feat: Update avm/res/web/static-site - Add additional param for publicNetworkAccess

[ChrisSidebotham]

Description

#Closes #4283

Pipeline Reference

Pipeline

Type of Change

• Update to CI Environment or utilities (Non-module affecting changes)
• Azure Verified Module updates:
  • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
    • Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    • The bug was found by the module author, and no one has opened an issue to report it yet.
  • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
  • Breaking changes and I have bumped the MAJOR version in version.json.
  • Update to documentation

Checklist

• I'm sure there are no other open Pull Requests for the same update/change
• I have run Set-AVMModule locally to generate the supporting module files.
• My corresponding pipelines / checks run clean and green without any errors or warnings

[microsoft-github-policy-service]

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

[microsoft-github-policy-service]

Important

If this is a module-related PR, being submitted by the sole owner of the module, the AVM core team must review and approve it (as module owners can't approve their own PRs).

To indicate this PR needs the core team''s attention, apply the "Needs: Core Team 🧞" label!

The core team will only review and approve PRs that have this label applied!

[eriqua]

Leveraging the PR to trigger a discussion about this setting in general and current implementation across the library.
I see the inconsistency is strong with this one.
In CARML we started disabling publicNetworkAccess within the resource implementation instead of through its default value, and only in case private endpoint is enabled. This is still the current implementation for multiple modules, such as for example storage-account
The reasoning behind was that it won't be useful to disable public network access by default if private endpoint is not configured. In these cases the default value is set to empty ''.
Meanwhile, many other resource modules are now disabling publicNetworkAccess by default via default values in AVM. An example is RSV. In these cases the default value is set to Disabled.
Needless to say, we also have cases where the default value is set to Enabled.
I think it would be nice to align the behavior.

[AlexanderSehr]

I could imagine that some resources may have PSRule tests that request one or the other. Don't have an example at hand though (for RSV, for example, this test does not exist, so I guess the person implementing the parameter simply decided that it would be a good solution).
One added caveat is that aside from PEs, one could also navigate to a resource like a storage account using service endpoints, making the matter even harder to define a default for.

[ChrisSidebotham]

I am about t commit another push to this which updates it to the same configuration as we use for PaaS Services, but I am removing networkacl as this is not supportted for this resource

[eriqua]

Thanks a lot @ChrisSidebotham I agree with latest changes! Only comment would be, if networkAcls are not supported, to remove that mention from the publicNetworkAccess description metadata. Would you agree? Providing a suggestion to clarify

[eriqua]

Suggested change

	@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
	@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')