From 1f30db64628616a4f5001122be1542191d136768 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Mon, 30 Dec 2024 17:24:17 +0000 Subject: [PATCH 1/8] feat: Add Network Security Perimeter module with associated tests --- .../network-security-perimeter/README.md | 868 ++++++++++++++++++ .../network-security-perimeter/main.bicep | 241 +++++ .../network-security-perimeter/main.json | 797 ++++++++++++++++ .../profile/README.md | 155 ++++ .../profile/main.bicep | 71 ++ .../profile/main.json | 171 ++++ .../tests/e2e/defaults/main.test.bicep | 48 + .../tests/e2e/max/dependencies.bicep | 25 + .../tests/e2e/max/main.test.bicep | 115 +++ .../network-security-perimeter/version.json | 7 + 10 files changed, 2498 insertions(+) create mode 100644 avm/res/network/network-security-perimeter/README.md create mode 100644 avm/res/network/network-security-perimeter/main.bicep create mode 100644 avm/res/network/network-security-perimeter/main.json create mode 100644 avm/res/network/network-security-perimeter/profile/README.md create mode 100644 avm/res/network/network-security-perimeter/profile/main.bicep create mode 100644 avm/res/network/network-security-perimeter/profile/main.json create mode 100644 avm/res/network/network-security-perimeter/tests/e2e/defaults/main.test.bicep create mode 100644 avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep create mode 100644 avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep create mode 100644 avm/res/network/network-security-perimeter/version.json diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md new file mode 100644 index 0000000000..179c0810c7 --- /dev/null +++ b/avm/res/network/network-security-perimeter/README.md @@ -0,0 +1,868 @@ +# Network Security Perimeter `[Microsoft.Network/networkSecurityPerimeters]` + +This module deploys a Network Security Perimeter (NSP). + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.Network/networkSecurityPerimeters` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters) | +| `Microsoft.Network/networkSecurityPerimeters/profiles` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/profiles) | +| `Microsoft.Network/networkSecurityPerimeters/profiles/accessRules` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/profiles/accessRules) | +| `Microsoft.Network/networkSecurityPerimeters/resourceAssociations` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/resourceAssociations) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/res/network/network-security-perimeter:`. + +- [Using only defaults](#example-1-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Waf-Aligned](#example-3-waf-aligned) + +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module networkSecurityPerimeter 'br/public:avm/res/network/network-security-perimeter:' = { + name: 'networkSecurityPerimeterDeployment' + params: { + // Required parameters + name: 'nnspmin001' + // Non-required parameters + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nnspmin001" + }, + // Non-required parameters + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/network/network-security-perimeter:' + +// Required parameters +param name = 'nnspmin001' +// Non-required parameters +param location = '' +``` + +
+

+ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module networkSecurityPerimeter 'br/public:avm/res/network/network-security-perimeter:' = { + name: 'networkSecurityPerimeterDeployment' + params: { + // Required parameters + name: 'nnspmax001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + profiles: [ + { + accessRules: [ + { + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + name: 'rule-outbound-01' + } + { + addressPrefixes: [ + '198.168.1.0/24' + ] + direction: 'Inbound' + name: 'rule-inbound-01' + } + ] + name: 'profile-01' + } + ] + resourceAssociations: [ + { + accessMode: 'Learning' + privateLinkResource: '' + profile: 'profile-01' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nnspmax001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "profiles": { + "value": [ + { + "accessRules": [ + { + "direction": "Outbound", + "fullyQualifiedDomainNames": [ + "www.contoso.com" + ], + "name": "rule-outbound-01" + }, + { + "addressPrefixes": [ + "198.168.1.0/24" + ], + "direction": "Inbound", + "name": "rule-inbound-01" + } + ], + "name": "profile-01" + } + ] + }, + "resourceAssociations": { + "value": [ + { + "accessMode": "Learning", + "privateLinkResource": "", + "profile": "profile-01" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/network/network-security-perimeter:' + +// Required parameters +param name = 'nnspmax001' +// Non-required parameters +param diagnosticSettings = [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } +] +param location = '' +param lock = { + kind: 'CanNotDelete' + name: 'myCustomLockName' +} +param profiles = [ + { + accessRules: [ + { + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + name: 'rule-outbound-01' + } + { + addressPrefixes: [ + '198.168.1.0/24' + ] + direction: 'Inbound' + name: 'rule-inbound-01' + } + ] + name: 'profile-01' + } +] +param resourceAssociations = [ + { + accessMode: 'Learning' + privateLinkResource: '' + profile: 'profile-01' + } +] +param tags = { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Example 3: _Waf-Aligned_ + +

+ +via Bicep module + +```bicep +module networkSecurityPerimeter 'br/public:avm/res/network/network-security-perimeter:' = { + name: 'networkSecurityPerimeterDeployment' + params: { + // Required parameters + name: 'nnspwaf001' + // Non-required parameters + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nnspwaf001" + }, + // Non-required parameters + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/network/network-security-perimeter:' + +// Required parameters +param name = 'nnspwaf001' +// Non-required parameters +param location = '' +``` + +
+

+ +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Network Security Perimeter. | +| [`resourceAssociations`](#parameter-resourceassociations) | array | Array of resource associations to create. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`profiles`](#parameter-profiles) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-tags) | object | Tags of the NSG resource. | + +### Parameter: `name` + +Name of the Network Security Perimeter. + +- Required: Yes +- Type: string + +### Parameter: `resourceAssociations` + +Array of resource associations to create. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`privateLinkResource`](#parameter-resourceassociationsprivatelinkresource) | string | The resource identifier of the resource association. | +| [`profile`](#parameter-resourceassociationsprofile) | string | The name of the resource association. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessMode`](#parameter-resourceassociationsaccessmode) | string | The access mode of the resource association. | + +### Parameter: `resourceAssociations.privateLinkResource` + +The resource identifier of the resource association. + +- Required: Yes +- Type: string + +### Parameter: `resourceAssociations.profile` + +The name of the resource association. + +- Required: Yes +- Type: string + +### Parameter: `resourceAssociations.accessMode` + +The access mode of the resource association. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Audit' + 'Enforced' + 'Learning' + ] + ``` + +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. + +- Required: No +- Type: array + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. + +- Required: No +- Type: array + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | string | Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | string | Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs. | +| [`enabled`](#parameter-diagnosticsettingslogcategoriesandgroupsenabled) | bool | Enable or disable the category explicitly. Default is `true`. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.enabled` + +Enable or disable the category explicitly. Default is `true`. + +- Required: No +- Type: bool + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +The lock settings of the service. + +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | + +### Parameter: `lock.kind` + +Specify the type of lock. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` + +### Parameter: `lock.name` + +Specify the name of lock. + +- Required: No +- Type: string + +### Parameter: `profiles` + +Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessRules`](#parameter-profilesaccessrules) | array | Whether network traffic is allowed or denied. | +| [`name`](#parameter-profilesname) | string | The name of the network security perimeter profile. | + +### Parameter: `profiles.accessRules` + +Whether network traffic is allowed or denied. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`direction`](#parameter-profilesaccessrulesdirection) | string | Direction that specifies whether the access rules is inbound/outbound. | +| [`name`](#parameter-profilesaccessrulesname) | string | The name of the access rule. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-profilesaccessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s | +| [`emailAddresses`](#parameter-profilesaccessrulesemailaddresses) | array | Outbound rules email address format. | +| [`fullyQualifiedDomainNames`](#parameter-profilesaccessrulesfullyqualifieddomainnames) | array | Outbound rules fully qualified domain name format. | +| [`phoneNumbers`](#parameter-profilesaccessrulesphonenumbers) | array | Outbound rules phone number format. | +| [`serviceTags`](#parameter-profilesaccessrulesservicetags) | array | Inbound rules service tag names. | +| [`subscriptions`](#parameter-profilesaccessrulessubscriptions) | array | List of subscription ids. | + +### Parameter: `profiles.accessRules.direction` + +Direction that specifies whether the access rules is inbound/outbound. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` + +### Parameter: `profiles.accessRules.name` + +The name of the access rule. + +- Required: Yes +- Type: string + +### Parameter: `profiles.accessRules.addressPrefixes` + +Inbound address prefixes (IPv4/IPv6).s + +- Required: No +- Type: array + +### Parameter: `profiles.accessRules.emailAddresses` + +Outbound rules email address format. + +- Required: No +- Type: array + +### Parameter: `profiles.accessRules.fullyQualifiedDomainNames` + +Outbound rules fully qualified domain name format. + +- Required: No +- Type: array + +### Parameter: `profiles.accessRules.phoneNumbers` + +Outbound rules phone number format. + +- Required: No +- Type: array + +### Parameter: `profiles.accessRules.serviceTags` + +Inbound rules service tag names. + +- Required: No +- Type: array + +### Parameter: `profiles.accessRules.subscriptions` + +List of subscription ids. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`id`](#parameter-profilesaccessrulessubscriptionsid) | string | The subscription id. | + +### Parameter: `profiles.accessRules.subscriptions.id` + +The subscription id. + +- Required: Yes +- Type: string + +### Parameter: `profiles.name` + +The name of the network security perimeter profile. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignments to create. + +- Required: No +- Type: array +- Roles configurable by name: + - `'Contributor'` + - `'Network Contributor'` + - `'Owner'` + - `'Reader'` + - `'Role Based Access Control Administrator'` + - `'User Access Administrator'` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`name`](#parameter-roleassignmentsname) | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Version of the condition. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.name` + +The name (as GUID) of the role assignment. If not provided, a GUID will be generated. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `tags` + +Tags of the NSG resource. + +- Required: No +- Type: object + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the network security perimeter. | +| `resourceGroupName` | string | The resource group the network security perimeter was deployed into. | +| `resourceId` | string | The resource ID of the network security perimeter. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.4.1` | Remote reference | + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/res/network/network-security-perimeter/main.bicep b/avm/res/network/network-security-perimeter/main.bicep new file mode 100644 index 0000000000..5d136ef030 --- /dev/null +++ b/avm/res/network/network-security-perimeter/main.bicep @@ -0,0 +1,241 @@ +metadata name = 'Network Security Perimeter' +metadata description = 'This module deploys a Network Security Perimeter (NSP).' +metadata owner = 'Azure/module-maintainers' + +@description('Required. Name of the Network Security Perimeter.') +param name string + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.') +param profiles profilesType + +@description('Required. Array of resource associations to create.') +param resourceAssociations resourceAssociationsType + +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingLogsOnlyType[]? + +@description('Optional. The lock settings of the service.') +param lock lockType + +@description('Optional. Array of role assignments to create.') +param roleAssignments roleAssignmentType + +@description('Optional. Tags of the NSG resource.') +param tags object? + +@description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + '4d97b98b-1d4f-4787-a291-c67834d212e7' + ) + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' + ) + 'User Access Administrator': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' + ) +} + +var formattedRoleAssignments = [ + for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, { + roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains( + roleAssignment.roleDefinitionIdOrName, + '/providers/Microsoft.Authorization/roleDefinitions/' + ) + ? roleAssignment.roleDefinitionIdOrName + : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)) + }) +] + +#disable-next-line no-deployments-resources +resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) { + name: '46d3xbcp.res.network-networksecuritygroup.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } +} + +resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' = { + name: name + location: location + tags: tags +} + +module networkSecurityPerimeter_profiles 'profile/main.bicep' = [ + for (profile, index) in (profiles ?? []): { + name: '${uniqueString(deployment().name, location)}-nsp-profile-${index}' + params: { + networkPerimeterName: name + name: profile.name + accessRules: profile.accessRules + } + } +] + +resource networkSecurityPerimeter_resourceAssociations 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = [ + for (resourceAssociation, index) in (resourceAssociations ?? []): { + name: '${guid(resourceAssociation.privateLinkResource, name, resourceAssociation.profile)}-nsp-ra' + parent: networkSecurityPerimeter + properties: { + privateLinkResource: { + id: resourceAssociation.privateLinkResource + } + profile: { + #disable-next-line use-resource-id-functions + id: '${resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', name, resourceAssociation.profile)}' + } + accessMode: resourceAssociation.accessMode + } + dependsOn: [ + networkSecurityPerimeter_profiles + ] + } +] + +resource networkSecurityPerimeter_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' + scope: networkSecurityPerimeter + properties: { + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' + ? 'Cannot delete resource or child resources.' + : 'Cannot delete or modify the resource or child resources.' + } +} + +resource networkSecurityPerimeter_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [ + for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' + scope: networkSecurityPerimeter + properties: { + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: [ + for group in (diagnosticSetting.?logCategoriesAndGroups ?? [{ categoryGroup: 'allLogs' }]): { + categoryGroup: group.?categoryGroup + category: group.?category + enabled: group.?enabled ?? true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType + } + } +] + +resource networkSecurityPerimeter_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ + for (roleAssignment, index) in (formattedRoleAssignments ?? []): { + name: roleAssignment.?name ?? guid( + networkSecurityPerimeter.id, + roleAssignment.principalId, + roleAssignment.roleDefinitionId + ) + scope: networkSecurityPerimeter + properties: { + roleDefinitionId: roleAssignment.roleDefinitionId + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId + } + } +] + +@description('The resource group the network security perimeter was deployed into.') +output resourceGroupName string = resourceGroup().name + +@description('The resource ID of the network security perimeter.') +output resourceId string = networkSecurityPerimeter.id + +@description('The name of the network security perimeter.') +output name string = networkSecurityPerimeter.name + +@description('The location the resource was deployed into.') +output location string = networkSecurityPerimeter.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? + +type roleAssignmentType = { + @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.') + name: string? + + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? + +import { diagnosticSettingLogsOnlyType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' + +import { accessRulesType } from 'profile/main.bicep' + +type profilesType = { + @description('Required. The name of the network security perimeter profile.') + name: string + + @description('Required. Whether network traffic is allowed or denied.') + accessRules: accessRulesType +}[]? + +type resourceAssociationsType = { + @description('Required. The resource identifier of the resource association.') + privateLinkResource: string + + @description('Required. The name of the resource association.') + profile: string + + @description('Optional. The access mode of the resource association.') + accessMode: 'Learning' | 'Audit' | 'Enforced' +}[]? diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json new file mode 100644 index 0000000000..28cab46a0c --- /dev/null +++ b/avm/res/network/network-security-perimeter/main.json @@ -0,0 +1,797 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "8183748185340254689" + }, + "name": "Network Security Perimeter", + "description": "This module deploys a Network Security Perimeter (NSP).", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "profilesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the network security perimeter profile." + } + }, + "accessRules": { + "$ref": "#/definitions/accessRulesType", + "metadata": { + "description": "Required. Whether network traffic is allowed or denied." + } + } + } + }, + "nullable": true + }, + "resourceAssociationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "privateLinkResource": { + "type": "string", + "metadata": { + "description": "Required. The resource identifier of the resource association." + } + }, + "profile": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource association." + } + }, + "accessMode": { + "type": "string", + "allowedValues": [ + "Audit", + "Enforced", + "Learning" + ], + "metadata": { + "description": "Optional. The access mode of the resource association." + } + } + } + }, + "nullable": true + }, + "_1.subscriptionIdType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "profile/main.bicep" + } + } + }, + "accessRulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Direction that specifies whether the access rules is inbound/outbound." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "$ref": "#/definitions/_1.subscriptionIdType", + "metadata": { + "description": "Optional. List of subscription ids." + } + } + } + }, + "metadata": { + "description": "The access rule type.", + "__bicep_imported_from!": { + "sourceTemplate": "profile/main.bicep" + } + } + }, + "diagnosticSettingLogsOnlyType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a diagnostic setting. To be used if only logs are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Network Security Perimeter." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "profiles": { + "$ref": "#/definitions/profilesType", + "metadata": { + "description": "Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed." + } + }, + "resourceAssociations": { + "$ref": "#/definitions/resourceAssociationsType", + "metadata": { + "description": "Required. Array of resource associations to create." + } + }, + "diagnosticSettings": { + "type": "array", + "items": { + "$ref": "#/definitions/diagnosticSettingLogsOnlyType" + }, + "nullable": true, + "metadata": { + "description": "Optional. The diagnostic settings of the service." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the NSG resource." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "networkSecurityPerimeter": { + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]" + }, + "networkSecurityPerimeter_resourceAssociations": { + "copy": { + "name": "networkSecurityPerimeter_resourceAssociations", + "count": "[length(coalesce(parameters('resourceAssociations'), createArray()))]" + }, + "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('name'), format('{0}-nsp-ra', guid(coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].privateLinkResource, parameters('name'), coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].profile)))]", + "properties": { + "privateLinkResource": { + "id": "[coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].privateLinkResource]" + }, + "profile": { + "id": "[format('{0}', resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('name'), coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].profile))]" + }, + "accessMode": "[coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].accessMode]" + }, + "dependsOn": [ + "networkSecurityPerimeter", + "networkSecurityPerimeter_profiles" + ] + }, + "networkSecurityPerimeter_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/networkSecurityPerimeters/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "networkSecurityPerimeter" + ] + }, + "networkSecurityPerimeter_diagnosticSettings": { + "copy": { + "name": "networkSecurityPerimeter_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityPerimeters/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", + "input": { + "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", + "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "networkSecurityPerimeter" + ] + }, + "networkSecurityPerimeter_roleAssignments": { + "copy": { + "name": "networkSecurityPerimeter_roleAssignments", + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/networkSecurityPerimeters/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/networkSecurityPerimeters', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "networkSecurityPerimeter" + ] + }, + "networkSecurityPerimeter_profiles": { + "copy": { + "name": "networkSecurityPerimeter_profiles", + "count": "[length(coalesce(parameters('profiles'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-nsp-profile-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkPerimeterName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('profiles'), createArray())[copyIndex()].name]" + }, + "accessRules": { + "value": "[coalesce(parameters('profiles'), createArray())[copyIndex()].accessRules]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "5096305151549437249" + }, + "name": "Network Security Perimeter Profile", + "description": "This module deploys a Network Security Perimeter Profile.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "subscriptionIdType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true + }, + "accessRulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Direction that specifies whether the access rules is inbound/outbound." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "$ref": "#/definitions/subscriptionIdType", + "metadata": { + "description": "Optional. List of subscription ids." + } + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The access rule type." + } + } + }, + "parameters": { + "networkPerimeterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the network security perimeter profile." + } + }, + "accessRules": { + "$ref": "#/definitions/accessRulesType", + "metadata": { + "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." + } + } + }, + "resources": { + "networkSecurityPerimeter": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('networkPerimeterName')]" + }, + "networkSecurityPerimeter_profile": { + "type": "Microsoft.Network/networkSecurityPerimeters/profiles", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('networkPerimeterName'), parameters('name'))]" + }, + "nsp_accessRules": { + "copy": { + "name": "nsp_accessRules", + "count": "[length(parameters('accessRules'))]" + }, + "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), parameters('accessRules')[copyIndex()].name)]", + "properties": { + "addressPrefixes": "[tryGet(parameters('accessRules')[copyIndex()], 'addressPrefixes')]", + "direction": "[parameters('accessRules')[copyIndex()].direction]", + "emailAddresses": "[tryGet(parameters('accessRules')[copyIndex()], 'emailAddresses')]", + "fullyQualifiedDomainNames": "[tryGet(parameters('accessRules')[copyIndex()], 'fullyQualifiedDomainNames')]", + "phoneNumbers": "[tryGet(parameters('accessRules')[copyIndex()], 'phoneNumbers')]", + "serviceTags": "[tryGet(parameters('accessRules')[copyIndex()], 'serviceTags')]", + "subscriptions": "[tryGet(parameters('accessRules')[copyIndex()], 'subscriptions')]" + }, + "dependsOn": [ + "networkSecurityPerimeter_profile" + ] + } + } + } + } + } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the network security perimeter." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the network security perimeter." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('networkSecurityPerimeter', '2023-08-01-preview', 'full').location]" + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-security-perimeter/profile/README.md b/avm/res/network/network-security-perimeter/profile/README.md new file mode 100644 index 0000000000..97bc3f3bd1 --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/README.md @@ -0,0 +1,155 @@ +# Network Security Perimeter Profile `[Microsoft.Network/networkSecurityPerimeters/profiles]` + +This module deploys a Network Security Perimeter Profile. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/networkSecurityPerimeters/profiles` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/profiles) | +| `Microsoft.Network/networkSecurityPerimeters/profiles/accessRules` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/profiles/accessRules) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the network security perimeter profile. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkPerimeterName`](#parameter-networkperimetername) | string | The name of the parent network perimeter. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessRules`](#parameter-accessrules) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. | + +### Parameter: `name` + +The name of the network security perimeter profile. + +- Required: Yes +- Type: string + +### Parameter: `networkPerimeterName` + +The name of the parent network perimeter. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `accessRules` + +Static Members to create for the network group. Contains virtual networks to add to the network group. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`direction`](#parameter-accessrulesdirection) | string | Direction that specifies whether the access rules is inbound/outbound. | +| [`name`](#parameter-accessrulesname) | string | The name of the access rule. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-accessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s | +| [`emailAddresses`](#parameter-accessrulesemailaddresses) | array | Outbound rules email address format. | +| [`fullyQualifiedDomainNames`](#parameter-accessrulesfullyqualifieddomainnames) | array | Outbound rules fully qualified domain name format. | +| [`phoneNumbers`](#parameter-accessrulesphonenumbers) | array | Outbound rules phone number format. | +| [`serviceTags`](#parameter-accessrulesservicetags) | array | Inbound rules service tag names. | +| [`subscriptions`](#parameter-accessrulessubscriptions) | array | List of subscription ids. | + +### Parameter: `accessRules.direction` + +Direction that specifies whether the access rules is inbound/outbound. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` + +### Parameter: `accessRules.name` + +The name of the access rule. + +- Required: Yes +- Type: string + +### Parameter: `accessRules.addressPrefixes` + +Inbound address prefixes (IPv4/IPv6).s + +- Required: No +- Type: array + +### Parameter: `accessRules.emailAddresses` + +Outbound rules email address format. + +- Required: No +- Type: array + +### Parameter: `accessRules.fullyQualifiedDomainNames` + +Outbound rules fully qualified domain name format. + +- Required: No +- Type: array + +### Parameter: `accessRules.phoneNumbers` + +Outbound rules phone number format. + +- Required: No +- Type: array + +### Parameter: `accessRules.serviceTags` + +Inbound rules service tag names. + +- Required: No +- Type: array + +### Parameter: `accessRules.subscriptions` + +List of subscription ids. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`id`](#parameter-accessrulessubscriptionsid) | string | The subscription id. | + +### Parameter: `accessRules.subscriptions.id` + +The subscription id. + +- Required: Yes +- Type: string + +## Outputs + +_None_ diff --git a/avm/res/network/network-security-perimeter/profile/main.bicep b/avm/res/network/network-security-perimeter/profile/main.bicep new file mode 100644 index 0000000000..f99360ddcd --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/main.bicep @@ -0,0 +1,71 @@ +metadata name = 'Network Security Perimeter Profile' +metadata description = 'This module deploys a Network Security Perimeter Profile.' +metadata owner = 'Azure/module-maintainers' + +@description('Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment.') +param networkPerimeterName string + +@maxLength(64) +@description('Required. The name of the network security perimeter profile.') +param name string + +@description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.') +param accessRules accessRulesType + +resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' existing = { + name: networkPerimeterName +} + +resource networkSecurityPerimeter_profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-08-01-preview' = { + name: name + parent: networkSecurityPerimeter +} + +resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = [ + for (accessRule, index) in accessRules: { + name: accessRule.name + parent: networkSecurityPerimeter_profile + properties: { + addressPrefixes: accessRule.?addressPrefixes + direction: accessRule.direction + emailAddresses: accessRule.?emailAddresses + fullyQualifiedDomainNames: accessRule.?fullyQualifiedDomainNames + phoneNumbers: accessRule.?phoneNumbers + serviceTags: accessRule.?serviceTags + subscriptions: accessRule.?subscriptions + } + } +] + +type subscriptionIdType = { + @description('Required. The subscription id.') + id: string +}[]? + +@export() +@description('The access rule type.') +type accessRulesType = { + @description('Required. The name of the access rule.') + name: string + + @description('Required. Direction that specifies whether the access rules is inbound/outbound.') + direction: 'Inbound' | 'Outbound' + + @description('Optional. Inbound address prefixes (IPv4/IPv6).s') + addressPrefixes: string[]? + + @description('Optional. Outbound rules email address format.') + emailAddresses: string[]? + + @description('Optional. Outbound rules fully qualified domain name format.') + fullyQualifiedDomainNames: string[]? + + @description('Optional. Outbound rules phone number format.') + phoneNumbers: string[]? + + @description('Optional. Inbound rules service tag names.') + serviceTags: string[]? + + @description('Optional. List of subscription ids.') + subscriptions: subscriptionIdType +}[] diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json new file mode 100644 index 0000000000..b3b4ee50e7 --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -0,0 +1,171 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "5096305151549437249" + }, + "name": "Network Security Perimeter Profile", + "description": "This module deploys a Network Security Perimeter Profile.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "subscriptionIdType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true + }, + "accessRulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Direction that specifies whether the access rules is inbound/outbound." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "$ref": "#/definitions/subscriptionIdType", + "metadata": { + "description": "Optional. List of subscription ids." + } + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The access rule type." + } + } + }, + "parameters": { + "networkPerimeterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the network security perimeter profile." + } + }, + "accessRules": { + "$ref": "#/definitions/accessRulesType", + "metadata": { + "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." + } + } + }, + "resources": { + "networkSecurityPerimeter": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('networkPerimeterName')]" + }, + "networkSecurityPerimeter_profile": { + "type": "Microsoft.Network/networkSecurityPerimeters/profiles", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('networkPerimeterName'), parameters('name'))]" + }, + "nsp_accessRules": { + "copy": { + "name": "nsp_accessRules", + "count": "[length(parameters('accessRules'))]" + }, + "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), parameters('accessRules')[copyIndex()].name)]", + "properties": { + "addressPrefixes": "[tryGet(parameters('accessRules')[copyIndex()], 'addressPrefixes')]", + "direction": "[parameters('accessRules')[copyIndex()].direction]", + "emailAddresses": "[tryGet(parameters('accessRules')[copyIndex()], 'emailAddresses')]", + "fullyQualifiedDomainNames": "[tryGet(parameters('accessRules')[copyIndex()], 'fullyQualifiedDomainNames')]", + "phoneNumbers": "[tryGet(parameters('accessRules')[copyIndex()], 'phoneNumbers')]", + "serviceTags": "[tryGet(parameters('accessRules')[copyIndex()], 'serviceTags')]", + "subscriptions": "[tryGet(parameters('accessRules')[copyIndex()], 'subscriptions')]" + }, + "dependsOn": [ + "networkSecurityPerimeter_profile" + ] + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-security-perimeter/tests/e2e/defaults/main.test.bicep b/avm/res/network/network-security-perimeter/tests/e2e/defaults/main.test.bicep new file mode 100644 index 0000000000..f6149b6dbe --- /dev/null +++ b/avm/res/network/network-security-perimeter/tests/e2e/defaults/main.test.bicep @@ -0,0 +1,48 @@ +targetScope = 'subscription' + +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networksecurityperimeter-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnspmin' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + } + } +] diff --git a/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep b/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep new file mode 100644 index 0000000000..6dd99e1ed6 --- /dev/null +++ b/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep @@ -0,0 +1,25 @@ +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + publicNetworkAccess: 'Disabled' + networkAcls: { + defaultAction: 'Allow' + bypass: 'AzureServices' + } + } +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep new file mode 100644 index 0000000000..4f644585ff --- /dev/null +++ b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep @@ -0,0 +1,115 @@ +targetScope = 'subscription' + +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networksecurityperimeter-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnspmax' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}store${serviceShort}' + location: resourceLocation + } +} + +module diagnosticDependencies '../../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: resourceLocation + } +} + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + profiles: [ + { + name: 'profile-01' + accessRules: [ + { + name: 'rule-outbound-01' + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + } + { + name: 'rule-inbound-01' + direction: 'Inbound' + addressPrefixes: [ + '198.168.1.0/24' + ] + } + ] + } + ] + resourceAssociations: [ + { + profile: 'profile-01' + privateLinkResource: nestedDependencies.outputs.storageAccountResourceId + accessMode: 'Learning' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + } + } +] diff --git a/avm/res/network/network-security-perimeter/version.json b/avm/res/network/network-security-perimeter/version.json new file mode 100644 index 0000000000..a8eda31021 --- /dev/null +++ b/avm/res/network/network-security-perimeter/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.5", + "pathFilters": [ + "./main.json" + ] +} \ No newline at end of file From 8c30832eb7835c0eaa2211f0f4d6e7b48ec76db4 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Thu, 23 Jan 2025 06:17:31 +0000 Subject: [PATCH 2/8] Add WAF alignment test --- .../network-security-perimeter/README.md | 147 +++++++++++++++++- .../tests/e2e/max/main.test.bicep | 4 +- .../tests/e2e/waf-aligned/dependencies.bicep | 25 +++ .../tests/e2e/waf-aligned/main.test.bicep | 111 +++++++++++++ 4 files changed, 280 insertions(+), 7 deletions(-) create mode 100644 avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/main.test.bicep diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md index 179c0810c7..3659d8a933 100644 --- a/avm/res/network/network-security-perimeter/README.md +++ b/avm/res/network/network-security-perimeter/README.md @@ -32,8 +32,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/res/network/network-security-perimeter:`. - [Using only defaults](#example-1-using-only-defaults) -- [Using only defaults](#example-2-using-only-defaults) -- [Waf-Aligned](#example-3-waf-aligned) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -99,9 +99,9 @@ param location = ''

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -311,7 +311,10 @@ param tags = {

-### Example 3: _Waf-Aligned_ +### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. +

@@ -324,7 +327,49 @@ module networkSecurityPerimeter 'br/public:avm/res/network/network-security-peri // Required parameters name: 'nnspwaf001' // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] location: '' + profiles: [ + { + accessRules: [ + { + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + name: 'rule-outbound-01' + } + { + addressPrefixes: [ + '198.168.1.0/24' + ] + direction: 'Inbound' + name: 'rule-inbound-01' + } + ] + name: 'profile-01' + } + ] + resourceAssociations: [ + { + accessMode: 'Learning' + privateLinkResource: '' + profile: 'profile-01' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -346,8 +391,58 @@ module networkSecurityPerimeter 'br/public:avm/res/network/network-security-peri "value": "nnspwaf001" }, // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, "location": { "value": "" + }, + "profiles": { + "value": [ + { + "accessRules": [ + { + "direction": "Outbound", + "fullyQualifiedDomainNames": [ + "www.contoso.com" + ], + "name": "rule-outbound-01" + }, + { + "addressPrefixes": [ + "198.168.1.0/24" + ], + "direction": "Inbound", + "name": "rule-inbound-01" + } + ], + "name": "profile-01" + } + ] + }, + "resourceAssociations": { + "value": [ + { + "accessMode": "Learning", + "privateLinkResource": "", + "profile": "profile-01" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } @@ -366,7 +461,49 @@ using 'br/public:avm/res/network/network-security-perimeter:' // Required parameters param name = 'nnspwaf001' // Non-required parameters +param diagnosticSettings = [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } +] param location = '' +param profiles = [ + { + accessRules: [ + { + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + name: 'rule-outbound-01' + } + { + addressPrefixes: [ + '198.168.1.0/24' + ] + direction: 'Inbound' + name: 'rule-inbound-01' + } + ] + name: 'profile-01' + } +] +param resourceAssociations = [ + { + accessMode: 'Learning' + privateLinkResource: '' + profile: 'profile-01' + } +] +param tags = { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' +} ```
diff --git a/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep index 4f644585ff..b98d891919 100644 --- a/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep +++ b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using only defaults' -metadata description = 'This instance deploys the module with the minimum set of required parameters.' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' // ========== // // Parameters // diff --git a/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/dependencies.bicep b/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..6dd99e1ed6 --- /dev/null +++ b/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,25 @@ +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + publicNetworkAccess: 'Disabled' + networkAcls: { + defaultAction: 'Allow' + bypass: 'AzureServices' + } + } +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..0650a1d475 --- /dev/null +++ b/avm/res/network/network-security-perimeter/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,111 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networksecurityperimeter-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnspwaf' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}store${serviceShort}' + location: resourceLocation + } +} + +module diagnosticDependencies '../../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: resourceLocation + } +} + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + profiles: [ + { + name: 'profile-01' + accessRules: [ + { + name: 'rule-outbound-01' + direction: 'Outbound' + fullyQualifiedDomainNames: [ + 'www.contoso.com' + ] + } + { + name: 'rule-inbound-01' + direction: 'Inbound' + addressPrefixes: [ + '198.168.1.0/24' + ] + } + ] + } + ] + resourceAssociations: [ + { + profile: 'profile-01' + privateLinkResource: nestedDependencies.outputs.storageAccountResourceId + accessMode: 'Learning' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + } +] From 9090c325dcfc2b1ff13ba020de3418065c83c2df Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Thu, 23 Jan 2025 12:04:31 +0000 Subject: [PATCH 3/8] Add workflow --- ...res.network.network-security-perimeter.yml | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 .github/workflows/avm.res.network.network-security-perimeter.yml diff --git a/.github/workflows/avm.res.network.network-security-perimeter.yml b/.github/workflows/avm.res.network.network-security-perimeter.yml new file mode 100644 index 0000000000..7f70cfdea8 --- /dev/null +++ b/.github/workflows/avm.res.network.network-security-perimeter.yml @@ -0,0 +1,88 @@ +name: "avm.res.network.network-security-perimeter" + +on: + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + customLocation: + type: string + description: "Default location overwrite (e.g., eastus)" + required: false + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.res.network.network-security-perimeter.yml" + - "avm/res/network/network-security-perimeter/**" + - "utilities/pipelines/**" + - "!utilities/pipelines/platform/**" + - "!*/**/README.md" + +env: + modulePath: "avm/res/network/network-security-perimeter" + workflowPath: ".github/workflows/avm.res.network.network-security-perimeter.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-latest + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get module test file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + name: "Run" + permissions: + id-token: write # For OIDC + contents: write # For release tags + needs: + - job_initialize_pipeline + uses: ./.github/workflows/avm.template.module.yml + with: + workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}" + moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}" + psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}" + modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}" + secrets: inherit From 40c309224a1366608634a769bbd8f965decec7d0 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Thu, 23 Jan 2025 14:29:47 +0000 Subject: [PATCH 4/8] Fix static tests --- .github/CODEOWNERS | 1 + .github/ISSUE_TEMPLATE/avm_module_issue.yml | 1 + .../network-security-perimeter/README.md | 104 +++++++++--------- .../network-security-perimeter/main.bicep | 8 +- .../network-security-perimeter/main.json | 2 +- .../profile/README.md | 4 +- .../profile/main.bicep | 3 +- .../profile/main.json | 9 +- 8 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8fc0458129..e999c34754 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -133,6 +133,7 @@ /avm/res/network/network-interface/ @Azure/avm-res-network-networkinterface-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/res/network/network-manager/ @Azure/avm-res-network-networkmanager-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/res/network/network-security-group/ @Azure/avm-res-network-networksecuritygroup-module-owners-bicep @Azure/avm-module-reviewers-bicep +/avm/res/network/network-security-perimeter/ @Azure/avm-res-network-networksecurityperimeter-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/res/network/network-watcher/ @Azure/avm-res-network-networkwatcher-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/res/network/p2s-vpn-gateway/ @Azure/avm-res-network-p2svpngateway-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/res/network/private-dns-zone/ @Azure/avm-res-network-privatednszone-module-owners-bicep @Azure/avm-module-reviewers-bicep diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 0c32aa15a1..b2fef46f2f 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -168,6 +168,7 @@ body: - "avm/res/network/network-interface" - "avm/res/network/network-manager" - "avm/res/network/network-security-group" + - "avm/res/network/network-security-perimeter" - "avm/res/network/network-watcher" - "avm/res/network/p2s-vpn-gateway" - "avm/res/network/private-dns-zone" diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md index 3659d8a933..9109ac7668 100644 --- a/avm/res/network/network-security-perimeter/README.md +++ b/avm/res/network/network-security-perimeter/README.md @@ -516,7 +516,6 @@ param tags = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Network Security Perimeter. | -| [`resourceAssociations`](#parameter-resourceassociations) | array | Array of resource associations to create. | **Optional parameters** @@ -527,6 +526,7 @@ param tags = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`profiles`](#parameter-profiles) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | +| [`resourceAssociations`](#parameter-resourceassociations) | array | Array of resource associations to create. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | @@ -537,55 +537,6 @@ Name of the Network Security Perimeter. - Required: Yes - Type: string -### Parameter: `resourceAssociations` - -Array of resource associations to create. - -- Required: No -- Type: array - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`privateLinkResource`](#parameter-resourceassociationsprivatelinkresource) | string | The resource identifier of the resource association. | -| [`profile`](#parameter-resourceassociationsprofile) | string | The name of the resource association. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`accessMode`](#parameter-resourceassociationsaccessmode) | string | The access mode of the resource association. | - -### Parameter: `resourceAssociations.privateLinkResource` - -The resource identifier of the resource association. - -- Required: Yes -- Type: string - -### Parameter: `resourceAssociations.profile` - -The name of the resource association. - -- Required: Yes -- Type: string - -### Parameter: `resourceAssociations.accessMode` - -The access mode of the resource association. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Audit' - 'Enforced' - 'Learning' - ] - ``` - ### Parameter: `diagnosticSettings` The diagnostic settings of the service. @@ -782,7 +733,7 @@ Whether network traffic is allowed or denied. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`addressPrefixes`](#parameter-profilesaccessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s | +| [`addressPrefixes`](#parameter-profilesaccessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s. | | [`emailAddresses`](#parameter-profilesaccessrulesemailaddresses) | array | Outbound rules email address format. | | [`fullyQualifiedDomainNames`](#parameter-profilesaccessrulesfullyqualifieddomainnames) | array | Outbound rules fully qualified domain name format. | | [`phoneNumbers`](#parameter-profilesaccessrulesphonenumbers) | array | Outbound rules phone number format. | @@ -812,7 +763,7 @@ The name of the access rule. ### Parameter: `profiles.accessRules.addressPrefixes` -Inbound address prefixes (IPv4/IPv6).s +Inbound address prefixes (IPv4/IPv6).s. - Required: No - Type: array @@ -872,6 +823,55 @@ The name of the network security perimeter profile. - Required: Yes - Type: string +### Parameter: `resourceAssociations` + +Array of resource associations to create. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`privateLinkResource`](#parameter-resourceassociationsprivatelinkresource) | string | The resource identifier of the resource association. | +| [`profile`](#parameter-resourceassociationsprofile) | string | The name of the resource association. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessMode`](#parameter-resourceassociationsaccessmode) | string | The access mode of the resource association. | + +### Parameter: `resourceAssociations.privateLinkResource` + +The resource identifier of the resource association. + +- Required: Yes +- Type: string + +### Parameter: `resourceAssociations.profile` + +The name of the resource association. + +- Required: Yes +- Type: string + +### Parameter: `resourceAssociations.accessMode` + +The access mode of the resource association. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Audit' + 'Enforced' + 'Learning' + ] + ``` + ### Parameter: `roleAssignments` Array of role assignments to create. diff --git a/avm/res/network/network-security-perimeter/main.bicep b/avm/res/network/network-security-perimeter/main.bicep index 5d136ef030..76b485b315 100644 --- a/avm/res/network/network-security-perimeter/main.bicep +++ b/avm/res/network/network-security-perimeter/main.bicep @@ -11,7 +11,7 @@ param location string = resourceGroup().location @description('Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.') param profiles profilesType -@description('Required. Array of resource associations to create.') +@description('Optional. Array of resource associations to create.') param resourceAssociations resourceAssociationsType @description('Optional. The diagnostic settings of the service.') @@ -60,7 +60,7 @@ var formattedRoleAssignments = [ #disable-next-line no-deployments-resources resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) { - name: '46d3xbcp.res.network-networksecuritygroup.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + name: '46d3xbcp.res.network-nwsecurityperimeter.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' properties: { mode: 'Incremental' template: { @@ -106,7 +106,7 @@ resource networkSecurityPerimeter_resourceAssociations 'Microsoft.Network/networ #disable-next-line use-resource-id-functions id: '${resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', name, resourceAssociation.profile)}' } - accessMode: resourceAssociation.accessMode + accessMode: resourceAssociation.accessMode ?? 'Learning' } dependsOn: [ networkSecurityPerimeter_profiles @@ -237,5 +237,5 @@ type resourceAssociationsType = { profile: string @description('Optional. The access mode of the resource association.') - accessMode: 'Learning' | 'Audit' | 'Enforced' + accessMode: 'Learning' | 'Audit' | 'Enforced'? }[]? diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json index 28cab46a0c..d49b0e5b94 100644 --- a/avm/res/network/network-security-perimeter/main.json +++ b/avm/res/network/network-security-perimeter/main.json @@ -794,4 +794,4 @@ "value": "[reference('networkSecurityPerimeter', '2023-08-01-preview', 'full').location]" } } -} \ No newline at end of file +} diff --git a/avm/res/network/network-security-perimeter/profile/README.md b/avm/res/network/network-security-perimeter/profile/README.md index 97bc3f3bd1..26426c5944 100644 --- a/avm/res/network/network-security-perimeter/profile/README.md +++ b/avm/res/network/network-security-perimeter/profile/README.md @@ -67,7 +67,7 @@ Static Members to create for the network group. Contains virtual networks to add | Parameter | Type | Description | | :-- | :-- | :-- | -| [`addressPrefixes`](#parameter-accessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s | +| [`addressPrefixes`](#parameter-accessrulesaddressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s. | | [`emailAddresses`](#parameter-accessrulesemailaddresses) | array | Outbound rules email address format. | | [`fullyQualifiedDomainNames`](#parameter-accessrulesfullyqualifieddomainnames) | array | Outbound rules fully qualified domain name format. | | [`phoneNumbers`](#parameter-accessrulesphonenumbers) | array | Outbound rules phone number format. | @@ -97,7 +97,7 @@ The name of the access rule. ### Parameter: `accessRules.addressPrefixes` -Inbound address prefixes (IPv4/IPv6).s +Inbound address prefixes (IPv4/IPv6).s. - Required: No - Type: array diff --git a/avm/res/network/network-security-perimeter/profile/main.bicep b/avm/res/network/network-security-perimeter/profile/main.bicep index f99360ddcd..2494dc458b 100644 --- a/avm/res/network/network-security-perimeter/profile/main.bicep +++ b/avm/res/network/network-security-perimeter/profile/main.bicep @@ -43,7 +43,6 @@ type subscriptionIdType = { }[]? @export() -@description('The access rule type.') type accessRulesType = { @description('Required. The name of the access rule.') name: string @@ -51,7 +50,7 @@ type accessRulesType = { @description('Required. Direction that specifies whether the access rules is inbound/outbound.') direction: 'Inbound' | 'Outbound' - @description('Optional. Inbound address prefixes (IPv4/IPv6).s') + @description('Optional. Inbound address prefixes (IPv4/IPv6).s.') addressPrefixes: string[]? @description('Optional. Outbound rules email address format.') diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json index b3b4ee50e7..dcb335984e 100644 --- a/avm/res/network/network-security-perimeter/profile/main.json +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "5096305151549437249" + "templateHash": "9411570515213964908" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile.", @@ -56,7 +56,7 @@ }, "nullable": true, "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." } }, "emailAddresses": { @@ -108,8 +108,7 @@ } }, "metadata": { - "__bicep_export!": true, - "description": "The access rule type." + "__bicep_export!": true } } }, @@ -168,4 +167,4 @@ ] } } -} \ No newline at end of file +} From 2aa741976e9e82213691a7c00e112cf7d39d34f3 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Thu, 23 Jan 2025 14:43:23 +0000 Subject: [PATCH 5/8] Fix more static tests --- .../network-security-perimeter/README.md | 2 +- .../network-security-perimeter/main.json | 64 +++++++++++++------ .../profile/README.md | 8 ++- .../profile/main.bicep | 13 +++- .../profile/main.json | 46 +++++++++---- 5 files changed, 97 insertions(+), 36 deletions(-) diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md index 9109ac7668..881425cad9 100644 --- a/avm/res/network/network-security-perimeter/README.md +++ b/avm/res/network/network-security-perimeter/README.md @@ -719,7 +719,7 @@ Array of Security Rules to deploy to the Network Security Group. When not provid Whether network traffic is allowed or denied. -- Required: Yes +- Required: No - Type: array **Required parameters** diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json index d49b0e5b94..5762798dfb 100644 --- a/avm/res/network/network-security-perimeter/main.json +++ b/avm/res/network/network-security-perimeter/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "8183748185340254689" + "templateHash": "975290797092127058" }, "name": "Network Security Perimeter", "description": "This module deploys a Network Security Perimeter (NSP).", @@ -156,6 +156,7 @@ "Enforced", "Learning" ], + "nullable": true, "metadata": { "description": "Optional. The access mode of the resource association." } @@ -212,7 +213,7 @@ }, "nullable": true, "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." } }, "emailAddresses": { @@ -263,8 +264,8 @@ } } }, + "nullable": true, "metadata": { - "description": "The access rule type.", "__bicep_imported_from!": { "sourceTemplate": "profile/main.bicep" } @@ -391,7 +392,7 @@ "resourceAssociations": { "$ref": "#/definitions/resourceAssociationsType", "metadata": { - "description": "Required. Array of resource associations to create." + "description": "Optional. Array of resource associations to create." } }, "diagnosticSettings": { @@ -453,7 +454,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-nwsecurityperimeter.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -491,7 +492,7 @@ "profile": { "id": "[format('{0}', resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('name'), coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].profile))]" }, - "accessMode": "[coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].accessMode]" + "accessMode": "[coalesce(coalesce(parameters('resourceAssociations'), createArray())[copyIndex()].accessMode, 'Learning')]" }, "dependsOn": [ "networkSecurityPerimeter", @@ -598,7 +599,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "5096305151549437249" + "templateHash": "10525677449958227084" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile.", @@ -648,7 +649,7 @@ }, "nullable": true, "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s" + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." } }, "emailAddresses": { @@ -699,9 +700,9 @@ } } }, + "nullable": true, "metadata": { - "__bicep_export!": true, - "description": "The access rule type." + "__bicep_export!": true } } }, @@ -741,24 +742,47 @@ "nsp_accessRules": { "copy": { "name": "nsp_accessRules", - "count": "[length(parameters('accessRules'))]" + "count": "[length(coalesce(parameters('accessRules'), createArray()))]" }, "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", "apiVersion": "2023-08-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), parameters('accessRules')[copyIndex()].name)]", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), coalesce(parameters('accessRules'), createArray())[copyIndex()].name)]", "properties": { - "addressPrefixes": "[tryGet(parameters('accessRules')[copyIndex()], 'addressPrefixes')]", - "direction": "[parameters('accessRules')[copyIndex()].direction]", - "emailAddresses": "[tryGet(parameters('accessRules')[copyIndex()], 'emailAddresses')]", - "fullyQualifiedDomainNames": "[tryGet(parameters('accessRules')[copyIndex()], 'fullyQualifiedDomainNames')]", - "phoneNumbers": "[tryGet(parameters('accessRules')[copyIndex()], 'phoneNumbers')]", - "serviceTags": "[tryGet(parameters('accessRules')[copyIndex()], 'serviceTags')]", - "subscriptions": "[tryGet(parameters('accessRules')[copyIndex()], 'subscriptions')]" + "addressPrefixes": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]", + "direction": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]", + "emailAddresses": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]", + "fullyQualifiedDomainNames": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]", + "phoneNumbers": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]", + "serviceTags": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]", + "subscriptions": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" }, "dependsOn": [ "networkSecurityPerimeter_profile" ] } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed profile." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('networkPerimeterName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed profile." + }, + "value": "[parameters('name')]" + } } } } @@ -794,4 +818,4 @@ "value": "[reference('networkSecurityPerimeter', '2023-08-01-preview', 'full').location]" } } -} +} \ No newline at end of file diff --git a/avm/res/network/network-security-perimeter/profile/README.md b/avm/res/network/network-security-perimeter/profile/README.md index 26426c5944..7d6e6a0bdd 100644 --- a/avm/res/network/network-security-perimeter/profile/README.md +++ b/avm/res/network/network-security-perimeter/profile/README.md @@ -53,7 +53,7 @@ The name of the parent network perimeter. Required if the template is used in a Static Members to create for the network group. Contains virtual networks to add to the network group. -- Required: Yes +- Required: No - Type: array **Required parameters** @@ -152,4 +152,8 @@ The subscription id. ## Outputs -_None_ +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed profile. | +| `resourceGroupName` | string | The resource group the network security perimeter was deployed into. | +| `resourceId` | string | The resource ID of the deployed profile. | diff --git a/avm/res/network/network-security-perimeter/profile/main.bicep b/avm/res/network/network-security-perimeter/profile/main.bicep index 2494dc458b..d81f1b70ce 100644 --- a/avm/res/network/network-security-perimeter/profile/main.bicep +++ b/avm/res/network/network-security-perimeter/profile/main.bicep @@ -22,7 +22,7 @@ resource networkSecurityPerimeter_profile 'Microsoft.Network/networkSecurityPeri } resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = [ - for (accessRule, index) in accessRules: { + for (accessRule, index) in (accessRules ?? []): { name: accessRule.name parent: networkSecurityPerimeter_profile properties: { @@ -37,6 +37,15 @@ resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/a } ] +@description('The resource group the network security perimeter was deployed into.') +output resourceGroupName string = resourceGroup().name + +@description('The resource ID of the deployed profile.') +output resourceId string = networkSecurityPerimeter_profile.id + +@description('The name of the deployed profile.') +output name string = networkSecurityPerimeter_profile.name + type subscriptionIdType = { @description('Required. The subscription id.') id: string @@ -67,4 +76,4 @@ type accessRulesType = { @description('Optional. List of subscription ids.') subscriptions: subscriptionIdType -}[] +}[]? diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json index dcb335984e..4ddff0cee8 100644 --- a/avm/res/network/network-security-perimeter/profile/main.json +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "9411570515213964908" + "templateHash": "10525677449958227084" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile.", @@ -107,6 +107,7 @@ } } }, + "nullable": true, "metadata": { "__bicep_export!": true } @@ -148,23 +149,46 @@ "nsp_accessRules": { "copy": { "name": "nsp_accessRules", - "count": "[length(parameters('accessRules'))]" + "count": "[length(coalesce(parameters('accessRules'), createArray()))]" }, "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", "apiVersion": "2023-08-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), parameters('accessRules')[copyIndex()].name)]", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), coalesce(parameters('accessRules'), createArray())[copyIndex()].name)]", "properties": { - "addressPrefixes": "[tryGet(parameters('accessRules')[copyIndex()], 'addressPrefixes')]", - "direction": "[parameters('accessRules')[copyIndex()].direction]", - "emailAddresses": "[tryGet(parameters('accessRules')[copyIndex()], 'emailAddresses')]", - "fullyQualifiedDomainNames": "[tryGet(parameters('accessRules')[copyIndex()], 'fullyQualifiedDomainNames')]", - "phoneNumbers": "[tryGet(parameters('accessRules')[copyIndex()], 'phoneNumbers')]", - "serviceTags": "[tryGet(parameters('accessRules')[copyIndex()], 'serviceTags')]", - "subscriptions": "[tryGet(parameters('accessRules')[copyIndex()], 'subscriptions')]" + "addressPrefixes": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]", + "direction": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]", + "emailAddresses": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]", + "fullyQualifiedDomainNames": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]", + "phoneNumbers": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]", + "serviceTags": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]", + "subscriptions": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" }, "dependsOn": [ "networkSecurityPerimeter_profile" ] } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed profile." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('networkPerimeterName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed profile." + }, + "value": "[parameters('name')]" + } } -} +} \ No newline at end of file From 6412eaeaac1825d6f118de94b165cbd86f4185a4 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Thu, 23 Jan 2025 14:50:54 +0000 Subject: [PATCH 6/8] And even more fixes --- avm/res/network/network-security-perimeter/README.md | 2 +- avm/res/network/network-security-perimeter/main.json | 7 +++---- .../network/network-security-perimeter/profile/main.bicep | 4 ++-- .../network/network-security-perimeter/profile/main.json | 4 ++-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md index 881425cad9..9109ac7668 100644 --- a/avm/res/network/network-security-perimeter/README.md +++ b/avm/res/network/network-security-perimeter/README.md @@ -719,7 +719,7 @@ Array of Security Rules to deploy to the Network Security Group. When not provid Whether network traffic is allowed or denied. -- Required: No +- Required: Yes - Type: array **Required parameters** diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json index 5762798dfb..32e930f9a5 100644 --- a/avm/res/network/network-security-perimeter/main.json +++ b/avm/res/network/network-security-perimeter/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "975290797092127058" + "templateHash": "263456475017494995" }, "name": "Network Security Perimeter", "description": "This module deploys a Network Security Perimeter (NSP).", @@ -264,7 +264,6 @@ } } }, - "nullable": true, "metadata": { "__bicep_imported_from!": { "sourceTemplate": "profile/main.bicep" @@ -599,7 +598,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "10525677449958227084" + "templateHash": "13454714808954601034" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile.", @@ -700,7 +699,6 @@ } } }, - "nullable": true, "metadata": { "__bicep_export!": true } @@ -722,6 +720,7 @@ }, "accessRules": { "$ref": "#/definitions/accessRulesType", + "nullable": true, "metadata": { "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." } diff --git a/avm/res/network/network-security-perimeter/profile/main.bicep b/avm/res/network/network-security-perimeter/profile/main.bicep index d81f1b70ce..da4daf85d0 100644 --- a/avm/res/network/network-security-perimeter/profile/main.bicep +++ b/avm/res/network/network-security-perimeter/profile/main.bicep @@ -10,7 +10,7 @@ param networkPerimeterName string param name string @description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.') -param accessRules accessRulesType +param accessRules accessRulesType? resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' existing = { name: networkPerimeterName @@ -76,4 +76,4 @@ type accessRulesType = { @description('Optional. List of subscription ids.') subscriptions: subscriptionIdType -}[]? +}[] diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json index 4ddff0cee8..77978439c1 100644 --- a/avm/res/network/network-security-perimeter/profile/main.json +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "10525677449958227084" + "templateHash": "13454714808954601034" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile.", @@ -107,7 +107,6 @@ } } }, - "nullable": true, "metadata": { "__bicep_export!": true } @@ -129,6 +128,7 @@ }, "accessRules": { "$ref": "#/definitions/accessRulesType", + "nullable": true, "metadata": { "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." } From abb69f2b27e011d57ac0fec9dadbab83eade47e4 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Mon, 10 Feb 2025 09:18:37 +0000 Subject: [PATCH 7/8] Incorporate feedback --- .../network-security-perimeter/README.md | 88 +- .../network-security-perimeter/main.bicep | 68 +- .../network-security-perimeter/main.json | 840 +++++++++++------- .../profile/README.md | 4 +- .../profile/access-rule/README.md | 136 +++ .../profile/access-rule/main.bicep | 57 ++ .../profile/access-rule/main.json | 140 +++ .../profile/main.bicep | 30 +- .../profile/main.json | 369 +++++--- .../tests/e2e/max/dependencies.bicep | 11 + .../tests/e2e/max/main.test.bicep | 23 + .../network-security-perimeter/version.json | 2 +- 12 files changed, 1254 insertions(+), 514 deletions(-) create mode 100644 avm/res/network/network-security-perimeter/profile/access-rule/README.md create mode 100644 avm/res/network/network-security-perimeter/profile/access-rule/main.bicep create mode 100644 avm/res/network/network-security-perimeter/profile/access-rule/main.json diff --git a/avm/res/network/network-security-perimeter/README.md b/avm/res/network/network-security-perimeter/README.md index 9109ac7668..ddb33c6cd8 100644 --- a/avm/res/network/network-security-perimeter/README.md +++ b/avm/res/network/network-security-perimeter/README.md @@ -157,6 +157,25 @@ module networkSecurityPerimeter 'br/public:avm/res/network/network-security-peri profile: 'profile-01' } ] + roleAssignments: [ + { + name: 'b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8' + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Owner' + } + { + name: '' + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' + } + ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -235,6 +254,27 @@ module networkSecurityPerimeter 'br/public:avm/res/network/network-security-peri } ] }, + "roleAssignments": { + "value": [ + { + "name": "b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8", + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Owner" + }, + { + "name": "", + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" + } + ] + }, "tags": { "value": { "Environment": "Non-Prod", @@ -301,6 +341,25 @@ param resourceAssociations = [ profile: 'profile-01' } ] +param roleAssignments = [ + { + name: 'b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8' + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Owner' + } + { + name: '' + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' + } +] param tags = { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -712,21 +771,33 @@ Array of Security Rules to deploy to the Network Security Group. When not provid | Parameter | Type | Description | | :-- | :-- | :-- | -| [`accessRules`](#parameter-profilesaccessrules) | array | Whether network traffic is allowed or denied. | | [`name`](#parameter-profilesname) | string | The name of the network security perimeter profile. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessRules`](#parameter-profilesaccessrules) | array | Whether network traffic is allowed or denied. | + +### Parameter: `profiles.name` + +The name of the network security perimeter profile. + +- Required: Yes +- Type: string + ### Parameter: `profiles.accessRules` Whether network traffic is allowed or denied. -- Required: Yes +- Required: No - Type: array **Required parameters** | Parameter | Type | Description | | :-- | :-- | :-- | -| [`direction`](#parameter-profilesaccessrulesdirection) | string | Direction that specifies whether the access rules is inbound/outbound. | +| [`direction`](#parameter-profilesaccessrulesdirection) | string | The type for an access rule. | | [`name`](#parameter-profilesaccessrulesname) | string | The name of the access rule. | **Optional parameters** @@ -742,7 +813,7 @@ Whether network traffic is allowed or denied. ### Parameter: `profiles.accessRules.direction` -Direction that specifies whether the access rules is inbound/outbound. +The type for an access rule. - Required: Yes - Type: string @@ -816,13 +887,6 @@ The subscription id. - Required: Yes - Type: string -### Parameter: `profiles.name` - -The name of the network security perimeter profile. - -- Required: Yes -- Type: string - ### Parameter: `resourceAssociations` Array of resource associations to create. @@ -998,7 +1062,7 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.4.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference | ## Data Collection diff --git a/avm/res/network/network-security-perimeter/main.bicep b/avm/res/network/network-security-perimeter/main.bicep index 76b485b315..7f2b18d22b 100644 --- a/avm/res/network/network-security-perimeter/main.bicep +++ b/avm/res/network/network-security-perimeter/main.bicep @@ -1,6 +1,5 @@ metadata name = 'Network Security Perimeter' metadata description = 'This module deploys a Network Security Perimeter (NSP).' -metadata owner = 'Azure/module-maintainers' @description('Required. Name of the Network Security Perimeter.') param name string @@ -9,19 +8,22 @@ param name string param location string = resourceGroup().location @description('Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.') -param profiles profilesType +param profiles profileType[]? @description('Optional. Array of resource associations to create.') -param resourceAssociations resourceAssociationsType +param resourceAssociations resourceAssociationType[]? +import { diagnosticSettingLogsOnlyType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingLogsOnlyType[]? +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? @description('Optional. Tags of the NSG resource.') param tags object? @@ -89,7 +91,7 @@ module networkSecurityPerimeter_profiles 'profile/main.bicep' = [ params: { networkPerimeterName: name name: profile.name - accessRules: profile.accessRules + accessRules: profile.?accessRules } } ] @@ -183,53 +185,21 @@ output location string = networkSecurityPerimeter.location // Definitions // // =============== // -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? +import { accessRuleType } from 'profile/main.bicep' - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.') - name: string? - - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -import { diagnosticSettingLogsOnlyType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' - -import { accessRulesType } from 'profile/main.bicep' - -type profilesType = { +@export() +@description('The type for a profile.') +type profileType = { @description('Required. The name of the network security perimeter profile.') name: string - @description('Required. Whether network traffic is allowed or denied.') - accessRules: accessRulesType -}[]? + @description('Optional. Whether network traffic is allowed or denied.') + accessRules: accessRuleType[]? +} -type resourceAssociationsType = { +@export() +@description('The type for a resource association.') +type resourceAssociationType = { @description('Required. The resource identifier of the resource association.') privateLinkResource: string @@ -238,4 +208,4 @@ type resourceAssociationsType = { @description('Optional. The access mode of the resource association.') accessMode: 'Learning' | 'Audit' | 'Enforced'? -}[]? +} diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json index 32e930f9a5..bf0183d09e 100644 --- a/avm/res/network/network-security-perimeter/main.json +++ b/avm/res/network/network-security-perimeter/main.json @@ -5,266 +5,161 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "263456475017494995" + "version": "0.33.93.31351", + "templateHash": "15151011846661806559" }, "name": "Network Security Perimeter", - "description": "This module deploys a Network Security Perimeter (NSP).", - "owner": "Azure/module-maintainers" + "description": "This module deploys a Network Security Perimeter (NSP)." }, "definitions": { - "lockType": { + "profileType": { "type": "object", "properties": { "name": { "type": "string", - "nullable": true, "metadata": { - "description": "Optional. Specify the name of lock." + "description": "Required. The name of the network security perimeter profile." } }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], + "accessRules": { + "type": "array", + "items": { + "$ref": "#/definitions/accessRuleType" + }, "nullable": true, "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. Whether network traffic is allowed or denied." } } }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true + "metadata": { + "__bicep_export!": true, + "description": "The type for a profile." + } }, - "profilesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the network security perimeter profile." - } - }, - "accessRules": { - "$ref": "#/definitions/accessRulesType", - "metadata": { - "description": "Required. Whether network traffic is allowed or denied." - } + "resourceAssociationType": { + "type": "object", + "properties": { + "privateLinkResource": { + "type": "string", + "metadata": { + "description": "Required. The resource identifier of the resource association." } - } - }, - "nullable": true - }, - "resourceAssociationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "privateLinkResource": { - "type": "string", - "metadata": { - "description": "Required. The resource identifier of the resource association." - } - }, - "profile": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource association." - } - }, - "accessMode": { - "type": "string", - "allowedValues": [ - "Audit", - "Enforced", - "Learning" - ], - "nullable": true, - "metadata": { - "description": "Optional. The access mode of the resource association." - } + }, + "profile": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource association." } - } - }, - "nullable": true - }, - "_1.subscriptionIdType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string", - "metadata": { - "description": "Required. The subscription id." - } + }, + "accessMode": { + "type": "string", + "allowedValues": [ + "Audit", + "Enforced", + "Learning" + ], + "nullable": true, + "metadata": { + "description": "Optional. The access mode of the resource association." } } }, - "nullable": true, "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "profile/main.bicep" - } + "__bicep_export!": true, + "description": "The type for a resource association." } }, - "accessRulesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the access rule." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Direction that specifies whether the access rules is inbound/outbound." - } + "accessRuleType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" }, - "addressPrefixes": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." - } + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" }, - "emailAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules email address format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" }, - "fullyQualifiedDomainNames": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules fully qualified domain name format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" }, - "phoneNumbers": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules phone number format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" }, - "serviceTags": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound rules service tag names." + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } } }, - "subscriptions": { - "$ref": "#/definitions/_1.subscriptionIdType", - "metadata": { - "description": "Optional. List of subscription ids." - } + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." } } }, "metadata": { + "description": "The type for an access rule.", "__bicep_imported_from!": { "sourceTemplate": "profile/main.bicep" } @@ -363,7 +258,112 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if only logs are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -383,13 +383,21 @@ } }, "profiles": { - "$ref": "#/definitions/profilesType", + "type": "array", + "items": { + "$ref": "#/definitions/profileType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed." } }, "resourceAssociations": { - "$ref": "#/definitions/resourceAssociationsType", + "type": "array", + "items": { + "$ref": "#/definitions/resourceAssociationType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of resource associations to create." } @@ -406,12 +414,17 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } @@ -587,7 +600,7 @@ "value": "[coalesce(parameters('profiles'), createArray())[copyIndex()].name]" }, "accessRules": { - "value": "[coalesce(parameters('profiles'), createArray())[copyIndex()].accessRules]" + "value": "[tryGet(coalesce(parameters('profiles'), createArray())[copyIndex()], 'accessRules')]" } }, "template": { @@ -597,110 +610,104 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "13454714808954601034" + "version": "0.33.93.31351", + "templateHash": "2297736787884946512" }, "name": "Network Security Perimeter Profile", - "description": "This module deploys a Network Security Perimeter Profile.", - "owner": "Azure/module-maintainers" + "description": "This module deploys a Network Security Perimeter Profile." }, "definitions": { - "subscriptionIdType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string", - "metadata": { - "description": "Required. The subscription id." - } + "accessRuleType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." } - } - }, - "nullable": true - }, - "accessRulesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the access rule." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Direction that specifies whether the access rules is inbound/outbound." - } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" }, - "addressPrefixes": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." - } + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" }, - "emailAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules email address format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" }, - "fullyQualifiedDomainNames": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules fully qualified domain name format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" }, - "phoneNumbers": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules phone number format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" }, - "serviceTags": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound rules service tag names." + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } } }, - "subscriptions": { - "$ref": "#/definitions/subscriptionIdType", - "metadata": { - "description": "Optional. List of subscription ids." - } + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." } } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for an access rule." } } }, @@ -719,7 +726,10 @@ } }, "accessRules": { - "$ref": "#/definitions/accessRulesType", + "type": "array", + "items": { + "$ref": "#/definitions/accessRuleType" + }, "nullable": true, "metadata": { "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." @@ -743,21 +753,187 @@ "name": "nsp_accessRules", "count": "[length(coalesce(parameters('accessRules'), createArray()))]" }, - "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", - "apiVersion": "2023-08-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), coalesce(parameters('accessRules'), createArray())[copyIndex()].name)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-nsp-accessrule-{1}', uniqueString(deployment().name), copyIndex())]", "properties": { - "addressPrefixes": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]", - "direction": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]", - "emailAddresses": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]", - "fullyQualifiedDomainNames": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]", - "phoneNumbers": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]", - "serviceTags": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]", - "subscriptions": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" - }, - "dependsOn": [ - "networkSecurityPerimeter_profile" - ] + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkPerimeterName": { + "value": "[parameters('networkPerimeterName')]" + }, + "networkPerimeterProfileName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].name]" + }, + "addressPrefixes": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]" + }, + "direction": { + "value": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]" + }, + "emailAddresses": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]" + }, + "fullyQualifiedDomainNames": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]" + }, + "phoneNumbers": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]" + }, + "serviceTags": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]" + }, + "subscriptions": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.33.93.31351", + "templateHash": "18212192177654041784" + }, + "name": "Network Security Perimeter Access Rule", + "description": "This module deploys a Network Security Perimeter Access Rule." + }, + "parameters": { + "networkPerimeterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment." + } + }, + "networkPerimeterProfileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." + } + } + }, + "resources": { + "networkPerimeter::networkSecurityPerimeterProfile": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters/profiles", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'))]" + }, + "networkPerimeter": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('networkPerimeterName')]" + }, + "nsp_accessRules": { + "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", + "properties": { + "addressPrefixes": "[parameters('addressPrefixes')]", + "direction": "[parameters('direction')]", + "emailAddresses": "[parameters('emailAddresses')]", + "fullyQualifiedDomainNames": "[parameters('fullyQualifiedDomainNames')]", + "phoneNumbers": "[parameters('phoneNumbers')]", + "serviceTags": "[parameters('serviceTags')]", + "subscriptions": "[parameters('subscriptions')]" + } + } + } + } + } } }, "outputs": { diff --git a/avm/res/network/network-security-perimeter/profile/README.md b/avm/res/network/network-security-perimeter/profile/README.md index 7d6e6a0bdd..51809bf301 100644 --- a/avm/res/network/network-security-perimeter/profile/README.md +++ b/avm/res/network/network-security-perimeter/profile/README.md @@ -60,7 +60,7 @@ Static Members to create for the network group. Contains virtual networks to add | Parameter | Type | Description | | :-- | :-- | :-- | -| [`direction`](#parameter-accessrulesdirection) | string | Direction that specifies whether the access rules is inbound/outbound. | +| [`direction`](#parameter-accessrulesdirection) | string | The type for an access rule. | | [`name`](#parameter-accessrulesname) | string | The name of the access rule. | **Optional parameters** @@ -76,7 +76,7 @@ Static Members to create for the network group. Contains virtual networks to add ### Parameter: `accessRules.direction` -Direction that specifies whether the access rules is inbound/outbound. +The type for an access rule. - Required: Yes - Type: string diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/README.md b/avm/res/network/network-security-perimeter/profile/access-rule/README.md new file mode 100644 index 0000000000..0b455b4844 --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/access-rule/README.md @@ -0,0 +1,136 @@ +# Network Security Perimeter Access Rule `[Microsoft.Network/networkSecurityPerimeters/profiles/accessRules]` + +This module deploys a Network Security Perimeter Access Rule. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/networkSecurityPerimeters/profiles/accessRules` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-08-01-preview/networkSecurityPerimeters/profiles/accessRules) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`direction`](#parameter-direction) | string | The type for an access rule. | +| [`name`](#parameter-name) | string | The name of the access rule. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkPerimeterName`](#parameter-networkperimetername) | string | The name of the parent network perimeter. Required if the template is used in a standalone deployment. | +| [`networkPerimeterProfileName`](#parameter-networkperimeterprofilename) | string | The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-addressprefixes) | array | Inbound address prefixes (IPv4/IPv6).s. | +| [`emailAddresses`](#parameter-emailaddresses) | array | Outbound rules email address format. | +| [`fullyQualifiedDomainNames`](#parameter-fullyqualifieddomainnames) | array | Outbound rules fully qualified domain name format. | +| [`phoneNumbers`](#parameter-phonenumbers) | array | Outbound rules phone number format. | +| [`serviceTags`](#parameter-servicetags) | array | Inbound rules service tag names. | +| [`subscriptions`](#parameter-subscriptions) | array | List of subscription ids. | + +### Parameter: `direction` + +The type for an access rule. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` + +### Parameter: `name` + +The name of the access rule. + +- Required: Yes +- Type: string + +### Parameter: `networkPerimeterName` + +The name of the parent network perimeter. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `networkPerimeterProfileName` + +The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `addressPrefixes` + +Inbound address prefixes (IPv4/IPv6).s. + +- Required: No +- Type: array + +### Parameter: `emailAddresses` + +Outbound rules email address format. + +- Required: No +- Type: array + +### Parameter: `fullyQualifiedDomainNames` + +Outbound rules fully qualified domain name format. + +- Required: No +- Type: array + +### Parameter: `phoneNumbers` + +Outbound rules phone number format. + +- Required: No +- Type: array + +### Parameter: `serviceTags` + +Inbound rules service tag names. + +- Required: No +- Type: array + +### Parameter: `subscriptions` + +List of subscription ids. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`id`](#parameter-subscriptionsid) | string | The subscription id. | + +### Parameter: `subscriptions.id` + +The subscription id. + +- Required: Yes +- Type: string + +## Outputs + +_None_ diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep b/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep new file mode 100644 index 0000000000..bf8c721c45 --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep @@ -0,0 +1,57 @@ +metadata name = 'Network Security Perimeter Access Rule' +metadata description = 'This module deploys a Network Security Perimeter Access Rule.' + +@description('Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment.') +param networkPerimeterName string + +@description('Conditional. The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment.') +param networkPerimeterProfileName string + +@description('Required. The name of the access rule.') +param name string + +@description('Optional. Inbound address prefixes (IPv4/IPv6).s.') +param addressPrefixes string[]? + +@description('Required. The type for an access rule.') +param direction 'Inbound' | 'Outbound' + +@description('Optional. Outbound rules email address format.') +param emailAddresses string[]? + +@description('Optional. Outbound rules fully qualified domain name format.') +param fullyQualifiedDomainNames string[]? + +@description('Optional. Outbound rules phone number format.') +param phoneNumbers string[]? + +@description('Optional. Inbound rules service tag names.') +param serviceTags string[]? + +@description('Optional. List of subscription ids.') +param subscriptions { + @description('Required. The subscription id.') + id: string +}[]? + +resource networkPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' existing = { + name: networkPerimeterName + + resource networkSecurityPerimeterProfile 'profiles@2023-08-01-preview' existing = { + name: networkPerimeterProfileName + } +} + +resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = { + name: name + parent: networkPerimeter::networkSecurityPerimeterProfile + properties: { + addressPrefixes: addressPrefixes + direction: direction + emailAddresses: emailAddresses + fullyQualifiedDomainNames: fullyQualifiedDomainNames + phoneNumbers: phoneNumbers + serviceTags: serviceTags + subscriptions: subscriptions + } +} diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/main.json b/avm/res/network/network-security-perimeter/profile/access-rule/main.json new file mode 100644 index 0000000000..2b3daf327b --- /dev/null +++ b/avm/res/network/network-security-perimeter/profile/access-rule/main.json @@ -0,0 +1,140 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.33.93.31351", + "templateHash": "18212192177654041784" + }, + "name": "Network Security Perimeter Access Rule", + "description": "This module deploys a Network Security Perimeter Access Rule." + }, + "parameters": { + "networkPerimeterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment." + } + }, + "networkPerimeterProfileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." + } + } + }, + "resources": { + "networkPerimeter::networkSecurityPerimeterProfile": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters/profiles", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'))]" + }, + "networkPerimeter": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('networkPerimeterName')]" + }, + "nsp_accessRules": { + "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", + "properties": { + "addressPrefixes": "[parameters('addressPrefixes')]", + "direction": "[parameters('direction')]", + "emailAddresses": "[parameters('emailAddresses')]", + "fullyQualifiedDomainNames": "[parameters('fullyQualifiedDomainNames')]", + "phoneNumbers": "[parameters('phoneNumbers')]", + "serviceTags": "[parameters('serviceTags')]", + "subscriptions": "[parameters('subscriptions')]" + } + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-security-perimeter/profile/main.bicep b/avm/res/network/network-security-perimeter/profile/main.bicep index da4daf85d0..bb358d67c5 100644 --- a/avm/res/network/network-security-perimeter/profile/main.bicep +++ b/avm/res/network/network-security-perimeter/profile/main.bicep @@ -1,6 +1,5 @@ metadata name = 'Network Security Perimeter Profile' metadata description = 'This module deploys a Network Security Perimeter Profile.' -metadata owner = 'Azure/module-maintainers' @description('Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment.') param networkPerimeterName string @@ -10,7 +9,7 @@ param networkPerimeterName string param name string @description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.') -param accessRules accessRulesType? +param accessRules accessRuleType[]? resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' existing = { name: networkPerimeterName @@ -21,11 +20,13 @@ resource networkSecurityPerimeter_profile 'Microsoft.Network/networkSecurityPeri parent: networkSecurityPerimeter } -resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = [ +module nsp_accessRules 'access-rule/main.bicep' = [ for (accessRule, index) in (accessRules ?? []): { - name: accessRule.name - parent: networkSecurityPerimeter_profile - properties: { + name: '${uniqueString(deployment().name)}-nsp-accessrule-${index}' + params: { + networkPerimeterName: networkPerimeterName + networkPerimeterProfileName: name + name: accessRule.name addressPrefixes: accessRule.?addressPrefixes direction: accessRule.direction emailAddresses: accessRule.?emailAddresses @@ -46,17 +47,13 @@ output resourceId string = networkSecurityPerimeter_profile.id @description('The name of the deployed profile.') output name string = networkSecurityPerimeter_profile.name -type subscriptionIdType = { - @description('Required. The subscription id.') - id: string -}[]? - @export() -type accessRulesType = { +@description('The type for an access rule.') +type accessRuleType = { @description('Required. The name of the access rule.') name: string - @description('Required. Direction that specifies whether the access rules is inbound/outbound.') + @description('Required. The type for an access rule.') direction: 'Inbound' | 'Outbound' @description('Optional. Inbound address prefixes (IPv4/IPv6).s.') @@ -75,5 +72,8 @@ type accessRulesType = { serviceTags: string[]? @description('Optional. List of subscription ids.') - subscriptions: subscriptionIdType -}[] + subscriptions: { + @description('Required. The subscription id.') + id: string + }[]? +} diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json index 77978439c1..f239acdbb3 100644 --- a/avm/res/network/network-security-perimeter/profile/main.json +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -5,110 +5,104 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "13454714808954601034" + "version": "0.33.93.31351", + "templateHash": "2297736787884946512" }, "name": "Network Security Perimeter Profile", - "description": "This module deploys a Network Security Perimeter Profile.", - "owner": "Azure/module-maintainers" + "description": "This module deploys a Network Security Perimeter Profile." }, "definitions": { - "subscriptionIdType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string", - "metadata": { - "description": "Required. The subscription id." - } + "accessRuleType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." } - } - }, - "nullable": true - }, - "accessRulesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the access rule." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Direction that specifies whether the access rules is inbound/outbound." - } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" }, - "addressPrefixes": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." - } + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" }, - "emailAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules email address format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" }, - "fullyQualifiedDomainNames": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules fully qualified domain name format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" }, - "phoneNumbers": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Outbound rules phone number format." - } + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" }, - "serviceTags": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Inbound rules service tag names." + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } } }, - "subscriptions": { - "$ref": "#/definitions/subscriptionIdType", - "metadata": { - "description": "Optional. List of subscription ids." - } + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." } } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for an access rule." } } }, @@ -127,7 +121,10 @@ } }, "accessRules": { - "$ref": "#/definitions/accessRulesType", + "type": "array", + "items": { + "$ref": "#/definitions/accessRuleType" + }, "nullable": true, "metadata": { "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." @@ -151,21 +148,187 @@ "name": "nsp_accessRules", "count": "[length(coalesce(parameters('accessRules'), createArray()))]" }, - "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", - "apiVersion": "2023-08-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('name'), coalesce(parameters('accessRules'), createArray())[copyIndex()].name)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-nsp-accessrule-{1}', uniqueString(deployment().name), copyIndex())]", "properties": { - "addressPrefixes": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]", - "direction": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]", - "emailAddresses": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]", - "fullyQualifiedDomainNames": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]", - "phoneNumbers": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]", - "serviceTags": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]", - "subscriptions": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" - }, - "dependsOn": [ - "networkSecurityPerimeter_profile" - ] + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkPerimeterName": { + "value": "[parameters('networkPerimeterName')]" + }, + "networkPerimeterProfileName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].name]" + }, + "addressPrefixes": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'addressPrefixes')]" + }, + "direction": { + "value": "[coalesce(parameters('accessRules'), createArray())[copyIndex()].direction]" + }, + "emailAddresses": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'emailAddresses')]" + }, + "fullyQualifiedDomainNames": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'fullyQualifiedDomainNames')]" + }, + "phoneNumbers": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'phoneNumbers')]" + }, + "serviceTags": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'serviceTags')]" + }, + "subscriptions": { + "value": "[tryGet(coalesce(parameters('accessRules'), createArray())[copyIndex()], 'subscriptions')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.33.93.31351", + "templateHash": "18212192177654041784" + }, + "name": "Network Security Perimeter Access Rule", + "description": "This module deploys a Network Security Perimeter Access Rule." + }, + "parameters": { + "networkPerimeterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter. Required if the template is used in a standalone deployment." + } + }, + "networkPerimeterProfileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network perimeter Profile. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the access rule." + } + }, + "addressPrefixes": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound address prefixes (IPv4/IPv6).s." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. The type for an access rule." + } + }, + "emailAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules email address format." + } + }, + "fullyQualifiedDomainNames": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules fully qualified domain name format." + } + }, + "phoneNumbers": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Outbound rules phone number format." + } + }, + "serviceTags": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Inbound rules service tag names." + } + }, + "subscriptions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The subscription id." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List of subscription ids." + } + } + }, + "resources": { + "networkPerimeter::networkSecurityPerimeterProfile": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters/profiles", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'))]" + }, + "networkPerimeter": { + "existing": true, + "type": "Microsoft.Network/networkSecurityPerimeters", + "apiVersion": "2023-08-01-preview", + "name": "[parameters('networkPerimeterName')]" + }, + "nsp_accessRules": { + "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", + "apiVersion": "2023-08-01-preview", + "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", + "properties": { + "addressPrefixes": "[parameters('addressPrefixes')]", + "direction": "[parameters('direction')]", + "emailAddresses": "[parameters('emailAddresses')]", + "fullyQualifiedDomainNames": "[parameters('fullyQualifiedDomainNames')]", + "phoneNumbers": "[parameters('phoneNumbers')]", + "serviceTags": "[parameters('serviceTags')]", + "subscriptions": "[parameters('subscriptions')]" + } + } + } + } + } } }, "outputs": { diff --git a/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep b/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep index 6dd99e1ed6..7c4ce12b47 100644 --- a/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep +++ b/avm/res/network/network-security-perimeter/tests/e2e/max/dependencies.bicep @@ -1,6 +1,9 @@ @description('Required. The name of the Storage Account to create.') param storageAccountName string +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + @description('Optional. The location to deploy resources to.') param location string = resourceGroup().location @@ -21,5 +24,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { } } +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + @description('The resource ID of the created Storage Account.') output storageAccountResourceId string = storageAccount.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep index b98d891919..020eb083a9 100644 --- a/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep +++ b/avm/res/network/network-security-perimeter/tests/e2e/max/main.test.bicep @@ -30,6 +30,7 @@ module nestedDependencies 'dependencies.bicep' = { params: { storageAccountName: 'dep${namePrefix}store${serviceShort}' location: resourceLocation + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' } } @@ -110,6 +111,28 @@ module testDeployment '../../../main.bicep' = [ kind: 'CanNotDelete' name: 'myCustomLockName' } + roleAssignments: [ + { + name: 'b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + name: guid('Custom seed ${namePrefix}${serviceShort}') + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + ) + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] } } ] diff --git a/avm/res/network/network-security-perimeter/version.json b/avm/res/network/network-security-perimeter/version.json index a8eda31021..83083db694 100644 --- a/avm/res/network/network-security-perimeter/version.json +++ b/avm/res/network/network-security-perimeter/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", + "version": "0.1", "pathFilters": [ "./main.json" ] From 04d1de4e24180acffad7a06ce5432a76fd6f5790 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Mon, 10 Feb 2025 09:28:48 +0000 Subject: [PATCH 8/8] Add output params --- .../network-security-perimeter/main.json | 31 ++++++++++++++++--- .../profile/access-rule/README.md | 6 +++- .../profile/access-rule/main.bicep | 11 ++++++- .../profile/access-rule/main.json | 27 ++++++++++++++-- .../profile/main.json | 29 +++++++++++++++-- 5 files changed, 93 insertions(+), 11 deletions(-) diff --git a/avm/res/network/network-security-perimeter/main.json b/avm/res/network/network-security-perimeter/main.json index bf0183d09e..954b092c43 100644 --- a/avm/res/network/network-security-perimeter/main.json +++ b/avm/res/network/network-security-perimeter/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "15151011846661806559" + "templateHash": "5001761265450278752" }, "name": "Network Security Perimeter", "description": "This module deploys a Network Security Perimeter (NSP)." @@ -611,7 +611,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "2297736787884946512" + "templateHash": "12754329895696619344" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile." @@ -801,7 +801,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "18212192177654041784" + "templateHash": "12994955439990027696" }, "name": "Network Security Perimeter Access Rule", "description": "This module deploys a Network Security Perimeter Access Rule." @@ -917,7 +917,7 @@ "apiVersion": "2023-08-01-preview", "name": "[parameters('networkPerimeterName')]" }, - "nsp_accessRules": { + "nsp_accessRule": { "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", "apiVersion": "2023-08-01-preview", "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", @@ -931,6 +931,29 @@ "subscriptions": "[parameters('subscriptions')]" } } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed profile." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles/accessRules', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed profile." + }, + "value": "[parameters('name')]" + } } } } diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/README.md b/avm/res/network/network-security-perimeter/profile/access-rule/README.md index 0b455b4844..e82af484b0 100644 --- a/avm/res/network/network-security-perimeter/profile/access-rule/README.md +++ b/avm/res/network/network-security-perimeter/profile/access-rule/README.md @@ -133,4 +133,8 @@ The subscription id. ## Outputs -_None_ +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed profile. | +| `resourceGroupName` | string | The resource group the network security perimeter was deployed into. | +| `resourceId` | string | The resource ID of the deployed profile. | diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep b/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep index bf8c721c45..dd10231468 100644 --- a/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep +++ b/avm/res/network/network-security-perimeter/profile/access-rule/main.bicep @@ -42,7 +42,7 @@ resource networkPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-08-0 } } -resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = { +resource nsp_accessRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = { name: name parent: networkPerimeter::networkSecurityPerimeterProfile properties: { @@ -55,3 +55,12 @@ resource nsp_accessRules 'Microsoft.Network/networkSecurityPerimeters/profiles/a subscriptions: subscriptions } } + +@description('The resource group the network security perimeter was deployed into.') +output resourceGroupName string = resourceGroup().name + +@description('The resource ID of the deployed profile.') +output resourceId string = nsp_accessRule.id + +@description('The name of the deployed profile.') +output name string = nsp_accessRule.name diff --git a/avm/res/network/network-security-perimeter/profile/access-rule/main.json b/avm/res/network/network-security-perimeter/profile/access-rule/main.json index 2b3daf327b..10bbde4d25 100644 --- a/avm/res/network/network-security-perimeter/profile/access-rule/main.json +++ b/avm/res/network/network-security-perimeter/profile/access-rule/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "18212192177654041784" + "templateHash": "12994955439990027696" }, "name": "Network Security Perimeter Access Rule", "description": "This module deploys a Network Security Perimeter Access Rule." @@ -122,7 +122,7 @@ "apiVersion": "2023-08-01-preview", "name": "[parameters('networkPerimeterName')]" }, - "nsp_accessRules": { + "nsp_accessRule": { "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", "apiVersion": "2023-08-01-preview", "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", @@ -136,5 +136,28 @@ "subscriptions": "[parameters('subscriptions')]" } } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed profile." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles/accessRules', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed profile." + }, + "value": "[parameters('name')]" + } } } \ No newline at end of file diff --git a/avm/res/network/network-security-perimeter/profile/main.json b/avm/res/network/network-security-perimeter/profile/main.json index f239acdbb3..79f56cbbd6 100644 --- a/avm/res/network/network-security-perimeter/profile/main.json +++ b/avm/res/network/network-security-perimeter/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "2297736787884946512" + "templateHash": "12754329895696619344" }, "name": "Network Security Perimeter Profile", "description": "This module deploys a Network Security Perimeter Profile." @@ -196,7 +196,7 @@ "_generator": { "name": "bicep", "version": "0.33.93.31351", - "templateHash": "18212192177654041784" + "templateHash": "12994955439990027696" }, "name": "Network Security Perimeter Access Rule", "description": "This module deploys a Network Security Perimeter Access Rule." @@ -312,7 +312,7 @@ "apiVersion": "2023-08-01-preview", "name": "[parameters('networkPerimeterName')]" }, - "nsp_accessRules": { + "nsp_accessRule": { "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules", "apiVersion": "2023-08-01-preview", "name": "[format('{0}/{1}/{2}', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]", @@ -326,6 +326,29 @@ "subscriptions": "[parameters('subscriptions')]" } } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network security perimeter was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed profile." + }, + "value": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles/accessRules', parameters('networkPerimeterName'), parameters('networkPerimeterProfileName'), parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed profile." + }, + "value": "[parameters('name')]" + } } } }