name of the parent registry. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "defaultValue": "[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]", + "metadata": { + "description": "Optional. The name of the cache rule. Will be dereived from the source repository name if not defined." + } + }, + "sourceRepository": { + "type": "string", + "metadata": { + "description": "Required. Source repository pulled from upstream." + } + }, + "targetRepository": { + "type": "string", + "defaultValue": "[parameters('sourceRepository')]", + "metadata": { + "description": "Optional. Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}." + } + }, + "credentialSetResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID of the credential store which is associated with the cache rule." 
+ } + } + }, + "resources": { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "cacheRule": { + "type": "Microsoft.ContainerRegistry/registries/cacheRules", + "apiVersion": "2023-06-01-preview", + "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", + "properties": { + "sourceRepository": "[parameters('sourceRepository')]", + "targetRepository": "[parameters('targetRepository')]", + "credentialSetResourceId": "[parameters('credentialSetResourceId')]" + }, + "dependsOn": [ + "registry" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The Name of the Cache Rule." + }, + "value": "[parameters('name')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Cache Rule." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Cache Rule." 
+ }, + "value": "[resourceId('Microsoft.ContainerRegistry/registries/cacheRules', parameters('registryName'), parameters('name'))]" + } + } + } + }, + "dependsOn": [ + "registry" + ] + }, + "registry_webhooks": { + "copy": { + "name": "registry_webhooks", + "count": "[length(coalesce(parameters('webhooks'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Registry-Webhook-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('webhooks'), createArray())[copyIndex()].name]" + }, + "registryName": { + "value": "[parameters('name')]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'location'), parameters('location'))]" + }, + "action": { + "value": "[coalesce(tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'action'), createArray('chart_delete', 'chart_push', 'delete', 'push', 'quarantine'))]" + }, + "customHeaders": { + "value": "[tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'customHeaders')]" + }, + "scope": { + "value": "[tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'scope')]" + }, + "status": { + "value": "[tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'status')]" + }, + "serviceUri": { + "value": "[coalesce(parameters('webhooks'), createArray())[copyIndex()].serviceUri]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('webhooks'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": 
"0.25.53.49325", + "templateHash": "3986666280667981658" + }, + "name": "Azure Container Registry (ACR) Webhooks", + "description": "This module deploys an Azure Container Registry (ACR) Webhook.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "registryName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent registry. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "defaultValue": "[format('{0}webhook', parameters('registryName'))]", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "Optional. The name of the registry webhook." + } + }, + "serviceUri": { + "type": "string", + "metadata": { + "description": "Required. The service URI for the webhook to post notifications." + } + }, + "status": { + "type": "string", + "defaultValue": "enabled", + "allowedValues": [ + "disabled", + "enabled" + ], + "metadata": { + "description": "Optional. The status of the webhook at the time the operation was called." + } + }, + "action": { + "type": "array", + "defaultValue": [ + "chart_delete", + "chart_push", + "delete", + "push", + "quarantine" + ], + "metadata": { + "description": "Optional. The list of actions that trigger the webhook to post notifications." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "customHeaders": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Custom headers that will be added to the webhook notifications." + } + }, + "scope": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The scope of repositories where the event can be triggered. 
For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events." + } + } + }, + "resources": { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "webhook": { + "type": "Microsoft.ContainerRegistry/registries/webhooks", + "apiVersion": "2023-06-01-preview", + "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "actions": "[parameters('action')]", + "customHeaders": "[parameters('customHeaders')]", + "scope": "[parameters('scope')]", + "serviceUri": "[parameters('serviceUri')]", + "status": "[parameters('status')]" + }, + "dependsOn": [ + "registry" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the webhook." + }, + "value": "[resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the webhook." + }, + "value": "[parameters('name')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Azure container registry." + }, + "value": "[resourceGroup().name]" + }, + "actions": { + "type": "array", + "metadata": { + "description": "The actions of the webhook." + }, + "value": "[reference('webhook').actions]" + }, + "status": { + "type": "string", + "metadata": { + "description": "The status of the webhook." + }, + "value": "[reference('webhook').status]" + }, + "provistioningState": { + "type": "string", + "metadata": { + "description": "The provisioning state of the webhook." 
+ }, + "value": "[reference('webhook').provisioningState]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('webhook', '2023-06-01-preview', 'full').location]" + } + } + } + }, + "dependsOn": [ + "registry" + ] + }, + "registry_privateEndpoints": { + "copy": { + "name": "registry_privateEndpoints", + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-registry-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateLinkServiceConnections": { + "value": [ + { + "name": "[parameters('name')]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]", + "groupIds": [ + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry')]" + ] + } + } + ] + }, + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry'), copyIndex()))]" + }, + "subnetResourceId": { + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" + }, + "enableTelemetry": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableTelemetry'), parameters('enableTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), 
reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" + }, + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": 
"2821141217598568122" + }, + "name": "Private Endpoints", + "description": "This module deploys a Private Endpoint.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "manualPrivateLinkServiceConnectionsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." 
+ } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + } + }, + "nullable": true + }, + "privateLinkServiceConnectionsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." 
+ } + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the private endpoint resource to create." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "ipConfigurations": { + "$ref": "#/definitions/ipConfigurationsType", + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." 
+ } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "customDnsConfigs": { + "$ref": "#/definitions/customDnsConfigType", + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "manualPrivateLinkServiceConnections": { + "$ref": "#/definitions/manualPrivateLinkServiceConnectionsType", + "metadata": { + "description": "Optional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource." + } + }, + "privateLinkServiceConnections": { + "$ref": "#/definitions/privateLinkServiceConnectionsType", + "metadata": { + "description": "Optional. A grouping of information about the connection to the remote resource." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.3.2', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + 
"telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "privateEndpoint": { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", + "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + } + }, + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + 
"privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), 
'2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, + "privateDNSResourceIds": { + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" + }, + "privateEndpointName": { + "value": "[parameters('name')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "18168683629401652671" + }, + "name": "Private Endpoint Private DNS Zone Groups", + "description": "This module deploys a Private Endpoint Private DNS Zone Group.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "privateEndpointName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." + } + }, + "privateDNSResourceIds": { + "type": "array", + "minLength": 1, + "maxLength": 5, + "metadata": { + "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." + } + }, + "name": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Optional. The name of the private DNS zone group." 
+ } + } + }, + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(parameters('privateDNSResourceIds'))]", + "input": { + "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-04-01", + "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", + "properties": { + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint DNS zone group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint DNS zone group." + }, + "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint DNS zone group was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "privateEndpoint" + ] + } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint." + }, + "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint." 
+ }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "registry" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The Name of the Azure container registry." + }, + "value": "[parameters('name')]" + }, + "loginServer": { + "type": "string", + "metadata": { + "description": "The reference to the Azure container registry." + }, + "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '2019-05-01').loginServer]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the Azure container registry." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Azure container registry." + }, + "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[coalesce(tryGet(tryGet(reference('registry', '2023-06-01-preview', 'full'), 'identity'), 'principalId'), '')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('registry', '2023-06-01-preview', 'full').location]" + } + } + } + }, + "dependsOn": [ + "appIdentity" ] }, "cluster": { @@ -20595,9 +27528,7 @@ "value": "[variables('serviceLayerConfig').cluster.networkPlugin]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "aksSubnetId": { "value": "[parameters('aksSubnetId')]" 
@@ -20615,9 +27546,6 @@ "dnsServiceIP": { "value": "[parameters('dnsServiceIP')]" }, - "dockerBridgeCidr": { - "value": "[parameters('dockerBridgeCidr')]" - }, "serviceMeshProfile": "[if(parameters('enableMonitoring'), createObject('value', 'Istio'), createObject('value', null()))]", "istioRevision": "[if(parameters('enableMonitoring'), createObject('value', variables('serviceLayerConfig').cluster.meshVersion), createObject('value', null()))]", "istioIngressGatewayMode": "[if(parameters('enableMonitoring'), createObject('value', parameters('clusterIngress')), createObject('value', null()))]", @@ -20657,7 +27585,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "17906622395551002231" + "templateHash": "12126167964014128764" } }, "parameters": { @@ -20877,15 +27805,6 @@ "description": "The address range to use for services" } }, - "dockerBridgeCidr": { - "type": "string", - "defaultValue": "172.17.0.1/16", - "minLength": 9, - "maxLength": 18, - "metadata": { - "description": "The address range to use for the docker bridge" - } - }, "dnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", @@ -21206,7 +28125,7 @@ }, "variables": { "autoScale": "[greater(parameters('agentCountMax'), parameters('agentCount'))]", - "name": "[format('aks-{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", + "name": "[format('{0}{1}', replace(parameters('resourceName'), '-', ''), uniqueString(resourceGroup().id, parameters('resourceName')))]", "serviceMeshProfileObj": { "istio": { "components": { 
@@ -21358,7 +28277,7 @@ } } }, - "aksProperties": "[union(createObject('kubernetesVersion', parameters('aksVersion'), 'enableRBAC', true(), 'dnsPrefix', parameters('dnsPrefix'), 'aadProfile', if(parameters('enable_aad'), createObject('managed', true(), 'enableAzureRBAC', parameters('enableAzureRBAC'), 'tenantID', parameters('aad_tenant_id'), 'adminGroupObjectIDs', if(empty(parameters('admin_ids')), null(), parameters('admin_ids'))), null()), 'apiServerAccessProfile', if(not(empty(parameters('authorizedIPRanges'))), createObject('authorizedIPRanges', parameters('authorizedIPRanges')), createObject('enablePrivateCluster', parameters('enablePrivateCluster'), 'privateDNSZone', if(parameters('enablePrivateCluster'), variables('aksPrivateDnsZone'), ''), 'enablePrivateClusterPublicFQDN', and(parameters('enablePrivateCluster'), equals(parameters('privateClusterDnsMethod'), 'none')))), 'agentPoolProfiles', variables('agentPoolProfiles'), 'workloadAutoScalerProfile', createObject('keda', createObject('enabled', parameters('kedaEnabled'))), 'networkProfile', createObject('loadBalancerSku', 'standard', 'networkPlugin', parameters('networkPlugin'), 'networkPolicy', parameters('networkPolicy'), 'networkPluginMode', if(equals(parameters('networkPlugin'), 'azure'), parameters('networkPluginMode'), ''), 'podCidr', if(or(or(equals(parameters('networkPlugin'), 'kubenet'), equals(parameters('networkPluginMode'), 'Overlay')), parameters('cniDynamicIpAllocation')), parameters('podCidr'), null()), 'serviceCidr', parameters('serviceCidr'), 'dnsServiceIP', parameters('dnsServiceIP'), 'dockerBridgeCidr', parameters('dockerBridgeCidr'), 'outboundType', variables('outboundTrafficType'), 'ebpfDataplane', if(equals(parameters('networkPlugin'), 'azure'), parameters('ebpfDataplane'), '')), 'disableLocalAccounts', and(parameters('AksDisableLocalAccounts'), parameters('enable_aad')), 'autoUpgradeProfile', createObject('upgradeChannel', parameters('upgradeChannel')), 'addonProfiles', 
variables('aks_addons'), 'autoScalerProfile', if(variables('autoScale'), parameters('AutoscaleProfile'), createObject()), 'oidcIssuerProfile', createObject('enabled', parameters('oidcIssuer')), 'securityProfile', createObject('workloadIdentity', createObject('enabled', parameters('workloadIdentityEnabled')), 'defender', createObject('logAnalyticsWorkspaceResourceId', if(parameters('defenderEnabled'), parameters('workspaceId'), null()), 'securityMonitoring', createObject('enabled', parameters('defenderEnabled'))), 'imageCleaner', createObject('enabled', parameters('enableImageCleaner'), 'intervalHours', parameters('imageCleanerIntervalHours'))), 'ingressProfile', createObject('webAppRouting', createObject('enabled', parameters('warIngressNginx'))), 'storageProfile', createObject('blobCSIDriver', createObject('enabled', parameters('blobCSIDriver')), 'diskCSIDriver', createObject('enabled', parameters('diskCSIDriver')), 'fileCSIDriver', createObject('enabled', parameters('fileCSIDriver'))), 'nodeResourceGroupProfile', createObject('restrictionLevel', parameters('restrictionLevelNodeResourceGroup'))), if(equals(variables('outboundTrafficType'), 'managedNATGateway'), variables('managedNATGatewayProfile'), createObject()), if(parameters('defenderEnabled'), variables('azureDefenderSecurityProfile'), createObject()), if(not(empty(parameters('managedNodeResourceGroup'))), createObject('nodeResourceGroup', parameters('managedNodeResourceGroup')), createObject()), if(not(empty(parameters('serviceMeshProfile'))), createObject('serviceMeshProfile', variables('serviceMeshProfileObj')), createObject()))]", + "aksProperties": "[union(createObject('kubernetesVersion', parameters('aksVersion'), 'enableRBAC', true(), 'dnsPrefix', parameters('dnsPrefix'), 'aadProfile', if(parameters('enable_aad'), createObject('managed', true(), 'enableAzureRBAC', parameters('enableAzureRBAC'), 'tenantID', parameters('aad_tenant_id'), 'adminGroupObjectIDs', if(empty(parameters('admin_ids')), null(), 
parameters('admin_ids'))), null()), 'apiServerAccessProfile', if(not(empty(parameters('authorizedIPRanges'))), createObject('authorizedIPRanges', parameters('authorizedIPRanges')), createObject('enablePrivateCluster', parameters('enablePrivateCluster'), 'privateDNSZone', if(parameters('enablePrivateCluster'), variables('aksPrivateDnsZone'), ''), 'enablePrivateClusterPublicFQDN', and(parameters('enablePrivateCluster'), equals(parameters('privateClusterDnsMethod'), 'none')))), 'agentPoolProfiles', variables('agentPoolProfiles'), 'workloadAutoScalerProfile', createObject('keda', createObject('enabled', parameters('kedaEnabled'))), 'networkProfile', createObject('loadBalancerSku', 'standard', 'networkPlugin', parameters('networkPlugin'), 'networkPolicy', parameters('networkPolicy'), 'networkPluginMode', if(equals(parameters('networkPlugin'), 'azure'), parameters('networkPluginMode'), ''), 'podCidr', if(or(or(equals(parameters('networkPlugin'), 'kubenet'), equals(parameters('networkPluginMode'), 'Overlay')), parameters('cniDynamicIpAllocation')), parameters('podCidr'), null()), 'serviceCidr', parameters('serviceCidr'), 'dnsServiceIP', parameters('dnsServiceIP'), 'outboundType', variables('outboundTrafficType'), 'ebpfDataplane', if(equals(parameters('networkPlugin'), 'azure'), parameters('ebpfDataplane'), '')), 'disableLocalAccounts', and(parameters('AksDisableLocalAccounts'), parameters('enable_aad')), 'autoUpgradeProfile', createObject('upgradeChannel', parameters('upgradeChannel')), 'addonProfiles', variables('aks_addons'), 'autoScalerProfile', if(variables('autoScale'), parameters('AutoscaleProfile'), createObject()), 'oidcIssuerProfile', createObject('enabled', parameters('oidcIssuer')), 'securityProfile', createObject('workloadIdentity', createObject('enabled', parameters('workloadIdentityEnabled')), 'defender', createObject('logAnalyticsWorkspaceResourceId', if(parameters('defenderEnabled'), parameters('workspaceId'), null()), 'securityMonitoring', 
createObject('enabled', parameters('defenderEnabled'))), 'imageCleaner', createObject('enabled', parameters('enableImageCleaner'), 'intervalHours', parameters('imageCleanerIntervalHours'))), 'ingressProfile', createObject('webAppRouting', createObject('enabled', parameters('warIngressNginx'))), 'storageProfile', createObject('blobCSIDriver', createObject('enabled', parameters('blobCSIDriver')), 'diskCSIDriver', createObject('enabled', parameters('diskCSIDriver')), 'fileCSIDriver', createObject('enabled', parameters('fileCSIDriver'))), 'nodeResourceGroupProfile', createObject('restrictionLevel', parameters('restrictionLevelNodeResourceGroup'))), if(equals(variables('outboundTrafficType'), 'managedNATGateway'), variables('managedNATGatewayProfile'), createObject()), if(parameters('defenderEnabled'), variables('azureDefenderSecurityProfile'), createObject()), if(not(empty(parameters('managedNodeResourceGroup'))), createObject('nodeResourceGroup', parameters('managedNodeResourceGroup')), createObject()), if(not(empty(parameters('serviceMeshProfile'))), createObject('serviceMeshProfile', variables('serviceMeshProfileObj')), createObject()))]", "ingressModes": { "external": { "enabled": true, @@ -21376,7 +28295,7 @@ "resources": [ { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-10-01", + "apiVersion": "2023-11-01", "name": "[if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", 
@@ -21495,7 +28414,7 @@ }, "aksOidcIssuerUrl": { "type": "string", - "value": "[if(parameters('oidcIssuer'), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-10-01').oidcIssuerProfile.issuerURL, '')]" + "value": "[if(parameters('oidcIssuer'), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-11-01').oidcIssuerProfile.issuerURL, '')]" }, "userNodePoolName": { "type": "string", 
@@ -21511,11 +28430,11 @@ }, "privateFQDN": { "type": "string", - "value": "[if(and(parameters('enablePrivateCluster'), not(equals(parameters('privateClusterDnsMethod'), 'none'))), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-10-01').privateFQDN, '')]" + "value": "[if(and(parameters('enablePrivateCluster'), not(equals(parameters('privateClusterDnsMethod'), 'none'))), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-11-01').privateFQDN, '')]" }, "aksPrivateDnsZoneName": { "type": "string", - "value": "[if(and(parameters('enablePrivateCluster'), not(equals(parameters('privateClusterDnsMethod'), 'none'))), join(skip(split(reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-10-01').privateFQDN, '.'), 1), '.'), '')]" + "value": "[if(and(parameters('enablePrivateCluster'), not(equals(parameters('privateClusterDnsMethod'), 'none'))), join(skip(split(reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-11-01').privateFQDN, '.'), 1), '.'), '')]" }, "aksOidcFedIdentityProperties": { "type": "object", 
@@ -21523,7 +28442,7 @@ "description": "This output can be directly leveraged when creating a ManagedId Federated Identity" }, "value": { - "issuer": "[if(parameters('oidcIssuer'), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-10-01').oidcIssuerProfile.issuerURL, '')]", + "issuer": "[if(parameters('oidcIssuer'), reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-11-01').oidcIssuerProfile.issuerURL, '')]", "audiences": [ "api://AzureADTokenExchange" ], @@ -21535,7 +28454,7 @@ "metadata": { "description": "The name of the managed resource group AKS uses" }, - "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-10-01').nodeResourceGroup]" + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', if(greater(length(variables('name')), 63), substring(variables('name'), 0, 63), variables('name'))), '2023-11-01').nodeResourceGroup]" }, "aksResourceId": { "type": "string", @@ -21610,7 +28529,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "3027466160944421257" + "templateHash": "497969398024933647" } }, "parameters": { @@ -21713,7 +28632,7 @@ "resources": [ { "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-10-02-preview", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('AksName'), parameters('PoolName'))]", "properties": { "mode": "User", @@ -21798,7 +28717,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "3027466160944421257" + "templateHash": "497969398024933647" } }, "parameters": { 
@@ -21901,7 +28820,7 @@ "resources": [ { "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-10-02-preview", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('AksName'), parameters('PoolName'))]", "properties": { "mode": "User", @@ -21986,7 +28905,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "3027466160944421257" + "templateHash": "497969398024933647" } }, "parameters": { @@ -22089,7 +29008,7 @@ "resources": [ { "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-10-02-preview", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('AksName'), parameters('PoolName'))]", "properties": { "mode": "User", @@ -22120,10 +29039,10 @@ "cluster" ] }, - "appIdentity": { + "federatedCredsDefaultNamespace": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-user-managed-identity', parameters('bladeConfig').sectionName)]", + "name": "[format('{0}-federated-cred-ns_default', parameters('bladeConfig').sectionName)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -22131,430 +29050,111 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[format('id-{0}{1}', replace(parameters('bladeConfig').sectionName, '-', ''), uniqueString(resourceGroup().id, parameters('bladeConfig').sectionName))]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" + "value": "federated-ns_default" }, - "federatedIdentityCredentials": { + "audiences": { "value": [ - { - "audiences": [ - "api://AzureADTokenExchange" - ], - "issuer": "[reference('cluster').outputs.aksOidcIssuerUrl.value]", - "name": "federated-ns_default", - "subject": "system:serviceaccount:default:workload-identity-sa" - } + "api://AzureADTokenExchange" ] }, - "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "issuer": { + "value": "[reference('cluster').outputs.aksOidcIssuerUrl.value]" + }, + "userAssignedIdentityName": { + "value": "[parameters('managedIdentityName')]" + }, + "subject": { + "value": "system:serviceaccount:default:workload-identity-sa" } }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17425686371279834860" - }, - "name": "User Assigned Identities", - "description": "This module deploys a User Assigned Identity.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." 
- } - } - } - }, - "nullable": true - } + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "2772093595427161893" + }, + "name": "User Assigned Identity Federated Identity Credential", + "description": "This module deploys a User Assigned Identity Federated Identity Credential.", + "owner": "Azure/module-maintainers" }, "parameters": { - "name": { + "userAssignedIdentityName": { "type": "string", "metadata": { - "description": "Required. Name of the User Assigned Identity." + "description": "Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment." } }, - "location": { + "name": { "type": "string", - "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "Optional. Location for all resources." + "description": "Required. The name of the secret." } }, - "federatedIdentityCredentials": { + "audiences": { "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. 
This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token." } }, - "tags": { - "type": "object", - "nullable": true, + "issuer": { + "type": "string", "metadata": { - "description": "Optional. Tags of the resource." + "description": "Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, + "subject": { + "type": "string", "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." 
} } }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "userAssignedIdentity": { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", - "name": "[parameters('name')]", - "location": 
"[parameters('location')]", - "tags": "[parameters('tags')]" - }, - "userAssignedIdentity_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "userAssignedIdentity" - ] - }, - "userAssignedIdentity_roleAssignments": { - "copy": { - "name": "userAssignedIdentity_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "userAssignedIdentity" - ] - }, - "userAssignedIdentity_federatedIdentityCredentials": { - "copy": { - "name": "userAssignedIdentity_federatedIdentityCredentials", - "count": "[length(parameters('federatedIdentityCredentials'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-UserMSI-FederatedIdentityCredential-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}/{1}', parameters('userAssignedIdentityName'), parameters('name'))]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].name]" - }, - "userAssignedIdentityName": { - "value": "[parameters('name')]" - }, - "audiences": { - "value": 
"[parameters('federatedIdentityCredentials')[copyIndex()].audiences]" - }, - "issuer": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].issuer]" - }, - "subject": { - "value": "[parameters('federatedIdentityCredentials')[copyIndex()].subject]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4906524580099045986" - }, - "name": "User Assigned Identity Federated Identity Credential", - "description": "This module deploys a User Assigned Identity Federated Identity Credential.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "userAssignedIdentityName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret." - } - }, - "audiences": { - "type": "array", - "metadata": { - "description": "Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token." - } - }, - "issuer": { - "type": "string", - "metadata": { - "description": "Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged." - } - }, - "subject": { - "type": "string", - "metadata": { - "description": "Required. The identifier of the external software workload within the external identity provider. 
Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." - } - } - }, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('userAssignedIdentityName'), parameters('name'))]", - "properties": { - "audiences": "[parameters('audiences')]", - "issuer": "[parameters('issuer')]", - "subject": "[parameters('subject')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the federated identity credential." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the federated identity credential." - }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentityName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the federated identity credential was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "userAssignedIdentity" - ] + "audiences": "[parameters('audiences')]", + "issuer": "[parameters('issuer')]", + "subject": "[parameters('subject')]" + } } - }, + ], "outputs": { "name": { "type": "string", "metadata": { - "description": "The name of the user assigned identity." + "description": "The name of the federated identity credential." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the user assigned identity." 
- }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "The principal ID (object ID) of the user assigned identity." - }, - "value": "[reference('userAssignedIdentity').principalId]" - }, - "clientId": { - "type": "string", - "metadata": { - "description": "The client ID (application ID) of the user assigned identity." + "description": "The resource ID of the federated identity credential." }, - "value": "[reference('userAssignedIdentity').clientId]" + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentityName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the user assigned identity was deployed into." + "description": "The name of the resource group the federated identity credential was created in." }, "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('userAssignedIdentity', '2023-01-31', 'full').location]" } } } }, "dependsOn": [ + "appIdentity", "cluster" ] }, - "federatedCredsOsduAzure": { + "federatedCredsOsduCoreNamespace": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-federated-cred-ns_osdu-core', parameters('bladeConfig').sectionName)]", @@ -22576,7 +29176,7 @@ "value": "[reference('cluster').outputs.aksOidcIssuerUrl.value]" }, "userAssignedIdentityName": { - "value": "[reference('appIdentity').outputs.name.value]" + "value": "[parameters('managedIdentityName')]" }, "subject": { "value": "system:serviceaccount:osdu-core:workload-identity-sa" 
@@ -22666,10 +29266,11 @@ }, "dependsOn": [ "appIdentity", - "cluster" + "cluster", + "federatedCredsDefaultNamespace" ] }, - "federatedCredsDevSample": { + "federatedCredsDevSampleNamespace": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-federated-cred-ns_dev-sample', parameters('bladeConfig').sectionName)]", @@ -22691,7 +29292,7 @@ "value": "[reference('cluster').outputs.aksOidcIssuerUrl.value]" }, "userAssignedIdentityName": { - "value": "[reference('appIdentity').outputs.name.value]" + "value": "[parameters('managedIdentityName')]" }, "subject": { "value": "system:serviceaccount:dev-sample:workload-identity-sa" @@ -22782,10 +29383,10 @@ "dependsOn": [ "appIdentity", "cluster", - "federatedCredsOsduAzure" + "federatedCredsOsduCoreNamespace" ] }, - "federatedCredsConfigMaps": { + "federatedCredsConfigMapsNamespace": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-federated-cred-ns_config-maps', parameters('bladeConfig').sectionName)]", @@ -22807,7 +29408,7 @@ "value": "[reference('cluster').outputs.aksOidcIssuerUrl.value]" }, "userAssignedIdentityName": { - "value": "[reference('appIdentity').outputs.name.value]" + "value": "[parameters('managedIdentityName')]" }, "subject": { "value": "system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider" @@ -22898,7 +29499,7 @@ "dependsOn": [ "appIdentity", "cluster", - "federatedCredsDevSample" + "federatedCredsDevSampleNamespace" ] }, "appRoleAssignments": { @@ -22912,7 +29513,7 @@ "mode": "Incremental", "parameters": { "identityprincipalId": { - "value": "[reference('appIdentity').outputs.principalId.value]" + "value": "[reference('appIdentity').principalId]" }, "kvName": { "value": "[parameters('kvName')]" 
@@ -23030,7 +29631,10 @@ }, "dependsOn": [ "appIdentity", - "federatedCredsConfigMaps" + "federatedCredsConfigMapsNamespace", + "federatedCredsDefaultNamespace", + "federatedCredsDevSampleNamespace", + "federatedCredsOsduCoreNamespace" ] }, "appRoleAssignments2": { @@ -23048,7 +29652,7 @@ "mode": "Incremental", "parameters": { "identityprincipalId": { - "value": "[reference('appIdentity').outputs.principalId.value]" + "value": "[reference('appIdentity').principalId]" }, "storageName": { "value": "[parameters('partitionStorageNames')[copyIndex()]]" @@ -23163,7 +29767,10 @@ }, "dependsOn": [ "appIdentity", - "federatedCredsDevSample" + "federatedCredsConfigMapsNamespace", + "federatedCredsDefaultNamespace", + "federatedCredsDevSampleNamespace", + "federatedCredsOsduCoreNamespace" ] }, "helmAppConfigProvider": { 
@@ -23433,23 +30040,21 @@ "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "roleAssignments": { "value": [ { "roleDefinitionIdOrName": "App Configuration Data Reader", "principalIds": [ - "[reference('appIdentity').outputs.principalId.value]" + "[reference('appIdentity').principalId]" ], "principalType": "ServicePrincipal" } ] }, "keyValues": { - "value": "[concat(union(parameters('appSettings'), createArray(createObject('name', 'Settings:Message', 'value', 'Hello from App Configuration', 'contentType', 'text/plain', 'label', 'configmap-devsample'), createObject('name', 'tenant_id', 'value', subscription().tenantId, 'contentType', 'text/plain', 'label', 'configmap-services'), createObject('name', 'azure_msi_client_id', 'value', reference('appIdentity').outputs.clientId.value, 'contentType', 'text/plain', 'label', 'configmap-services'), createObject('name', 'keyvault_uri', 'value', reference('keyVault').vaultUri, 'contentType', 'text/plain', 'label', 'configmap-services'))))]" + "value": "[concat(union(parameters('appSettings'), createArray(createObject('name', 'Settings:Message', 'value', 'Hello from App Configuration', 'contentType', 'text/plain', 'label', 'configmap-devsample'), createObject('name', 'tenant_id', 'value', subscription().tenantId, 'contentType', 'text/plain', 'label', 'configmap-services'), createObject('name', 'azure_msi_client_id', 'value', reference('appIdentity').clientId, 'contentType', 'text/plain', 'label', 'configmap-services'), createObject('name', 'keyvault_uri', 'value', reference('keyVault').vaultUri, 'contentType', 'text/plain', 'label', 'configmap-services')), variables('partitionStorageSettings'), variables('partitionBusSettings'), variables('common_helm_values')))]" } }, "template": { 
@@ -23459,7 +30064,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "16053880052968178279" + "templateHash": "13319486303990973389" }, "name": "App Configuration", "description": "This module deploys an App Configuration.", @@ -23681,7 +30286,7 @@ "resources": [ { "type": "Microsoft.AppConfiguration/configurationStores", - "apiVersion": "2022-05-01", + "apiVersion": "2023-03-01", "name": "[if(greater(length(variables('name')), 50), substring(variables('name'), 0, 50), variables('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -23698,7 +30303,7 @@ { "condition": "[not(equals(parameters('lock'), 'NotSpecified'))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', if(greater(length(variables('name')), 50), substring(variables('name'), 0, 50), variables('name')))]", "name": "[format('{0}-{1}-lock', if(greater(length(variables('name')), 50), substring(variables('name'), 0, 50), variables('name')), parameters('lock'))]", "properties": { @@ -23831,7 +30436,7 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "4283551197591373213" + "templateHash": "14560543269345781023" } }, "parameters": { @@ -23881,7 +30486,7 @@ "resources": [ { "type": "Microsoft.AppConfiguration/configurationStores/keyValues", - "apiVersion": "2022-05-01", + "apiVersion": "2023-03-01", "name": "[format('{0}/{1}', parameters('appConfigurationName'), variables('keyValueName'))]", "properties": { "contentType": "[parameters('contentType')]", 
@@ -24090,7 +30695,7 @@ "metadata": { "description": "The endpoint of the azure app configuration service." }, - "value": "[reference(resourceId('Microsoft.AppConfiguration/configurationStores', if(greater(length(variables('name')), 50), substring(variables('name'), 0, 50), variables('name'))), '2022-05-01').endpoint]" + "value": "[reference(resourceId('Microsoft.AppConfiguration/configurationStores', if(greater(length(variables('name')), 50), substring(variables('name'), 0, 50), variables('name'))), '2023-03-01').endpoint]" } } } @@ -24124,9 +30729,21 @@ "namespace": { "value": "default" }, + "newOrExistingManagedIdentity": { + "value": "existing" + }, + "managedIdentityName": { + "value": "[parameters('managedIdentityName')]" + }, + "existingManagedIdentitySubId": { + "value": "[subscription().subscriptionId]" + }, + "existingManagedIdentityResourceGroupName": { + "value": "[resourceGroup().name]" + }, "fileData": { "value": [ - "[format(variables('configMaps').appConfigTemplate, subscription().tenantId, reference('appIdentity').outputs.clientId.value, reference('app_config').outputs.endpoint.value, parameters('kvUri'), parameters('kvName'), parameters('applicationClientId'), parameters('applicationClientPrincipalOid'))]" + "[format(variables('configMaps').appConfigTemplate, subscription().tenantId, reference('appIdentity').clientId, reference('app_config').outputs.endpoint.value, parameters('kvUri'), parameters('kvName'), parameters('applicationClientId'), parameters('applicationClientPrincipalOid'))]" ] } }, @@ -24437,8 +31054,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "885928168160399718" + "version": "0.25.53.49325", + "templateHash": "14634783601382840988" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", 
@@ -24537,7 +31154,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.kubernetesconfiguration-fluxconfig.{0}.{1}', replace('0.3.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.kubernetesconfiguration-fluxconfig.{0}.{1}', replace('0.3.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -24629,9 +31246,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "publicNetworkAccess": { "value": "Enabled" @@ -25153,9 +31768,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": { - "layer": "[parameters('bladeConfig').displayName]" - } + "value": "[union(parameters('tags'), createObject('layer', parameters('bladeConfig').displayName))]" }, "skuName": { "value": "Standard" @@ -25388,6 +32001,13 @@ "description": "The name of the azure keyvault." }, "value": "[reference('app_config').outputs.endpoint.value]" + }, + "registryName": { + "type": "string", + "metadata": { + "description": "The name of the container registry." + }, + "value": "[reference('registry').outputs.name.value]" } } } @@ -25405,6 +32025,10 @@ "KEYVAULT_NAME": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'common-blade'), '2022-09-01').outputs.keyvaultName.value]" + }, + "ACR_NAME": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'service-blade'), '2022-09-01').outputs.registryName.value]" } } } \ No newline at end of file diff --git a/bicep/main.bicep b/bicep/main.bicep index f747c89a..0e210c1a 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep 
@@ -68,11 +68,10 @@ param clusterSoftware object = { } // This would be a type but bugs exist for ARM Templates so is object instead. -@description('Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dockerBridgeCidr}, {dnsServiceIP}') +@description('Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dnsServiceIP}') param clusterNetwork object = { ingress: '' serviceCidr: '' - dockerBridgeCidr: '' dnsServiceIP: '' } @@ -146,21 +145,23 @@ var configuration = { ] } +var rg_unique_id = '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' //*****************************************************************// // Identity Resources // //*****************************************************************// -module stampIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.1.0' = { +module stampIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.2.1' = { name: '${configuration.name}-user-managed-identity' params: { // Required parameters - name: 'id-${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' + name: rg_unique_id location: location enableTelemetry: enableTelemetry // Assign Tags tags: { layer: configuration.displayName + id: rg_unique_id } } } 
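Review bot: In the second hunk, `name: rg_unique_id` drops the `id-` prefix from the stamp identity, and later hunks drop `log-`, `kv-`, `ai-`, `sa`, `dba-`, `aks-` and the `nsg-common`/`vnet-common` literals the same way, so every derived resource name changes. If this template is re-applied to an existing resource group in Incremental mode, that would presumably create a new identity, vault, storage account and Cosmos account beside the old ones, leaving the old principal's role assignments and the old vault's secrets in place. The identity and the Log Analytics workspace also end up with the identical name, which makes audit-log entries harder to attribute. I would keep a type prefix, e.g. `name: 'id-${rg_unique_id}'`, or state the breaking rename and the cleanup step in the commit description.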
@@ -169,16 +170,17 @@ module stampIdentity 'br/public:avm/res/managed-identity/user-assigned-identity: //*****************************************************************// // Monitoring Resources // //*****************************************************************// -module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.2.1' = { +module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.3.4' = { name: '${configuration.name}-log-analytics' params: { - name: 'log-${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' + name: rg_unique_id location: location enableTelemetry: enableTelemetry // Assign Tags tags: { layer: configuration.displayName + id: rg_unique_id } skuName: configuration.logs.sku @@ -197,6 +199,10 @@ module networkBlade 'modules/blade_network.bicep' = { displayName: 'Network Resources' } + tags: { + id: rg_unique_id + } + location: location enableTelemetry: enableTelemetry @@ -248,6 +254,10 @@ module commonBlade 'modules/blade_common.bicep' = { displayName: 'Common Resources' } + tags: { + id: rg_unique_id + } + location: location enableTelemetry: enableTelemetry deploymentScriptIdentity: stampIdentity.outputs.name @@ -285,6 +295,10 @@ module manageBlade 'modules/blade_manage.bicep' = { displayName: 'Manage Resources' } + tags: { + id: rg_unique_id + } + manageLayerConfig: { machine: { vmSize: 'Standard_DS3_v2' @@ -329,6 +343,10 @@ module partitionBlade 'modules/blade_partition.bicep' = { displayName: 'Partition Resources' } + tags: { + id: rg_unique_id + } + location: location workspaceResourceId: logAnalytics.outputs.resourceId @@ -362,6 +380,10 @@ module serviceBlade 'modules/blade_service.bicep' = { displayName: 'Service Resources' } + tags: { + id: rg_unique_id + } + location: location enableTelemetry: enableTelemetry 
@@ -376,6 +398,7 @@ module serviceBlade 'modules/blade_service.bicep' = { kvUri: commonBlade.outputs.keyvaultUri storageName: commonBlade.outputs.storageAccountName partitionStorageNames: partitionBlade.outputs.partitionStorageNames + partitionServiceBusNames: partitionBlade.outputs.partitionServiceBusNames aksSubnetId: networkBlade.outputs.aksSubnetId podSubnetId: enablePodSubnet ? networkBlade.outputs.podSubnetId : '' @@ -385,7 +408,6 @@ module serviceBlade 'modules/blade_service.bicep' = { clusterIngress: clusterNetwork.ingress == '' ? 'Both' : clusterNetwork.ingress serviceCidr: clusterNetwork.serviceCidr == '' ? '172.16.0.0/16' : clusterNetwork.serviceCidr dnsServiceIP: clusterNetwork.dnsServiceIP == '' ? '172.16.0.10' : clusterNetwork.v - dockerBridgeCidr: clusterNetwork.dockerBridgeCidr == '' ? '172.17.0.1/16' : clusterNetwork.dockerBridgeCidr networkPlugin: enablePodSubnet ? 'azure' : clusterNetworkPlugin softwareBranch: clusterSoftware.branch @@ -415,5 +437,6 @@ module serviceBlade 'modules/blade_service.bicep' = { } output KEYVAULT_NAME string = commonBlade.outputs.keyvaultName +output ACR_NAME string = serviceBlade.outputs.registryName //ACSCII Art link : https://textkool.com/en/ascii-art-generator?hl=default&vl=default&font=Star%20Wars&text=changeme diff --git a/bicep/modules/aks_agent_pool.bicep b/bicep/modules/aks_agent_pool.bicep index b8834b56..5aed2adf 100644 --- a/bicep/modules/aks_agent_pool.bicep +++ b/bicep/modules/aks_agent_pool.bicep @@ -43,11 +43,11 @@ param podSubnetId string ]) param osType string = 'Linux' -resource aks 'Microsoft.ContainerService/managedClusters@2021-10-01' existing = { +resource aks 'Microsoft.ContainerService/managedClusters@2024-01-01' existing = { name: AksName } -resource nodepool 'Microsoft.ContainerService/managedClusters/agentPools@2023-10-02-preview' = { +resource nodepool 'Microsoft.ContainerService/managedClusters/agentPools@2023-11-01' = { parent: aks name: PoolName properties: { 
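Review bot: The `dnsServiceIP` line kept as context in the second hunk reads `clusterNetwork.v` in its else-branch, which is not a key of the `clusterNetwork` parameter (`ingress`, `serviceCidr`, `dnsServiceIP`), so a caller-supplied DNS service IP is never passed through and the lookup probably fails at deployment. Since this hunk already edits the neighbouring network overrides, fix it here: `dnsServiceIP: clusterNetwork.dnsServiceIP == '' ? '172.16.0.10' : clusterNetwork.dnsServiceIP`. The serviceBlade params block starts and ends outside the hunk.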
diff --git a/bicep/modules/aks_cluster.bicep b/bicep/modules/aks_cluster.bicep index 3d67a027..f04b802f 100644 --- a/bicep/modules/aks_cluster.bicep +++ b/bicep/modules/aks_cluster.bicep @@ -158,11 +158,6 @@ param podCidr string = '192.168.0.0/16' @description('The address range to use for services') param serviceCidr string = '172.16.0.0/16' -@minLength(9) -@maxLength(18) -@description('The address range to use for the docker bridge') -param dockerBridgeCidr string = '172.17.0.1/16' - @minLength(7) @maxLength(15) @description('The IP address to reserve for DNS') @@ -331,7 +326,7 @@ param istioRevision string = 'asm-1-18' */ @description('The name of the AKS cluster.') -var name = 'aks-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' +var name = '${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' var serviceMeshProfileObj = { istio: { @@ -576,7 +571,6 @@ var aksProperties = union({ podCidr: networkPlugin=='kubenet' || networkPluginMode=='Overlay' || cniDynamicIpAllocation ? podCidr : null serviceCidr: serviceCidr dnsServiceIP: dnsServiceIP - dockerBridgeCidr: dockerBridgeCidr outboundType: outboundTrafficType ebpfDataplane: networkPlugin=='azure' ? ebpfDataplane : '' } @@ -649,7 +643,7 @@ var ingressModes = { | _| `._____||_______|_______/ \______/ \______/ | _| `._____| \______||_______|_______/ */ -resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = { +resource aks 'Microsoft.ContainerService/managedClusters@2023-11-01' = { name: length(name) > 63 ? substring(name, 0, 63) : name location: location tags: tags diff --git a/bicep/modules/app-configuration/.bicep/key_values.bicep b/bicep/modules/app-configuration/.bicep/key_values.bicep index ad695556..33acc51c 100644 --- a/bicep/modules/app-configuration/.bicep/key_values.bicep +++ b/bicep/modules/app-configuration/.bicep/key_values.bicep 
@@ -22,7 +22,7 @@ resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2022-0 var keyValueName = empty(label) ? name : '${name}$${label}' -resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2022-05-01' = { +resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2023-03-01' = { name: keyValueName parent: appConfiguration properties: { diff --git a/bicep/modules/app-configuration/main.bicep b/bicep/modules/app-configuration/main.bicep index fb1272cc..67862f9c 100644 --- a/bicep/modules/app-configuration/main.bicep +++ b/bicep/modules/app-configuration/main.bicep @@ -139,7 +139,7 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' -resource configStore 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = { +resource configStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = { name: length(name) > 50 ? substring(name, 0, 50) : name location: location tags: tags @@ -178,7 +178,7 @@ module configurationStore_keyValues './.bicep/key_values.bicep' = [for (keyValue }] // Apply Resource Lock -resource resource_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { +resource resource_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock != 'NotSpecified') { name: '${configStore.name}-${lock}-lock' properties: { level: lock diff --git a/bicep/modules/blade_common.bicep b/bicep/modules/blade_common.bicep index 53410fcb..53965c4c 100644 --- a/bicep/modules/blade_common.bicep +++ b/bicep/modules/blade_common.bicep 
@@ -13,6 +13,9 @@ type bladeSettings = { @description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.') param enableBlobPublicAccess bool +@description('Optional. The tags to apply to the resources') +param tags object = {} + @description('The location of resources to deploy') param location string @@ -96,7 +99,7 @@ var commonLayerConfig = { module insights 'br/public:avm/res/insights/component:0.3.0' = { name: '${bladeConfig.sectionName}-insights' params: { - name: 'ai-${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' location: location enableTelemetry: enableTelemetry kind: commonLayerConfig.insights.sku @@ -125,7 +128,7 @@ module insights 'br/public:avm/res/insights/component:0.3.0' = { |__|\__\ |_______| |__| \__/ /__/ \__\ \______/ |_______| |__| */ -var name = 'kv-${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' +var name = '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' @description('The list of secrets to persist to the Key Vault') var vaultSecrets = [ @@ -166,7 +169,7 @@ var roleAssignment = { principalType: 'ServicePrincipal' } -module keyvault 'br/public:avm/res/key-vault/vault:0.3.4' = { +module keyvault 'br/public:avm/res/key-vault/vault:0.5.1' = { name: '${bladeConfig.sectionName}-keyvault' params: { name: length(name) > 24 ? substring(name, 0, 24) : name @@ -174,9 +177,12 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.3.4' = { enableTelemetry: enableTelemetry // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) enablePurgeProtection: false 
@@ -284,13 +290,16 @@ var storageDnsZoneName = 'privatelink.${storageDNSZoneForwarder}' module configStorage './storage-account/main.bicep' = { name: '${bladeConfig.sectionName}-storage' params: { - name: 'sa${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' location: location // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) // Hook up Diagnostics diagnosticWorkspaceId: workspaceResourceId @@ -356,9 +365,12 @@ module database './cosmos-db/main.bicep' = { resourceLocation: location // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) // Hook up Diagnostics diagnosticWorkspaceId: workspaceResourceId diff --git a/bicep/modules/blade_manage.bicep b/bicep/modules/blade_manage.bicep index 4797ea55..f3ebcd3d 100644 --- a/bicep/modules/blade_manage.bicep +++ b/bicep/modules/blade_manage.bicep @@ -43,6 +43,9 @@ param bladeConfig bladeSettings @description('The location of resources to deploy') param location string +@description('The tags to apply to the resources') +param tags object = {} + @description('Feature Flag to Enable Telemetry') param enableTelemetry bool = false 
@@ -81,14 +84,21 @@ param manageLayerConfig manageSettings |______/ /__/ \__\ |_______/ |__| |__| \______/ |__| \__| */ -module bastionHost 'br/public:avm/res/network/bastion-host:0.1.1' = if (enableBastion) { +module bastionHost 'br/public:avm/res/network/bastion-host:0.2.1' = if (enableBastion) { name: '${bladeConfig.sectionName}-bastion' params: { name: 'bh-${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' skuName: manageLayerConfig.bastion.skuName - vNetId: vnetId + virtualNetworkResourceId: vnetId location: location enableTelemetry: enableTelemetry + + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) } } @@ -113,9 +123,12 @@ module virtualMachine './virtual_machine.bicep' = if (enableBastion) { vmSize: manageLayerConfig.machine.vmSize // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) vmSubnetId: vmSubnetId vmAdminUsername: vmAdminUsername diff --git a/bicep/modules/blade_network.bicep b/bicep/modules/blade_network.bicep index 82623aca..ee0e2f10 100644 --- a/bicep/modules/blade_network.bicep +++ b/bicep/modules/blade_network.bicep @@ -42,6 +42,9 @@ param bladeConfig bladeSettings @description('The location of resources to deploy') param location string +@description('The tags to apply to the resources') +param tags object = {} + @description('Feature Flag to Enable Telemetry') param enableTelemetry bool = false 
@@ -285,17 +288,20 @@ var subnets = { } } -module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (!enableVnetInjection) { +module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.3' = if (!enableVnetInjection) { name: '${bladeConfig.sectionName}-nsg-cluster' params: { - name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-aks' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}-aks' location: location enableTelemetry: enableTelemetry // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) securityRules: union( array(nsgRules.http_inbound_rule), @@ -305,17 +311,20 @@ module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-g } } -module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (!enableVnetInjection && enableBastion) { +module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.3' = if (!enableVnetInjection && enableBastion) { name: '${bladeConfig.sectionName}-nsg-bastion' params: { - name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-bastion' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}-bastion' location: location enableTelemetry: enableTelemetry // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) securityRules: union( array(nsgRules.https_inbound_rule), 
@@ -329,33 +338,39 @@ module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-g } } -module machineNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (!enableVnetInjection && enableBastion) { +module machineNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.3' = if (!enableVnetInjection && enableBastion) { name: '${bladeConfig.sectionName}-nsg-manage' params: { - name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-vm' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}-vm' location: location enableTelemetry: enableTelemetry // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) securityRules: [] } } -module network 'br/public:avm/res/network/virtual-network:0.1.0' = if (!enableVnetInjection) { +module network 'br/public:avm/res/network/virtual-network:0.1.5' = if (!enableVnetInjection) { name: '${bladeConfig.sectionName}-virtual-network' params: { - name: 'vnet-common${uniqueString(resourceGroup().id, 'common')}' + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' location: location enableTelemetry: enableTelemetry // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) addressPrefixes: [ networkConfiguration.prefix diff --git a/bicep/modules/blade_partition.bicep b/bicep/modules/blade_partition.bicep index ea5ce7bc..f5a0df09 100644 --- a/bicep/modules/blade_partition.bicep +++ b/bicep/modules/blade_partition.bicep 
@@ -16,6 +16,9 @@ param bladeConfig bladeSettings @description('The location of resources to deploy') param location string +@description('The tags to apply to the resources') +param tags object = {} + @description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.') param enableBlobPublicAccess bool @@ -256,6 +259,93 @@ var partitionLayerConfig = { } ] } + servicebus: { + sku: 'Standard' + defaultSize: 1024 + topics: [ + { + name: 'indexing-progress' + subscriptions: [ + { + name: 'indexing-progresssubscription' + } + ] + } + { + name: 'legaltags' + subscriptions: [ + { + name: 'legaltagssubscription' + } + ] + } + { + name: 'recordstopic' + subscriptions: [ + { + name: 'recordstopicsubscription' + } + ] + } + { + name: 'recordstopicdownstream' + subscriptions: [ + { + name: 'downstreamsub' + } + ] + } + { + name: 'recordstopiceg' + subscriptions: [ + { + name: 'eg_sb_wkssubscription' + } + ] + } + { + name: 'schemachangedtopic' + subscriptions: [ + { + name: 'schemachangedtopicsubscription' + } + ] + } + { + name: 'schemachangedtopiceg' + subscriptions: [ + { + name: 'eg_sb_schemasubscription' + } + ] + } + { + name: 'legaltagschangedtopiceg' + subscriptions: [ + { + name: 'eg_sb_legaltagssubscription' + } + ] + } + { + name: 'statuschangedtopic' + maxSizeInMegabytes: 5120 + subscriptions: [ + { + name: 'eg_sb_statussubscription' + } + ] + } + { + name: 'statuschangedtopiceg' + subscriptions: [] + } + { + name: 'replayrecordtopic' + subscriptions: [] + } + ] + } } 
@@ -273,15 +363,19 @@ module partitionStorage './storage-account/main.bicep' = [for (partition, index) name: '${bladeConfig.sectionName}-azure-storage-${index}' params: { #disable-next-line BCP335 BCP332 - name: 'sa${replace('data${index}${substring(uniqueString(partition.name), 0, 6)}', '-', '')}${uniqueString(resourceGroup().id, 'data${index}${substring(uniqueString(partition.name), 0, 6)}')}' + name: '${replace('data${index}${substring(uniqueString(partition.name), 0, 6)}', '-', '')}${uniqueString(resourceGroup().id, 'data${index}${substring(uniqueString(partition.name), 0, 6)}')}' location: location // Assign Tags - tags: { - layer: bladeConfig.displayName - partition: partition.name - purpose: 'data' - } + + tags: union( + tags, + { + layer: bladeConfig.displayName + partition: partition.name + purpose: 'data' + } + ) // Hook up Diagnostics diagnosticWorkspaceId: workspaceResourceId @@ -325,11 +419,14 @@ module partitionDb './cosmos-db/main.bicep' = [for (partition, index) in partiti resourceLocation: location // Assign Tags - tags: { - layer: bladeConfig.displayName - partition: partition.name - purpose: 'data' - } + tags: union( + tags, + { + layer: bladeConfig.displayName + partition: partition.name + purpose: 'data' + } + ) // Hook up Diagnostics diagnosticWorkspaceId: workspaceResourceId 
@@ -374,5 +471,65 @@ module partitionDbEndpoint './private-endpoint/main.bicep' = [for (partition, in } }] - // Output partitionStorage names + +module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.4.2' = [for (partition, index) in partitions: { + name: '${bladeConfig.sectionName}-service-bus-${index}' + params: { + name: '${replace('data${index}${substring(uniqueString(partition.name), 0, 6)}', '-', '')}${uniqueString(resourceGroup().id, 'data${index}${substring(uniqueString(partition.name), 0, 6)}')}' + location: location + + // Assign Tags + tags: union( + tags, + { + layer: bladeConfig.displayName + partition: partition.name + purpose: 'data' + } + ) + + // Hook up Diagnostics + diagnosticSettings: [ + { + workspaceResourceId: workspaceResourceId + } + ] + + skuObject: { + name: partitionLayerConfig.servicebus.sku + } + + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + ] + + topics: [ + for topic in partitionLayerConfig.servicebus.topics: { + name: topic.name + maxSizeInMegabytes: (contains(topic, 'maxSizeInMegabytes') ? topic.maxSizeInMegabytes : partitionLayerConfig.servicebus.defaultSize) + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + ] + subscriptions: topic.subscriptions + } + ] + } +}] + +// Output partitionStorage names output partitionStorageNames string[] = [for (partition, index) in partitions: partitionStorage[index].outputs.name] +output partitionServiceBusNames string[] = [for (partition, index) in partitions: partitonNamespace[index].outputs.name] diff --git a/bicep/modules/blade_service.bicep b/bicep/modules/blade_service.bicep index ed1ee792..b9486415 100644 --- a/bicep/modules/blade_service.bicep +++ b/bicep/modules/blade_service.bicep 
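Review bot: The new `partitonNamespace` module declares a `RootManageSharedAccessKey` rule with `Listen`, `Manage` and `Send` on the namespace and again on every topic, so each partition carries full-rights shared-access keys per topic although the rest of the stamp authenticates through the managed identity. Unless a consumer needs shared-key access, I would drop the per-topic `authorizationRules` and grant the application identity data-plane roles through the module's `roleAssignments`; if keys must stay, limit topic rules to what the consumer uses, e.g. `rights: [ 'Listen', 'Send' ]`. It is also worth confirming how the module's `disableLocalAuth` setting resolves here, since that decides whether these keys are usable at all. The symbol is misspelled (`partitonNamespace`), and the misspelling is carried into the `partitionServiceBusNames` output expression.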
@@ -27,6 +27,9 @@ param bladeConfig bladeSettings @description('The location of resources to deploy') param location string +@description('The tags to apply to the resources') +param tags object = {} + @description('Feature Flag to Enable Telemetry') param enableTelemetry bool @@ -77,10 +80,6 @@ param clusterAdminIds array @description('The address range to use for services') param serviceCidr string -@minLength(9) -@maxLength(18) -@description('The address range to use for the docker bridge') -param dockerBridgeCidr string @minLength(7) @maxLength(15) @@ -101,6 +100,9 @@ param identityId string @description('The name of the partition storage accounts') param partitionStorageNames string[] +@description('The name of the partition service bus namespaces') +param partitionServiceBusNames string[] + @description('Feature Flag to Load Software.') param enableSoftwareLoad bool @@ -114,8 +116,9 @@ param appSettings appConfigItem[] ///////////////////////////////// var serviceLayerConfig = { - // name: 'service' - // displayName: 'Service Resources' + registry: { + sku: 'Basic' + } cluster: { aksVersion: '1.28' meshVersion: 'asm-1-19' 
@@ -125,12 +128,88 @@ var serviceLayerConfig = { name: 'flux-system' url: softwareRepository == '' ? 'https://github.com/azure/osdu-developer' : softwareRepository branch: softwareBranch == '' ? '' : softwareBranch - tag: softwareTag == '' && softwareBranch == '' ? 'v0.10.0' : softwareTag + tag: softwareTag == '' && softwareBranch == '' ? 'v0.11.0' : softwareTag components: './stamp/components' applications: './stamp/applications' } } +///////////////////////////////// +// Existing Resources +///////////////////////////////// + +resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + name: managedIdentityName +} + +resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { + name: kvName +} + +resource keySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { + name: 'app-dev-sp-username' + parent: keyVault + + properties: { + value: applicationClientId + } +} + +/* +.______ _______ _______ __ _______.___________..______ ____ ____ +| _ \ | ____| / _____|| | / | || _ \ \ \ / / +| |_) | | |__ | | __ | | | (----`---| |----`| |_) | \ \/ / +| / | __| | | |_ | | | \ \ | | | / \_ _/ +| |\ \----.| |____ | |__| | | | .----) | | | | |\ \----. 
| | +| _| `._____||_______| \______| |__| |_______/ |__| | _| `._____| |__| +*/ + + + +module registry 'br/public:avm/res/container-registry/registry:0.1.1' = { + name: '${bladeConfig.sectionName}-container-registry' + params: { + name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' + location: location + + // Assign Tags + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) + + enableTelemetry: enableTelemetry + + // Hook up Diagnostics + diagnosticSettings: [ + { + workspaceResourceId: workspaceResourceId + } + ] + + // Configure Service + acrSku: serviceLayerConfig.registry.sku + + managedIdentities: { + systemAssigned: true + userAssignedResourceIds: [ + appIdentity.id + ] + } + + // Add Role Assignment + roleAssignments: [ + { + principalId: appIdentity.properties.principalId + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'AcrPull' + } + ] + } +} + /* - __ ___ __ __ .______ _______ .______ .__ __. _______ .___________. _______ _______. @@ -156,9 +235,12 @@ module cluster './aks_cluster.bicep' = { networkPlugin: serviceLayerConfig.cluster.networkPlugin // Assign Tags - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) // Configure Linking Items aksSubnetId: aksSubnetId @@ -169,7 +251,6 @@ module cluster './aks_cluster.bicep' = { // Configure VNET Injection serviceCidr: serviceCidr dnsServiceIP: dnsServiceIP - dockerBridgeCidr: dockerBridgeCidr // Configure Istio serviceMeshProfile: enableMonitoring ? 'Istio' : null 
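Review bot: In the hunk that adds the `registry` module, `userAssignedResourceIds: [ appIdentity.id ]` attaches the workload identity to the registry resource itself, which is not needed for the `AcrPull` assignment below it to work. It lets the registry act as a principal that elsewhere in this file is also given Key Vault, storage and App Configuration access. Unless something such as customer-managed-key encryption relies on it, I would reduce the block to `managedIdentities: { systemAssigned: true }` or add a comment naming what uses the attachment. `acrSku` is fixed to `Basic`, which as far as I know has no private-endpoint or firewall support, so a one-line comment recording that the registry is public-endpoint-only would help the next reader.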
@@ -271,48 +352,25 @@ module pool3 './aks_agent_pool.bicep' = { } -///////////////// -// Workload Identity Federated Credentials -///////////////// -module appIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.1.0' = { - name: '${bladeConfig.sectionName}-user-managed-identity' - params: { - // Required parameters - name: 'id-${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' - location: location - enableTelemetry: enableTelemetry - - // Only support 1. https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-considerations#concurrent-updates-arent-supported-user-assigned-managed-identities - federatedIdentityCredentials: [{ - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: cluster.outputs.aksOidcIssuerUrl - name: 'federated-ns_default' - subject: 'system:serviceaccount:default:workload-identity-sa' - }] - - // Assign Tags - tags: { - layer: bladeConfig.displayName - } - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { - name: kvName -} - -resource keySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { - name: 'app-dev-sp-username' - parent: keyVault - properties: { - value: applicationClientId +// Federated Credentials have to be sequentially added. Ensure depends on to do sequentially. 
+module federatedCredsDefaultNamespace './federated_identity.bicep' = { + name: '${bladeConfig.sectionName}-federated-cred-ns_default' + params: { + name: 'federated-ns_default' + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: cluster.outputs.aksOidcIssuerUrl + userAssignedIdentityName: appIdentity.name + subject: 'system:serviceaccount:default:workload-identity-sa' } + dependsOn: [ + cluster + ] } -module federatedCredsOsduAzure './federated_identity.bicep' = { +module federatedCredsOsduCoreNamespace './federated_identity.bicep' = { name: '${bladeConfig.sectionName}-federated-cred-ns_osdu-core' params: { name: 'federated-ns_osdu-core' @@ -320,16 +378,15 @@ module federatedCredsOsduAzure './federated_identity.bicep' = { 'api://AzureADTokenExchange' ] issuer: cluster.outputs.aksOidcIssuerUrl - userAssignedIdentityName: appIdentity.outputs.name + userAssignedIdentityName: appIdentity.name subject: 'system:serviceaccount:osdu-core:workload-identity-sa' } dependsOn: [ - appIdentity + federatedCredsDefaultNamespace ] } -// Federated Credentials have to be sequentially added. Ensure depends on. -module federatedCredsDevSample './federated_identity.bicep' = { +module federatedCredsDevSampleNamespace './federated_identity.bicep' = { name: '${bladeConfig.sectionName}-federated-cred-ns_dev-sample' params: { name: 'federated-ns_dev-sample' 
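Review bot: The federated credential added here trusts `system:serviceaccount:default:workload-identity-sa`, and the following hunks bind the same `appIdentity` to service accounts in `osdu-core`, `dev-sample` and `azappconfig-system`, so one principal holding the Key Vault, storage, App Configuration and `AcrPull` assignments is usable from four namespaces, including `default`. That is wider than any single workload needs; at minimum I would record the decision above the module, e.g. `// One identity is shared by all four namespaces; split per namespace when their role needs diverge.` The explicit `dependsOn: [ cluster ]` looks redundant, because `cluster.outputs.aksOidcIssuerUrl` already creates that dependency.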
@@ -337,15 +394,15 @@ module federatedCredsDevSample './federated_identity.bicep' = { 'api://AzureADTokenExchange' ] issuer: cluster.outputs.aksOidcIssuerUrl - userAssignedIdentityName: appIdentity.outputs.name + userAssignedIdentityName: appIdentity.name subject: 'system:serviceaccount:dev-sample:workload-identity-sa' } dependsOn: [ - federatedCredsOsduAzure + federatedCredsOsduCoreNamespace ] } -module federatedCredsConfigMaps './federated_identity.bicep' = { +module federatedCredsConfigMapsNamespace './federated_identity.bicep' = { name: '${bladeConfig.sectionName}-federated-cred-ns_config-maps' params: { name: 'federated-ns_azappconfig-system' 
@@ -353,34 +410,40 @@ module federatedCredsConfigMaps './federated_identity.bicep' = { 'api://AzureADTokenExchange' ] issuer: cluster.outputs.aksOidcIssuerUrl - userAssignedIdentityName: appIdentity.outputs.name + userAssignedIdentityName: appIdentity.name subject: 'system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider' } dependsOn: [ - federatedCredsDevSample + federatedCredsDevSampleNamespace ] } module appRoleAssignments './app_assignments.bicep' = { name: '${bladeConfig.sectionName}-user-managed-identity-rbac' params: { - identityprincipalId: appIdentity.outputs.principalId + identityprincipalId: appIdentity.properties.principalId kvName: kvName storageName: storageName } dependsOn: [ - federatedCredsConfigMaps + federatedCredsDefaultNamespace + federatedCredsOsduCoreNamespace + federatedCredsDevSampleNamespace + federatedCredsConfigMapsNamespace ] } module appRoleAssignments2 './app_assignments.bicep' = [for (name, index) in partitionStorageNames: { name: '${bladeConfig.sectionName}-user-managed-identity-rbac-${name}' params: { - identityprincipalId: appIdentity.outputs.principalId + identityprincipalId: appIdentity.properties.principalId storageName: name } dependsOn: [ - federatedCredsDevSample + federatedCredsDefaultNamespace + federatedCredsOsduCoreNamespace + federatedCredsDevSampleNamespace + federatedCredsConfigMapsNamespace ] }] 
@@ -415,6 +478,35 @@ module helmAppConfigProvider './aks-run-command/main.bicep' = { /__/ \__\ | _| | _| \______| \______/ |__| \__| |__| |__| \______| */ +//--------------Config Map--------------- +// These are common service helm chart values. +var common_helm_values = [ + { + name: 'AZURE_ISTIOAUTH_ENABLED' + value: 'true' + contentType: 'text/plain' + label: 'configmap-common-values' + } + { + name: 'AZURE_PAAS_PODIDENTITY_ISENABLED' + value: 'false' + contentType: 'text/plain' + label: 'configmap-common-values' + } + { + name: 'ACCEPT_HTTP' + value: 'true' + contentType: 'text/plain' + label: 'configmap-common-values' + } + { + name: 'SERVER_PORT' + value: '80' + contentType: 'text/plain' + label: 'configmap-common-values' + } +] + var settings = [ { name: 'Settings:Message' @@ -430,7 +522,7 @@ var settings = [ } { name: 'azure_msi_client_id' - value: appIdentity.outputs.clientId + value: appIdentity.properties.clientId contentType: 'text/plain' label: 'configmap-services' } 
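Review bot: `common_helm_values` sets `ACCEPT_HTTP` to `'true'` and `SERVER_PORT` to `'80'` for every service without saying where transport security is enforced; together with `AZURE_ISTIOAUTH_ENABLED` this presumably relies on the Istio sidecars, but the hunk does not state it. Add a comment above the variable, e.g. `// Services listen on plain HTTP :80; transport security and authn are expected from the Istio mesh.`, so that disabling the mesh is recognised as a security-relevant change. The `cluster` module only sets `serviceMeshProfile` to `'Istio'` when `enableMonitoring` is true (context line in the earlier cluster hunk), so it is worth confirming these values are still safe when monitoring is off.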
@@ -442,28 +534,46 @@ var settings = [ } ] +var partitionBusSettings = [for (name, i) in partitionServiceBusNames: { + name: 'partition_servicebus_name_${i}' + value: name + contentType: 'text/plain' + label: 'configmap-services' +}] + +var partitionStorageSettings = [for (name, i) in partitionStorageNames: { + name: 'partition_storage_name_${i}' + value: name + contentType: 'text/plain' + label: 'configmap-services' +}] + + module app_config './app-configuration/main.bicep' = { name: '${bladeConfig.sectionName}-appconfig' params: { resourceName: bladeConfig.sectionName location: location - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) // Add Role Assignment roleAssignments: [ { roleDefinitionIdOrName: 'App Configuration Data Reader' principalIds: [ - appIdentity.outputs.principalId + appIdentity.properties.principalId ] principalType: 'ServicePrincipal' } ] // Add Configuration - keyValues: concat(union(appSettings, settings)) + keyValues: concat(union(appSettings, settings, partitionStorageSettings, partitionBusSettings, common_helm_values)) } dependsOn: [ appRoleAssignments @@ -503,16 +613,16 @@ module appConfigMap './aks-config-map/main.bicep' = { name: 'config-map-values' namespace: 'default' - // newOrExistingManagedIdentity: 'existing' - // managedIdentityName: managedIdentityName - // existingManagedIdentitySubId: subscription().subscriptionId - // existingManagedIdentityResourceGroupName:resourceGroup().name + newOrExistingManagedIdentity: 'existing' + managedIdentityName: managedIdentityName + existingManagedIdentitySubId: subscription().subscriptionId + existingManagedIdentityResourceGroupName:resourceGroup().name // Order of items matters here. fileData: [ format(configMaps.appConfigTemplate, subscription().tenantId, - appIdentity.outputs.clientId, + appIdentity.properties.clientId, app_config.outputs.endpoint, kvUri, kvName, 
@@ -533,7 +643,7 @@ module appConfigMap './aks-config-map/main.bicep' = { */ //--------------Flux Config--------------- -module fluxConfiguration 'br/public:avm/res/kubernetes-configuration/flux-configuration:0.3.1' = if(enableSoftwareLoad) { +module fluxConfiguration 'br/public:avm/res/kubernetes-configuration/flux-configuration:0.3.3' = if(enableSoftwareLoad) { name: '${bladeConfig.sectionName}-cluster-gitops' params: { name: serviceLayerConfig.gitops.name @@ -598,9 +708,12 @@ module prometheus 'aks_prometheus.bicep' = if(enableMonitoring) { // Basic Details name: length(name) > 23 ? substring(name, 0, 23) : name location: location - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) publicNetworkAccess: 'Enabled' clusterName: cluster.outputs.aksClusterName @@ -614,9 +727,12 @@ module grafana 'aks_grafana.bicep' = if(enableMonitoring){ // Basic Details name: length(name) > 23 ? substring(name, 0, 23) : name location: location - tags: { - layer: bladeConfig.displayName - } + tags: union( + tags, + { + layer: bladeConfig.displayName + } + ) skuName: 'Standard' apiKey: 'Enabled' @@ -625,7 +741,8 @@ module grafana 'aks_grafana.bicep' = if(enableMonitoring){ publicNetworkAccess: 'Enabled' zoneRedundancy: 'Disabled' prometheusName: prometheus.outputs.name - // userId: userId - } } + +@description('The name of the container registry.') +output registryName string = registry.outputs.name diff --git a/bicep/modules/cosmos-db/main.bicep b/bicep/modules/cosmos-db/main.bicep index bbe07a8c..87e74c13 100644 --- a/bicep/modules/cosmos-db/main.bicep +++ b/bicep/modules/cosmos-db/main.bicep 
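Review bot: The `grafana` module keeps `apiKey: 'Enabled'` and `publicNetworkAccess: 'Enabled'`, and `prometheus` keeps `publicNetworkAccess: 'Enabled'`; these are unchanged context lines in the `@@ -598,9`, `@@ -614,9` and `@@ -625,7` hunks, with no explanation beside them. If this is intentional for a developer sandbox, say so in place, for example `// Public endpoint and API keys are left on for developer convenience; disable both for shared or long-lived environments.` The added `tags: union(tags, {...})` is fine as written. Both module bodies extend beyond the hunks shown.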
@@ -202,7 +202,7 @@ param kvKeyUri string = '' @description('Optional. Indicates if the module is used in a cross tenant scenario. If true, a resourceId must be provided in the role assignment\'s principal object.') param crossTenant bool = false -var name = 'dba-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' +var name = '${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' var diagnosticsLogs = [for log in logsToEnable: { diff --git a/bicep/modules/storage-account/main.bicep b/bicep/modules/storage-account/main.bicep index f1dc16df..fd04bac5 100644 --- a/bicep/modules/storage-account/main.bicep +++ b/bicep/modules/storage-account/main.bicep @@ -261,13 +261,13 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01 } } -resource tableServices 'Microsoft.Storage/storageAccounts/tableServices@2022-05-01' = { +resource tableServices 'Microsoft.Storage/storageAccounts/tableServices@2023-01-01' = { name: 'default' parent: storage properties: {} } -resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2022-05-01' = { +resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = { name: 'default' parent: storage properties: { @@ -279,7 +279,7 @@ resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2022-05-01 } } -resource storage_containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2022-05-01' = [for item in containers: { +resource storage_containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = [for item in containers: { parent: blobServices name: item properties: { 
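Review bot: Removing the `dba-` prefix from `var name` changes the computed name for every existing deployment. Assuming `name` is what the Cosmos DB account resource uses (not visible in this hunk), an incremental redeploy would create a new account and leave the old `dba-…` account in place with its data and keys. That should be called out in the change description, with a clean-up step for the old account. With the fixed prefix gone, the name now begins with whatever `resourceName` begins with, and nothing visible lowercases or bounds it, so a comment such as `// Account names: 3-44 chars, lowercase letters, digits and hyphens; resourceName is used as given.` would help.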
@@ -289,12 +289,12 @@ resource storage_containers 'Microsoft.Storage/storageAccounts/blobServices/cont } }] -resource storage_tables 'Microsoft.Storage/storageAccounts/tableServices/tables@2022-05-01' = [for item in tables: { +resource storage_tables 'Microsoft.Storage/storageAccounts/tableServices/tables@2023-01-01' = [for item in tables: { parent: tableServices name: item }] -resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2022-05-01' = [for item in shares: { +resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = [for item in shares: { parent: fileServices name: item properties: { @@ -305,7 +305,7 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2022-0 }] // Apply Resource Lock -resource resource_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { +resource resource_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock != 'NotSpecified') { name: '${storage.name}-${lock}-lock' properties: { level: lock diff --git a/charts/osdu-developer-base/templates/config-map-values.yaml b/charts/osdu-developer-base/templates/config-map-values.yaml new file mode 100644 index 00000000..8cc99cc5 --- /dev/null +++ b/charts/osdu-developer-base/templates/config-map-values.yaml @@ -0,0 +1,21 @@ +{{- $namespace := .Release.Namespace }} +apiVersion: azconfig.io/v1 +kind: AzureAppConfigurationProvider +metadata: + name: {{ include "osdu-developer.fullname" . }}-values + namespace: {{ $namespace }} +spec: + endpoint: {{ .Values.azure.configEndpoint }} + target: + configMapName: configmap-common-values + configMapData: + type: yaml + key: value.yaml + separator: "." + auth: + workloadIdentity: + managedIdentityClientId: {{ .Values.azure.clientId }} + configuration: + selectors: + - keyFilter: "*" + labelFilter: "configmap-common-values" \ No newline at end of file
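Review bot: In the new `config-map-values.yaml`, `endpoint` and `managedIdentityClientId` are rendered straight from `.Values.azure.configEndpoint` and `.Values.azure.clientId`, so a missing value produces an empty field that only fails later inside the cluster. Failing at template time is safer: `endpoint: {{ required "azure.configEndpoint is required" .Values.azure.configEndpoint | quote }}`, and the same pattern for `managedIdentityClientId`. `keyFilter: "*"` is bounded by `labelFilter: "configmap-common-values"`, so every key written under that label lands in the ConfigMap; a comment stating that the label must never carry secrets would make that explicit. The file also lacks a trailing newline.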