Merge pull request #4 from Azure/pull

Pull
Sebastian Gräf 2022-09-22 12:43:18 +12:00 коммит произвёл GitHub
Родитель 36a0ffe37f 67987ea9b5
Коммит a93c5aa165
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1114 изменённых файлов: 121342 добавлений и 55 удалений


@ -1,37 +0,0 @@
name: 'Set Environment Variables'
description: 'Set Environment Variables'
inputs:
variablesPath:
description: 'The path to the YAML file that contains the key value pairs for environment variables'
required: true
runs:
using: 'composite'
steps:
# [Set environment variables] task(s)
# ---------------
- name: 'Set environment variables'
id: set-env-variables
shell: pwsh
run: |
# Grouping task logs
Write-Output '::group::Set environment variables'
# Load used functions
. (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Add-YamlListToFile.ps1')
$functionInput = @{
InputFilePath = '${{ inputs.variablesPath }}'
ListName = 'variables'
OutputFilePath = $Env:GITHUB_ENV
}
Write-Verbose "Invoke task with" -Verbose
Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
# Convert YAML Variable File to Environment Variables
Add-YamlListToFile @functionInput -Verbose
Write-Output '::endgroup::'

28
.github/workflows/publish.yml поставляемый

@ -24,10 +24,18 @@ env:
ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
TOKEN_NAMEPREFIX: '${{ secrets.TOKEN_NAMEPREFIX }}'
jobs:
job_publish_module:
job_pull_modules:
name: 'Publishing'
runs-on: ubuntu-20.04
steps:
- name: 'Checkout'
uses: actions/checkout@v2
with:
repository: 'Azure/ResourceModules'
fetch-depth: 0
job_publish_modules:
name: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.foo == 'true'
runs-on: ubuntu-20.04
@ -36,19 +44,3 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set environment variables
uses: ./.github/actions/templates/setEnvironmentVariables
with:
variablesPath: ${{ env.variablesPath }}
- name: 'Publishing'
uses: ./.github/actions/templates/publishModule
with:
templateFilePath: '${{ env.modulePath }}/deploy.bicep'
templateSpecsRGName: '${{ env.templateSpecsRGName }}'
templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}'
templateSpecsDescription: '${{ env.templateSpecsDescription }}'
templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}'
bicepRegistryName: '${{ env.bicepRegistryName }}'
bicepRegistryRGName: '${{ env.bicepRegistryRGName }}'
bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}'
bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}'
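Review bot: The new `if:` on job_publish_modules gates publishing on `github.event.inputs.foo == 'true'`, and `foo` reads like a placeholder rather than a declared workflow_dispatch input; unless the trigger section (outside this hunk) declares an input of that name, the expression is always false off main/master, so the condition should reference a declared, descriptively named input (for example `github.event.inputs.forcePublish == 'true'`, with the input declared under `workflow_dispatch`). The added job_pull_modules checks out the external repository `Azure/ResourceModules` with `actions/checkout@v2`, a mutable tag, and without a `ref`; since this job feeds a publishing pipeline, pinning the action to a commit SHA and fixing the upstream `ref` would make that supply-chain input reproducible. Both jobs carry the display name 'Publishing', which makes run logs ambiguous; `name: 'Pull modules'` on job_pull_modules would fix that. The second hunk appears to leave job_publish_modules with only a checkout step, so if the publishing step now lives elsewhere a comment pointing to it would help.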


@ -0,0 +1,85 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''
@sys.description('Optional. The description of the role assignment.')
param description string = ''
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
param condition string = ''
@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'
@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''
var builtInRoleNames = {
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
}
resource AzureADDS 'Microsoft.AAD/DomainServices@2021-05-01' existing = {
name: last(split(resourceId, '/'))
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(AzureADDS.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? any(principalType) : null
condition: !empty(condition) ? condition : null
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
}
scope: AzureADDS
}]
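Review bot: `param description string = ''` shadows Bicep's `description` decorator, which is why every parameter in this file uses `@sys.description(...)` while deploy.bicep uses `@description(...)`; a comment above that parameter, e.g. `// 'description' is a parameter here, so decorators must use the sys namespace`, would stop the next maintainer from "fixing" the decorators back. The `existing` resource `AzureADDS` is located by `last(split(resourceId, '/'))` in the deployment's own resource group, so the module silently assumes the target domain service lives in the same resource group as the deployment; stating that on `param resourceId` would make the contract explicit. The built-in name table also includes `Owner` and `User Access Administrator`, roles that can themselves grant further role assignments, so callers using display names should treat those entries as privilege-granting rather than data-plane roles.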


@ -0,0 +1,56 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"domainName": {
"value": "<<namePrefix>>.onmicrosoft.com"
},
"sku": {
"value": "Standard"
},
"lock": {
"value": "CanNotDelete"
},
"replicaSets": {
"value": [
{
"location": "WestEurope",
"subnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet"
}
]
},
"pfxCertificate": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"secretName": "pfxBase64Certificate"
}
},
"pfxCertificatePassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"secretName": "pfxCertificatePassword"
}
},
"additionalRecipients": {
"value": [
"<<namePrefix>>@noreply.github.com"
]
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
}
}
}


@ -0,0 +1,268 @@
@description('Optional. The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service.')
param name string = domainName
@description('Required. The domain name specific to the Azure ADDS service.')
param domainName string
@description('Optional. The name of the SKU specific to Azure ADDS Services.')
@allowed([
'Standard'
'Enterprise'
'Premium'
])
param sku string = 'Standard'
@description('Optional. The location to deploy the Azure ADDS Services.')
param location string = resourceGroup().location
@description('Optional. Additional replica set for the managed domain.')
param replicaSets array = []
@description('Conditional. The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days.')
param pfxCertificate string = ''
@description('Conditional. The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled.')
@secure()
param pfxCertificatePassword string = ''
@description('Optional. The email recipient value to receive alerts.')
param additionalRecipients array = []
@description('Optional. The value is to provide domain configuration type.')
@allowed([
'FullySynced'
'ResourceTrusting'
])
param domainConfigurationType string = 'FullySynced'
@description('Optional. The value is to synchronize scoped users and groups.')
param filteredSync string = 'Enabled'
@description('Optional. The value is to enable clients making request using TLSv1.')
@allowed([
'Enabled'
'Disabled'
])
param tlsV1 string = 'Enabled'
@description('Optional. The value is to enable clients making request using NTLM v1.')
@allowed([
'Enabled'
'Disabled'
])
param ntlmV1 string = 'Enabled'
@description('Optional. The value is to enable synchronized users to use NTLM authentication.')
@allowed([
'Enabled'
'Disabled'
])
#disable-next-line secure-secrets-in-params // Not a secret
param syncNtlmPasswords string = 'Enabled'
@description('Optional. The value is to enable on-premises users to authenticate against managed domain.')
@allowed([
'Enabled'
'Disabled'
])
#disable-next-line secure-secrets-in-params // Not a secret
param syncOnPremPasswords string = 'Enabled'
@description('Optional. The value is to enable Kerberos requests that use RC4 encryption.')
@allowed([
'Enabled'
'Disabled'
])
param kerberosRc4Encryption string = 'Enabled'
@description('Optional. The value is to enable to provide a protected channel between the Kerberos client and the KDC.')
@allowed([
'Enabled'
'Disabled'
])
param kerberosArmoring string = 'Enabled'
@description('Optional. The value is to notify the DC Admins.')
@allowed([
'Enabled'
'Disabled'
])
param notifyDcAdmins string = 'Enabled'
@description('Optional. The value is to notify the Global Admins.')
@allowed([
'Enabled'
'Disabled'
])
param notifyGlobalAdmins string = 'Enabled'
@description('Optional. The value is to enable the Secure LDAP for external services of Azure ADDS Services.')
@allowed([
'Enabled'
'Disabled'
])
param externalAccess string = 'Enabled'
@description('Optional. A flag to determine whether or not Secure LDAP is enabled or disabled.')
@allowed([
'Enabled'
'Disabled'
])
param ldaps string = 'Enabled'
@description('Optional. Resource ID of the diagnostic storage account.')
param diagnosticStorageAccountId string = ''
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
param diagnosticWorkspaceId string = ''
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
param diagnosticEventHubAuthorizationRuleId string = ''
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
param diagnosticEventHubName string = ''
@description('Optional. Tags of the resource.')
param tags object = {}
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@minValue(0)
@maxValue(365)
param diagnosticLogsRetentionInDays int = 365
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@allowed([
''
'CanNotDelete'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
param lock string = ''
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
@description('Optional. The name of logs that will be streamed.')
@allowed([
'SystemSecurity'
'AccountManagement'
'LogonLogoff'
'ObjectAccess'
'PolicyChange'
'PrivilegeUse'
'DetailTracking'
'DirectoryServiceAccess'
'AccountLogon'
])
param logsToEnable array = [
'SystemSecurity'
'AccountManagement'
'LogonLogoff'
'ObjectAccess'
'PolicyChange'
'PrivilegeUse'
'DetailTracking'
'DirectoryServiceAccess'
'AccountLogon'
]
var diagnosticsLogs = [for log in logsToEnable: {
category: log
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
name: name
location: location
tags: tags
properties: {
domainName: domainName
domainConfigurationType: domainConfigurationType
filteredSync: filteredSync
notificationSettings: {
additionalRecipients: additionalRecipients
notifyDcAdmins: notifyDcAdmins
notifyGlobalAdmins: notifyGlobalAdmins
}
ldapsSettings: {
externalAccess: externalAccess
ldaps: ldaps
pfxCertificate: !empty(pfxCertificate) ? pfxCertificate : null
pfxCertificatePassword: !empty(pfxCertificatePassword) ? pfxCertificatePassword : null
}
replicaSets: replicaSets
domainSecuritySettings: {
tlsV1: tlsV1
ntlmV1: ntlmV1
syncNtlmPasswords: syncNtlmPasswords
syncOnPremPasswords: syncOnPremPasswords
kerberosRc4Encryption: kerberosRc4Encryption
kerberosArmoring: kerberosArmoring
}
sku: sku
}
}
resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
name: '${domainService.name}-diagnosticSettings'
properties: {
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
logs: diagnosticsLogs
}
scope: domainService
}
resource domainService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
name: '${domainService.name}-${lock}-lock'
properties: {
level: any(lock)
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: domainService
}
module domainService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
principalIds: roleAssignment.principalIds
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
resourceId: domainService.id
}
}]
@description('The domain name of the Azure Active Directory Domain Services(Azure ADDS).')
output name string = domainService.name
@description('The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in.')
output resourceGroupName string = resourceGroup().name
@description('The resource ID of the Azure Active Directory Domain Services(Azure ADDS).')
output resourceId string = domainService.id
@description('The location the resource was deployed into.')
output location string = domainService.location
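Review bot: `param pfxCertificate string = ''` is not marked `@secure()` although `pfxCertificatePassword` directly below it is; the value is the base64 PFX that carries the Secure LDAP private key (the accompanying test parameter file pulls it from a Key Vault reference for exactly that reason), and as a plain string parameter it is likely retained in deployment history rather than redacted. Adding `@secure()` above that `param` line closes the gap and keeps the two halves of the certificate material handled the same way. Separately, `tlsV1`, `ntlmV1` and `kerberosRc4Encryption` all default to `'Enabled'`, so a caller who accepts the defaults gets TLS 1.0, NTLMv1 and RC4 Kerberos turned on; if the permissive defaults are deliberate, a comment next to those parameters saying so and pointing hardened deployments to `'Disabled'` belongs there. Minor: the role-assignment module deployment name uses `-VNet-Rbac-`, apparently carried over from the virtual network module, where `-DomainServices-Rbac-` would match the resource deployed here, and `filteredSync` is the one Enabled/Disabled parameter without an `@allowed` decorator.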


@ -0,0 +1,328 @@
# Azure Active Directory Domain Services `[Microsoft.AAD/DomainServices]`
This template deploys Azure Active Directory Domain Services (AADDS).
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Considerations](#Considerations)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.AAD/domainServices` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AAD/2021-05-01/domainServices) |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `domainName` | string | The domain name specific to the Azure ADDS service. |
**Conditional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `pfxCertificate` | string | `''` | The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. |
| `pfxCertificatePassword` | secureString | `''` | The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `additionalRecipients` | array | `[]` | | The email recipient value to receive alerts. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `domainConfigurationType` | string | `'FullySynced'` | `[FullySynced, ResourceTrusting]` | The value is to provide domain configuration type. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `externalAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable the Secure LDAP for external services of Azure ADDS Services. |
| `filteredSync` | string | `'Enabled'` | | The value is to synchronize scoped users and groups. |
| `kerberosArmoring` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable to provide a protected channel between the Kerberos client and the KDC. |
| `kerberosRc4Encryption` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable Kerberos requests that use RC4 encryption. |
| `ldaps` | string | `'Enabled'` | `[Disabled, Enabled]` | A flag to determine whether or not Secure LDAP is enabled or disabled. |
| `location` | string | `[resourceGroup().location]` | | The location to deploy the Azure ADDS Services. |
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
| `logsToEnable` | array | `[AccountLogon, AccountManagement, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` | `[AccountLogon, AccountManagement, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` | The name of logs that will be streamed. |
| `name` | string | `[parameters('domainName')]` | | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. |
| `notifyDcAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the DC Admins. |
| `notifyGlobalAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the Global Admins. |
| `ntlmV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using NTLM v1. |
| `replicaSets` | array | `[]` | | Additional replica set for the managed domain. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `sku` | string | `'Standard'` | `[Enterprise, Premium, Standard]` | The name of the SKU specific to Azure ADDS Services. |
| `syncNtlmPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable synchronized users to use NTLM authentication. |
| `syncOnPremPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable on-premises users to authenticate against managed domain. |
| `tags` | object | `{object}` | | Tags of the resource. |
| `tlsV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using TLSv1. |
### Parameter Usage: `roleAssignments`
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
<details>
<summary>Parameter JSON format</summary>
```json
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"description": "Reader Role Assignment",
"principalIds": [
"12345678-1234-1234-1234-123456789012", // object 1
"78945612-1234-1234-1234-123456789012" // object 2
]
},
{
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"principalIds": [
"12345678-1234-1234-1234-123456789012" // object 1
],
"principalType": "ServicePrincipal"
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
'78945612-1234-1234-1234-123456789012' // object 2
]
}
{
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
]
principalType: 'ServicePrincipal'
}
]
```
</details>
<p>
### Parameter Usage: `tags`
Tag names and tag values can be provided as needed. A tag can be left without a value.
<details>
<summary>Parameter JSON format</summary>
```json
"tags": {
"value": {
"Environment": "Non-Prod",
"Contact": "test.user@testcompany.com",
"PurchaseOrder": "1234",
"CostCenter": "7890",
"ServiceName": "DeploymentValidation",
"Role": "DeploymentValidation"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tags: {
Environment: 'Non-Prod'
Contact: 'test.user@testcompany.com'
PurchaseOrder: '1234'
CostCenter: '7890'
ServiceName: 'DeploymentValidation'
Role: 'DeploymentValidation'
}
```
</details>
<p>
## Considerations
- A network security group has to be created and assigned to the designated AADDS subnet before deploying this module
- The following inbound rules should be allowed on the network security group
| Name | Protocol | Source Port Range | Source Address Prefix | Destination Port Range | Destination Address Prefix |
| - | - | - | - | - | - |
| AllowSyncWithAzureAD | TCP | `*` | `AzureActiveDirectoryDomainServices` | `443` | `*` |
| AllowPSRemoting | TCP | `*` | `AzureActiveDirectoryDomainServices` | `5986` | `*` |
- Associating a route table to the AADDS subnet is not recommended
- The network used for AADDS must have its DNS Servers [configured](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-networking#configure-dns-servers-in-the-peered-virtual-network) (e.g. with IPs `10.0.1.4` & `10.0.1.5`)
- Your Azure Active Directory must have the 'Domain Controller Services' service principal registered. If that's not the case, you can register it by executing the command `New-AzADServicePrincipal -ApplicationId '2565bd9d-da50-47d4-8b85-4c97f669dc36'` with an eligible user.
### Create self-signed certificate for secure LDAP
Follow the below PowerShell commands to get base64 encoded string of a self-signed certificate (with a `pfxCertificatePassword`)
```PowerShell
$pfxCertificatePassword = ConvertTo-SecureString '<<YourPfxCertificatePassword>>' -AsPlainText -Force
$certInputObject = @{
Subject = 'CN=*.<<YourDomainName>>'
DnsName = '*.<<YourDomainName>>'
CertStoreLocation = 'cert:\LocalMachine\My'
KeyExportPolicy = 'Exportable'
Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
NotAfter = (Get-Date).AddMonths(3)
HashAlgorithm = 'SHA256'
}
$rawCert = New-SelfSignedCertificate @certInputObject
Export-PfxCertificate -Cert ('Cert:\localmachine\my\' + $rawCert.Thumbprint) -FilePath "$home/aadds.pfx" -Password $pfxCertificatePassword -Force
$rawCertByteStream = Get-Content "$home/aadds.pfx" -AsByteStream
$pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream)
```
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The domain name of the Azure Active Directory Domain Services(Azure ADDS). |
| `resourceGroupName` | string | The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in. |
| `resourceId` | string | The resource ID of the Azure Active Directory Domain Services(Azure ADDS). |
## Cross-referenced modules
_None_
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Parameters</h3>
<details>
<summary>via Bicep module</summary>
```bicep
resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: 'adp-<<namePrefix>>-az-kv-x-001'
scope: resourceGroup('<<subscriptionId>>','validation-rg')
}
module DomainServices './Microsoft.AAD/DomainServices/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-DomainServices'
params: {
// Required parameters
domainName: '<<namePrefix>>.onmicrosoft.com'
// Non-required parameters
additionalRecipients: [
'<<namePrefix>>@noreply.github.com'
]
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
lock: 'CanNotDelete'
pfxCertificate: kv1.getSecret('pfxBase64Certificate')
pfxCertificatePassword: kv1.getSecret('pfxCertificatePassword')
replicaSets: [
{
location: 'WestEurope'
subnetId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet'
}
]
sku: 'Standard'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"domainName": {
"value": "<<namePrefix>>.onmicrosoft.com"
},
// Non-required parameters
"additionalRecipients": {
"value": [
"<<namePrefix>>@noreply.github.com"
]
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"lock": {
"value": "CanNotDelete"
},
"pfxCertificate": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"secretName": "pfxBase64Certificate"
}
},
"pfxCertificatePassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"secretName": "pfxCertificatePassword"
}
},
"replicaSets": {
"value": [
{
"location": "WestEurope",
"subnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet"
}
]
},
"sku": {
"value": "Standard"
}
}
}
```
</details>
<p>


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,68 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''
@sys.description('Optional. The description of the role assignment.')
param description string = ''
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
param condition string = ''
@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'
@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''
var builtInRoleNames = {
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
resource server 'Microsoft.AnalysisServices/servers@2017-08-01' existing = {
name: last(split(resourceId, '/'))
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(server.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? any(principalType) : null
condition: !empty(condition) ? condition : null
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
}
scope: server
}]
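Review bot: `resource server ... existing` resolves its target with `name: last(split(resourceId, '/'))`, which keeps only the final segment of `resourceId` and looks it up in the deployment's own resource group, so an ID pointing at a server in another resource group or subscription is silently reinterpreted rather than rejected. Because this resource is also the `scope` of the role assignment, a mismatched ID could land the assignment on a same-named server in the deployment resource group instead of failing. Either state the constraint on the parameter, e.g. `@sys.description('Required. The resource ID of the resource to apply the role assignment to. Must be in the deployment resource group; only the name segment is used.')`, or derive the scope from the ID with `scope: resourceGroup(split(resourceId, '/')[2], split(resourceId, '/')[4])` as the key-vault lookup in the API Management authorization-server module of this PR already does. Separately, a `roleDefinitionIdOrName` that is absent from `builtInRoleNames` is passed through unchanged as if it were a definition ID, so an unknown display name only surfaces as a deployment-time error; a short comment on the `roleDefinitionId:` line saying so would save the next reader a trip to the docs.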


@ -0,0 +1,66 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>azasweumax001"
},
"lock": {
"value": "CanNotDelete"
},
"skuName": {
"value": "S0"
},
"skuCapacity": {
"value": 1
},
"firewallSettings": {
"value": {
"firewallRules": [
{
"firewallRuleName": "AllowFromAll",
"rangeStart": "0.0.0.0",
"rangeEnd": "255.255.255.255"
}
],
"enablePowerBIService": true
}
},
"diagnosticLogsRetentionInDays": {
"value": 365
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
},
"diagnosticLogCategoriesToEnable": {
"value": [
"Engine",
"Service"
]
},
"diagnosticMetricsToEnable": {
"value": [
"AllMetrics"
]
}
}
}


@ -0,0 +1,9 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>azasweumin001"
}
}
}


@ -0,0 +1,40 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>azasweux001"
},
"lock": {
"value": "CanNotDelete"
},
"skuName": {
"value": "S0"
},
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
}
}
}


@ -0,0 +1,169 @@
@description('Required. The name of the Azure Analysis Services server to create.')
param name string
@description('Optional. The SKU name of the Azure Analysis Services server to create.')
param skuName string = 'S0'
@description('Optional. The total number of query replica scale-out instances.')
param skuCapacity int = 1
@description('Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled.')
param firewallSettings object = {
firewallRules: [
{
firewallRuleName: 'AllowFromAll'
rangeStart: '0.0.0.0'
rangeEnd: '255.255.255.255'
}
]
enablePowerBIService: true
}
@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@minValue(0)
@maxValue(365)
param diagnosticLogsRetentionInDays int = 365
@description('Optional. Resource ID of the diagnostic storage account.')
param diagnosticStorageAccountId string = ''
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
param diagnosticWorkspaceId string = ''
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
param diagnosticEventHubAuthorizationRuleId string = ''
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
param diagnosticEventHubName string = ''
@allowed([
''
'CanNotDelete'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
param lock string = ''
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
@description('Optional. Tags of the resource.')
param tags object = {}
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. The name of logs that will be streamed.')
@allowed([
'Engine'
'Service'
])
param diagnosticLogCategoriesToEnable array = [
'Engine'
'Service'
]
@description('Optional. The name of metrics that will be streamed.')
@allowed([
'AllMetrics'
])
param diagnosticMetricsToEnable array = [
'AllMetrics'
]
@description('Optional. The name of the diagnostic setting, if deployed.')
param diagnosticSettingsName string = '${name}-diagnosticSettings'
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
category: category
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
category: metric
timeGrain: null
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = {
name: name
location: location
tags: tags
sku: {
name: skuName
capacity: skuCapacity
}
properties: {
ipV4FirewallSettings: firewallSettings
}
}
resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
name: '${server.name}-${lock}-lock'
properties: {
level: any(lock)
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: server
}
resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
name: diagnosticSettingsName
properties: {
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
metrics: diagnosticsMetrics
logs: diagnosticsLogs
}
scope: server
}
module server_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-AnServicesServer-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
principalIds: roleAssignment.principalIds
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
resourceId: server.id
}
}]
@description('The name of the analysis service.')
output name string = server.name
@description('The resource ID of the analysis service.')
output resourceId string = server.id
@description('The resource group the analysis service was deployed into.')
output resourceGroupName string = resourceGroup().name
@description('The location the resource was deployed into.')
output location string = server.location
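Review bot: The default of `param firewallSettings object = { ... }` ships a rule `AllowFromAll` covering `0.0.0.0`–`255.255.255.255` with `enablePowerBIService: true`, yet its description says "If not specified, firewall is disabled" — the default does not disable anything, it explicitly admits every IPv4 source, and the generated README only renders the default as `{object}`, so a caller who trusts the description cannot see this. Consider a more restrictive default if the API accepts one, so that opening the server to all addresses is an explicit choice, or at minimum make the text match, e.g. `@description('Optional. The inbound firewall rules to define on the server. The default allows all IPv4 addresses (0.0.0.0-255.255.255.255).')`. The "max" test parameter file in this PR reproduces the same `AllowFromAll` rule, so the validation run only exercises the permissive configuration. `firewallSettings` is also an untyped `object` handed straight to `ipV4FirewallSettings`, so a misspelled key such as `firewallRule` would not be caught before deployment.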


@ -0,0 +1,423 @@
# Analysis Services Servers `[Microsoft.AnalysisServices/servers]`
This module deploys an Analysis Services Server.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.AnalysisServices/servers` | [2017-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AnalysisServices/2017-08-01/servers) |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the Azure Analysis Services server to create. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
| `diagnosticLogCategoriesToEnable` | array | `[Engine, Service]` | `[Engine, Service]` | The name of logs that will be streamed. |
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `firewallSettings` | object | `{object}` | | The inbound firewall rules to define on the server. If not specified, firewall is disabled. |
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `skuCapacity` | int | `1` | | The total number of query replica scale-out instances. |
| `skuName` | string | `'S0'` | | The SKU name of the Azure Analysis Services server to create. |
| `tags` | object | `{object}` | | Tags of the resource. |
### Parameter Usage: `tags`
Tag names and tag values can be provided as needed. A tag can be left without a value.
<details>
<summary>Parameter JSON format</summary>
```json
"tags": {
"value": {
"Environment": "Non-Prod",
"Contact": "test.user@testcompany.com",
"PurchaseOrder": "1234",
"CostCenter": "7890",
"ServiceName": "DeploymentValidation",
"Role": "DeploymentValidation"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tags: {
Environment: 'Non-Prod'
Contact: 'test.user@testcompany.com'
PurchaseOrder: '1234'
CostCenter: '7890'
ServiceName: 'DeploymentValidation'
Role: 'DeploymentValidation'
}
```
</details>
<p>
### Parameter Usage: `roleAssignments`
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
<details>
<summary>Parameter JSON format</summary>
```json
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"description": "Reader Role Assignment",
"principalIds": [
"12345678-1234-1234-1234-123456789012", // object 1
"78945612-1234-1234-1234-123456789012" // object 2
]
},
{
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"principalIds": [
"12345678-1234-1234-1234-123456789012" // object 1
],
"principalType": "ServicePrincipal"
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
'78945612-1234-1234-1234-123456789012' // object 2
]
}
{
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
]
principalType: 'ServicePrincipal'
}
]
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the analysis service. |
| `resourceGroupName` | string | The resource group the analysis service was deployed into. |
| `resourceId` | string | The resource ID of the analysis service. |
## Cross-referenced modules
_None_
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Max</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Servers'
params: {
// Required parameters
name: '<<namePrefix>>azasweumax001'
// Non-required parameters
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
diagnosticLogCategoriesToEnable: [
'Engine'
'Service'
]
diagnosticLogsRetentionInDays: 365
diagnosticMetricsToEnable: [
'AllMetrics'
]
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
firewallSettings: {
enablePowerBIService: true
firewallRules: [
{
firewallRuleName: 'AllowFromAll'
rangeEnd: '255.255.255.255'
rangeStart: '0.0.0.0'
}
]
}
lock: 'CanNotDelete'
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
skuCapacity: 1
skuName: 'S0'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>azasweumax001"
},
// Non-required parameters
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"diagnosticLogCategoriesToEnable": {
"value": [
"Engine",
"Service"
]
},
"diagnosticLogsRetentionInDays": {
"value": 365
},
"diagnosticMetricsToEnable": {
"value": [
"AllMetrics"
]
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"firewallSettings": {
"value": {
"enablePowerBIService": true,
"firewallRules": [
{
"firewallRuleName": "AllowFromAll",
"rangeEnd": "255.255.255.255",
"rangeStart": "0.0.0.0"
}
]
}
},
"lock": {
"value": "CanNotDelete"
},
"roleAssignments": {
"value": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
]
},
"skuCapacity": {
"value": 1
},
"skuName": {
"value": "S0"
}
}
}
```
</details>
<p>
<h3>Example 2: Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Servers'
params: {
name: '<<namePrefix>>azasweumin001'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>azasweumin001"
}
}
}
```
</details>
<p>
<h3>Example 3: Parameters</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Servers'
params: {
// Required parameters
name: '<<namePrefix>>azasweux001'
// Non-required parameters
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
diagnosticLogsRetentionInDays: 7
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
lock: 'CanNotDelete'
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
skuName: 'S0'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>azasweux001"
},
// Non-required parameters
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"lock": {
"value": "CanNotDelete"
},
"roleAssignments": {
"value": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
]
},
"skuName": {
"value": "S0"
}
}
}
```
</details>
<p>


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,117 @@
@description('Required. Identifier of the authorization server.')
param name string
@description('Required. The name of the API Management service.')
param apiManagementServiceName string
@description('Required. OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>.')
param authorizationEndpoint string
@description('Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE')
param authorizationMethods array = [
'GET'
]
@description('Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query')
param bearerTokenSendingMethods array = [
'authorizationHeader'
]
@description('Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body')
param clientAuthenticationMethod array = [
'Basic'
]
@description('Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.')
param clientRegistrationEndpoint string = ''
@description('Required. Name of the key vault that stores clientId and clientSecret for this authorization server.')
param clientCredentialsKeyVaultId string
@description('Required. Name of the secret that stores the Client or app ID registered with this authorization server.')
param clientIdSecretName string
@description('Required. Name of the secret that stores the Client or app secret registered with this authorization server. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
param clientSecretSecretName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.')
param defaultScope string = ''
@description('Optional. Description of the authorization server. Can contain HTML formatting tags.')
param serverDescription string = ''
@description('Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials')
param grantTypes array
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.')
#disable-next-line secure-secrets-in-params // Not a secret
param resourceOwnerPassword string = ''
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.')
param resourceOwnerUsername string = ''
@description('Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.')
param supportState bool = false
@description('Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object')
param tokenBodyParameters array = []
@description('Optional. OAuth token endpoint. Contains absolute URI to entity being referenced.')
param tokenEndpoint string = ''
var defaultAuthorizationMethods = [
'GET'
]
var setAuthorizationMethods = union(authorizationMethods, defaultAuthorizationMethods)
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: last(split(clientCredentialsKeyVaultId, '/'))
scope: resourceGroup(split(clientCredentialsKeyVaultId, '/')[2], split(clientCredentialsKeyVaultId, '/')[4])
}
module authorizationServer '../authorizationServers/deploy.bicep' = {
name: '${deployment().name}-AuthorizationServer'
params: {
apiManagementServiceName: apiManagementServiceName
serverDescription: serverDescription
authorizationMethods: setAuthorizationMethods
clientAuthenticationMethod: clientAuthenticationMethod
tokenBodyParameters: tokenBodyParameters
tokenEndpoint: tokenEndpoint
supportState: supportState
defaultScope: defaultScope
bearerTokenSendingMethods: bearerTokenSendingMethods
resourceOwnerUsername: resourceOwnerUsername
resourceOwnerPassword: resourceOwnerPassword
name: name
clientRegistrationEndpoint: clientRegistrationEndpoint
authorizationEndpoint: authorizationEndpoint
grantTypes: grantTypes
clientId: keyVault.getSecret(clientIdSecretName)
clientSecret: keyVault.getSecret(clientSecretSecretName)
}
}
@description('The name of the API management service authorization server')
output name string = authorizationServer.outputs.name
@description('The resource ID of the API management service authorization server')
output resourceId string = authorizationServer.outputs.resourceId
@description('The resource group the API management service authorization server was deployed into')
output resourceGroupName string = authorizationServer.outputs.resourceGroupName


@ -0,0 +1,71 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''
@sys.description('Optional. The description of the role assignment.')
param description string = ''
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
param condition string = ''
@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'
@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''
var builtInRoleNames = {
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
resource service 'Microsoft.ApiManagement/service@2020-12-01' existing = {
name: last(split(resourceId, '/'))
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(service.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? any(principalType) : null
condition: !empty(condition) ? condition : null
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
}
scope: service
}]
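Review bot: The `existing` reference `resource service 'Microsoft.ApiManagement/service@2020-12-01' existing = {` pins an older API version than every other module in this change, which use `2021-08-01` for the same resource type (apiVersionSets, apis, apis/policies, authorizationServers). Changing it to `resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {` keeps the module set on a single schema to track on upgrades. Separately, `roleDefinitionIdOrName` is passed straight through as the `roleDefinitionId` whenever it is not a key of `builtInRoleNames`, so a misspelled built-in role name only fails at deployment time with a confusing RP error; the parameter description could state that unmatched names are treated as full role definition resource IDs.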


@ -0,0 +1,177 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-apim-max-001"
},
"lock": {
"value": "CanNotDelete"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
},
"apis": {
"value": [
{
"name": "echo-api",
"displayName": "Echo API",
"path": "echo",
"serviceUrl": "http://echoapi.cloudapp.net/api",
"apiVersionSet": {
"name": "echo-version-set",
"properties": {
"description": "echo-version-set",
"displayName": "echo-version-set",
"versioningScheme": "Segment"
}
}
}
]
},
"authorizationServers": {
"value": [
{
"name": "AuthServer1",
"authorizationEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize",
"grantTypes": [
"authorizationCode"
],
"clientCredentialsKeyVaultId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001",
"clientIdSecretName": "apimclientid",
"clientSecretSecretName": "apimclientsecret",
"clientRegistrationEndpoint": "http://localhost",
"tokenEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token"
}
]
},
"backends": {
"value": [
{
"name": "backend",
"url": "http://echoapi.cloudapp.net/api",
"tls": {
"validateCertificateChain": false,
"validateCertificateName": false
}
}
]
},
"caches": {
"value": [
{
"name": "westeurope",
"connectionString": "connectionstringtest",
"useFromLocation": "westeurope"
}
]
},
"identityProviders": {
"value": [
{
"name": "aadProvider"
}
]
},
"namedValues": {
"value": [
{
"name": "apimkey",
"displayName": "apimkey",
"secret": true
}
]
},
"policies": {
"value": [
{
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
"format": "xml"
}
]
},
"portalSettings": {
"value": [
{
"name": "signin",
"properties": {
"enabled": false
}
},
{
"name": "signup",
"properties": {
"enabled": false,
"termsOfService": {
"enabled": false,
"consentRequired": false
}
}
}
]
},
"products": {
"value": [
{
"name": "Starter",
"subscriptionRequired": false,
"approvalRequired": false,
"apis": [
{
"name": "echo-api"
}
],
"groups": [
{
"name": "developers"
}
]
}
]
},
"subscriptions": {
"value": [
{
"scope": "/apis",
"name": "testArmSubscriptionAllApis"
}
]
},
"systemAssignedIdentity": {
"value": true
},
"userAssignedIdentities": {
"value": {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
}
},
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
}
}
}
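Review bot: The `backends` fixture sets `"validateCertificateChain": false` and `"validateCertificateName": false` for a backend whose `url` is plain `http://echoapi.cloudapp.net/api`, where no TLS validation takes place at all, so the `tls` block documents nothing and reads as an example of switching validation off. Since parameter files cannot carry comments, either drop the `tls` block from the fixture or point it at an https backend with validation left enabled, so the "max" example does not become the template people copy into real deployments. The same consideration applies to `"clientRegistrationEndpoint": "http://localhost"` in the `authorizationServers` entry, which is presumably a placeholder.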


@ -0,0 +1,15 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-apim-min-001"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
}
}
}


@ -0,0 +1,56 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-apim-x-001"
},
"lock": {
"value": "CanNotDelete"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
},
"portalSettings": {
"value": [
{
"name": "signin",
"properties": {
"enabled": false
}
},
{
"name": "signup",
"properties": {
"enabled": false,
"termsOfService": {
"enabled": false,
"consentRequired": false
}
}
}
]
},
"policies": {
"value": [
{
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
"format": "xml"
}
]
},
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
}
}
}


@ -0,0 +1,42 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. API Version set name.')
param name string = 'default'
@description('Optional. API Version set properties.')
param properties object = {}
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource apiVersionSet 'Microsoft.ApiManagement/service/apiVersionSets@2021-08-01' = {
name: name
parent: service
properties: properties
}
@description('The resource ID of the API Version set.')
output resourceId string = apiVersionSet.id
@description('The name of the API Version set.')
output name string = apiVersionSet.name
@description('The resource group the API Version set was deployed into.')
output resourceGroupName string = resourceGroup().name
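Review bot: `param properties object = {}` is forwarded unchanged into `apiVersionSet` as `properties: properties`, but its description `'Optional. API Version set properties.'` gives a caller no hint of what the object must contain, and the module itself validates nothing. The test parameter file in this same change passes `description`, `displayName` and `versioningScheme`, so the description could at least name those: `@description('Optional. API Version set properties, passed through unchanged to the resource (for example displayName, versioningScheme and description).')`. If the RP rejects an empty object for a new version set, which I cannot confirm from here, the `= {}` default will also only fail at deployment time.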


@ -0,0 +1,43 @@
# API Management Service API Version Sets `[Microsoft.ApiManagement/service/apiVersionSets]`
This module deploys API Management Service APIs Version Set.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) |
## Parameters
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `name` | string | `'default'` | API Version set name. |
| `properties` | object | `{object}` | API Version set properties. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API Version set. |
| `resourceGroupName` | string | The resource group the API Version set was deployed into. |
| `resourceId` | string | The resource ID of the API Version set. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,160 @@
@description('Required. API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number.')
param name string
@description('Optional. Array of Policies to apply to the Service API.')
param policies array = []
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Describes the Revision of the API. If no value is provided, default revision 1 is created.')
param apiRevision string = ''
@description('Optional. Description of the API Revision.')
param apiRevisionDescription string = ''
@description('Optional. Type of API to create. * http creates a SOAP to REST API * soap creates a SOAP pass-through API.')
@allowed([
'http'
'soap'
])
param apiType string = 'http'
@description('Optional. Indicates the Version identifier of the API if the API is versioned.')
param apiVersion string = ''
@description('Optional. Indicates the Version identifier of the API version set.')
param apiVersionSetId string = ''
@description('Optional. Description of the API Version.')
param apiVersionDescription string = ''
@description('Optional. Collection of authentication settings included into this API.')
param authenticationSettings object = {}
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Description of the API. May include HTML formatting tags.')
param apiDescription string = ''
@description('Required. API name. Must be 1 to 300 characters long.')
@maxLength(300)
param displayName string
@description('Optional. Format of the Content in which the API is getting imported.')
@allowed([
'wadl-xml'
'wadl-link-json'
'swagger-json'
'swagger-link-json'
'wsdl'
'wsdl-link'
'openapi'
'openapi+json'
'openapi-link'
'openapi+json-link'
])
param format string = 'openapi'
@description('Optional. Indicates if API revision is current API revision.')
param isCurrent bool = true
@description('Required. Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API.')
param path string
@description('Optional. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS.')
param protocols array = [
'https'
]
@description('Optional. Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long.')
@maxLength(2000)
param serviceUrl string = ''
@description('Optional. API identifier of the source API.')
param sourceApiId string = ''
@description('Optional. Protocols over which API is made available.')
param subscriptionKeyParameterNames object = {}
@description('Optional. Specifies whether an API or Product subscription is required for accessing the API.')
param subscriptionRequired bool = false
@description('Optional. Type of API.')
@allowed([
'http'
'soap'
])
param type string = 'http'
@description('Optional. Content value when Importing an API.')
param value string = ''
@description('Optional. Criteria to limit import of WSDL to a subset of the document.')
param wsdlSelector object = {}
var enableReferencedModulesTelemetry = false
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
name: name
parent: service
properties: {
apiRevision: !empty(apiRevision) ? apiRevision : null
apiRevisionDescription: !empty(apiRevisionDescription) ? apiRevisionDescription : null
apiType: !empty(apiType) ? apiType : null
apiVersion: !empty(apiVersion) ? apiVersion : null
apiVersionDescription: !empty(apiVersionDescription) ? apiVersionDescription : null
apiVersionSetId: !empty(apiVersionSetId) ? apiVersionSetId : null
authenticationSettings: authenticationSettings
description: apiDescription
displayName: displayName
format: !empty(value) ? format : null
isCurrent: isCurrent
path: path
protocols: protocols
serviceUrl: !empty(serviceUrl) ? serviceUrl : null
sourceApiId: !empty(sourceApiId) ? sourceApiId : null
subscriptionKeyParameterNames: !empty(subscriptionKeyParameterNames) ? subscriptionKeyParameterNames : null
subscriptionRequired: subscriptionRequired
type: type
value: !empty(value) ? value : null
wsdlSelector: wsdlSelector
}
}
module policy 'policies/deploy.bicep' = [for (policy, index) in policies: {
name: '${deployment().name}-Policy-${index}'
params: {
apiManagementServiceName: apiManagementServiceName
apiName: api.name
format: contains(policy, 'format') ? policy.format : 'xml'
value: policy.value
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
@description('The name of the API management service API.')
output name string = api.name
@description('The resource ID of the API management service API.')
output resourceId string = api.id
@description('The resource group the API management service API was deployed to.')
output resourceGroupName string = resourceGroup().name
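Review bot: The description on `subscriptionKeyParameterNames` is wrong: `@description('Optional. Protocols over which API is made available.')` describes `protocols`, not the object that names the header and query-string parameters carrying the subscription key; something like `@description('Optional. Names of the header and query parameters that carry the subscription key (object with header and query properties).')` would match what the property does, and the readme row for this parameter repeats the same text and would need the same fix. Worth a sentence on `param subscriptionRequired bool = false` as well, since with that default the API is callable without a subscription key unless a product requires one; the description could say so explicitly so callers make a deliberate choice. Minor: `apiType: !empty(apiType) ? apiType : null` can never take the `null` branch because `apiType` is constrained by `@allowed` to non-empty values and defaults to `'http'`.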


@ -0,0 +1,61 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Conditional. The name of the parent API. Required if the template is used in a standalone deployment.')
param apiName string
@description('Optional. The name of the policy.')
param name string = 'policy'
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Format of the policyContent.')
@allowed([
'rawxml'
'rawxml-link'
'xml'
'xml-link'
])
param format string = 'xml'
@description('Required. Contents of the Policy as defined by the format.')
param value string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
resource api 'apis@2021-08-01' existing = {
name: apiName
}
}
resource policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
name: name
parent: service::api
properties: {
format: format
value: value
}
}
@description('The resource ID of the API policy.')
output resourceId string = policy.id
@description('The name of the API policy.')
output name string = policy.name
@description('The resource group the API policy was deployed into.')
output resourceGroupName string = resourceGroup().name
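Review bot: `param name string = 'policy'` is exposed as a free-form string, but as far as I know the `service/apis/policies` child resource only accepts `policy` as its name, so any other value fails at deployment time rather than at validation. If that holds, constraining it with `@allowed(['policy'])` above the `param name` line (or dropping the parameter and hard-coding `name: 'policy'` on the resource) turns that into a compile-time check; the readme table for `name` would then need to list the allowed value. The `value` parameter is the raw policy document applied to every request on the API, so its description could also point out that the module performs no validation of the XML and that the caller is responsible for its content.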


@ -0,0 +1,49 @@
# API Management Service APIs Policies `[Microsoft.ApiManagement/service/apis/policies]`
This module deploys API Management Service APIs policies.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `value` | string | Contents of the Policy as defined by the format. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
| `apiName` | string | The name of the parent API. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. |
| `name` | string | `'policy'` | | The name of the policy. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API policy. |
| `resourceGroupName` | string | The resource group the API policy was deployed into. |
| `resourceId` | string | The resource ID of the API policy. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,68 @@
# API Management Service APIs `[Microsoft.ApiManagement/service/apis]`
This module deploys API Management Service APIs.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) |
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `displayName` | string | API name. Must be 1 to 300 characters long. |
| `name` | string | API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. |
| `path` | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `apiDescription` | string | `''` | | Description of the API. May include HTML formatting tags. |
| `apiRevision` | string | `''` | | Describes the Revision of the API. If no value is provided, default revision 1 is created. |
| `apiRevisionDescription` | string | `''` | | Description of the API Revision. |
| `apiType` | string | `'http'` | `[http, soap]` | Type of API to create. * http creates a SOAP to REST API * soap creates a SOAP pass-through API. |
| `apiVersion` | string | `''` | | Indicates the Version identifier of the API if the API is versioned. |
| `apiVersionDescription` | string | `''` | | Description of the API Version. |
| `apiVersionSetId` | string | `''` | | Indicates the Version identifier of the API version set. |
| `authenticationSettings` | object | `{object}` | | Collection of authentication settings included into this API. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `format` | string | `'openapi'` | `[openapi, openapi-link, openapi+json, openapi+json-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link]` | Format of the Content in which the API is getting imported. |
| `isCurrent` | bool | `True` | | Indicates if API revision is current API revision. |
| `policies` | _[policies](policies/readme.md)_ array | `[]` | | Array of Policies to apply to the Service API. |
| `protocols` | array | `[https]` | | Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. |
| `serviceUrl` | string | `''` | | Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. |
| `sourceApiId` | string | `''` | | API identifier of the source API. |
| `subscriptionKeyParameterNames` | object | `{object}` | | Protocols over which API is made available. |
| `subscriptionRequired` | bool | `False` | | Specifies whether an API or Product subscription is required for accessing the API. |
| `type` | string | `'http'` | `[http, soap]` | Type of API. |
| `value` | string | `''` | | Content value when Importing an API. |
| `wsdlSelector` | object | `{object}` | | Criteria to limit import of WSDL to a subset of the document. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service API. |
| `resourceGroupName` | string | The resource group the API management service API was deployed to. |
| `resourceId` | string | The resource ID of the API management service API. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,115 @@
@description('Required. Identifier of the authorization server.')
param name string
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Required. OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>.')
param authorizationEndpoint string
@description('Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE.')
param authorizationMethods array = [
'GET'
]
@description('Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query.')
param bearerTokenSendingMethods array = [
'authorizationHeader'
]
@description('Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body.')
param clientAuthenticationMethod array = [
'Basic'
]
@description('Required. Client or app ID registered with this authorization server.')
@secure()
param clientId string
@description('Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.')
param clientRegistrationEndpoint string = ''
@description('Required. Client or app secret registered with this authorization server. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
@secure()
param clientSecret string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.')
param defaultScope string = ''
@description('Optional. Description of the authorization server. Can contain HTML formatting tags.')
param serverDescription string = ''
@description('Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials.')
param grantTypes array
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.')
#disable-next-line secure-secrets-in-params // Not a secret
param resourceOwnerPassword string = ''
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.')
param resourceOwnerUsername string = ''
@description('Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.')
param supportState bool = false
@description('Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object.')
param tokenBodyParameters array = []
@description('Optional. OAuth token endpoint. Contains absolute URI to entity being referenced.')
param tokenEndpoint string = ''
var defaultAuthorizationMethods = [
'GET'
]
var setAuthorizationMethods = union(authorizationMethods, defaultAuthorizationMethods)
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource authorizationServer 'Microsoft.ApiManagement/service/authorizationServers@2021-08-01' = {
name: name
parent: service
properties: {
description: serverDescription
authorizationMethods: setAuthorizationMethods
clientAuthenticationMethod: clientAuthenticationMethod
tokenBodyParameters: tokenBodyParameters
tokenEndpoint: tokenEndpoint
supportState: supportState
defaultScope: defaultScope
bearerTokenSendingMethods: bearerTokenSendingMethods
resourceOwnerUsername: resourceOwnerUsername
resourceOwnerPassword: resourceOwnerPassword
displayName: name
clientRegistrationEndpoint: clientRegistrationEndpoint
authorizationEndpoint: authorizationEndpoint
grantTypes: grantTypes
clientId: clientId
clientSecret: clientSecret
}
}
@description('The name of the API management service authorization server.')
output name string = authorizationServer.name
@description('The resource ID of the API management service authorization server.')
output resourceId string = authorizationServer.id
@description('The resource group the API management service authorization server was deployed into.')
output resourceGroupName string = resourceGroup().name


@ -0,0 +1,67 @@
# API Management Service Authorization Servers `[Microsoft.ApiManagement/service/authorizationServers]`
This module deploys API Management Service Authorization Servers.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) |
### Resource dependency
The following resources are required to be able to deploy this resource.
- `Microsoft.ApiManagement/service`
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `authorizationEndpoint` | string | OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>. |
| `clientId` | secureString | Client or app ID registered with this authorization server. |
| `clientSecret` | secureString | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
| `grantTypes` | array | Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. |
| `name` | string | Identifier of the authorization server. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `authorizationMethods` | array | `[GET]` | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. |
| `bearerTokenSendingMethods` | array | `[authorizationHeader]` | Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. |
| `clientAuthenticationMethod` | array | `[Basic]` | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. |
| `clientRegistrationEndpoint` | string | `''` | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. |
| `defaultScope` | string | `''` | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `resourceOwnerPassword` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. |
| `resourceOwnerUsername` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. |
| `serverDescription` | string | `''` | Description of the authorization server. Can contain HTML formatting tags. |
| `supportState` | bool | `False` | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. |
| `tokenBodyParameters` | array | `[]` | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. |
| `tokenEndpoint` | string | `''` | OAuth token endpoint. Contains absolute URI to entity being referenced. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service authorization server. |
| `resourceGroupName` | string | The resource group the API management service authorization server was deployed into. |
| `resourceId` | string | The resource ID of the API management service authorization server. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,81 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Required. Backend Name.')
param name string
@description('Optional. Backend Credentials Contract Properties.')
param credentials object = {}
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Backend Description.')
param backendDescription string = ''
@description('Optional. Backend communication protocol. - http or soap.')
param protocol string = 'http'
@description('Optional. Backend Proxy Contract Properties.')
param proxy object = {}
@description('Optional. Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps.')
param resourceId string = ''
@description('Optional. Backend Service Fabric Cluster Properties.')
param serviceFabricCluster object = {}
@description('Optional. Backend Title.')
param title string = ''
@description('Optional. Backend TLS Properties.')
param tls object = {
validateCertificateChain: false
validateCertificateName: false
}
@description('Required. Runtime URL of the Backend.')
param url string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {
name: name
parent: service
properties: {
title: !empty(title) ? title : null
description: !empty(backendDescription) ? backendDescription : null
resourceId: !empty(resourceId) ? resourceId : null
properties: {
serviceFabricCluster: !empty(serviceFabricCluster) ? serviceFabricCluster : null
}
credentials: !empty(credentials) ? credentials : null
proxy: !empty(proxy) ? proxy : null
tls: !empty(tls) ? tls : null
url: url
protocol: protocol
}
}
@description('The resource ID of the API management service backend.')
output resourceId string = backend.id
@description('The name of the API management service backend.')
output name string = backend.name
@description('The resource group the API management service backend was deployed into.')
output resourceGroupName string = resourceGroup().name
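Review bot: The default value of `tls` (`validateCertificateChain: false`, `validateCertificateName: false`) switches off both chain and hostname validation for the backend unless the caller overrides it, so an HTTPS backend gets no server-identity check by default; defaulting both flags to `true` and letting callers opt out explicitly for self-signed test backends is the safer shape, `validateCertificateChain: true` / `validateCertificateName: true`. Separately, `credentials` is declared as a plain `object` although, per this module's readme, it carries the `authorization.parameter` value and client certificate thumbprints; without `@secure()` that value is visible in the deployment's parameter record, so `@secure()` above `param credentials object = {}` is warranted. The parent module passes `url` as `''` when the caller omits it, while this module declares `url` as required, which would presumably fail at deployment time rather than at validation.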


@ -0,0 +1,146 @@
# API Management Service Backends `[Microsoft.ApiManagement/service/backends]`
This module deploys API Management Service Backends.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) |
### Resource dependency
The following resources are required to be able to deploy this resource.
- `Microsoft.ApiManagement/service`
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Backend Name. |
| `url` | string | Runtime URL of the Backend. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `backendDescription` | string | `''` | Backend Description. |
| `credentials` | object | `{object}` | Backend Credentials Contract Properties. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `protocol` | string | `'http'` | Backend communication protocol. - http or soap. |
| `proxy` | object | `{object}` | Backend Proxy Contract Properties. |
| `resourceId` | string | `''` | Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. |
| `serviceFabricCluster` | object | `{object}` | Backend Service Fabric Cluster Properties. |
| `title` | string | `''` | Backend Title. |
| `tls` | object | `{object}` | Backend TLS Properties. |
### Parameter Usage: Credentials
| Parameter Name| Type | Default Value | Possible values | Description |
| :-- | :-- | :--- | :-- | :- |
| `certificate` | array | | | Optional. List of Client Certificate Thumbprint. - string |
| `query` | object | | | Optional. Query Parameter description. |
| `header` | object | | | Optional. Header Parameter description. |
| `authorization` | object | | | Optional. Authorization header authentication |
### Parameter Usage: `credentials`
<details>
<summary>Parameter JSON format</summary>
```json
"credentials": {
"value":{
"certificate": [
"string"
],
"query": {},
"header": {},
"authorization": {
"scheme": "Authentication Scheme name.-string",
"parameter": "Authentication Parameter value. - string"
}
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
credentials: {
certificate: [
'string'
]
query: {}
header: {}
authorization: {
scheme: 'Authentication Scheme name.-string'
parameter: 'Authentication Parameter value. - string'
}
}
```
</details>
<p>
### Parameter Usage: `tls`
<details>
<summary>Parameter JSON format</summary>
```json
"tls": {
"value":{
"validateCertificateChain": "Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean",
"validateCertificateName": "Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tls: {
validateCertificateChain: 'Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean'
validateCertificateName: 'Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean'
}
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service backend. |
| `resourceGroupName` | string | The resource group the API management service backend was deployed into. |
| `resourceId` | string | The resource ID of the API management service backend. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,56 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Required. Identifier of the Cache entity. Cache identifier (should be either \'default\' or valid Azure region identifier).')
param name string
@description('Required. Runtime connection string to cache. Can be referenced by a named value like so, {{<named-value>}}.')
param connectionString string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Cache description.')
param cacheDescription string = ''
@description('Optional. Original uri of entity in external system cache points to.')
param resourceId string = ''
@description('Required. Location identifier to use cache from (should be either \'default\' or valid Azure region identifier).')
param useFromLocation string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource cache 'Microsoft.ApiManagement/service/caches@2021-08-01' = {
name: name
parent: service
properties: {
description: !empty(cacheDescription) ? cacheDescription : null
connectionString: connectionString
useFromLocation: useFromLocation
resourceId: !empty(resourceId) ? resourceId : null
}
}
@description('The resource ID of the API management service cache.')
output resourceId string = cache.id
@description('The name of the API management service cache.')
output name string = cache.name
@description('The resource group the API management service cache was deployed into.')
output resourceGroupName string = resourceGroup().name
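Review bot: `param connectionString string` near the top of the module is not marked `@secure()`, although a cache connection string normally embeds the access key, so unless callers always pass a `{{named-value}}` reference the key is stored in plain text in the deployment's parameter record. Add `@secure()` on the line above `param connectionString string`, matching how `clientSecret` is declared in the authorization-server module on this page, and the readme's type column for it then becomes `secureString`.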


@ -0,0 +1,50 @@
# API Management Service Cache `[Microsoft.ApiManagement/service/caches]`
This module deploys an API Management Service Cache.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `connectionString` | string | Runtime connection string to cache. Can be referenced by a named value like so, {{<named-value>}}. |
| `name` | string | Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). |
| `useFromLocation` | string | Location identifier to use cache from (should be either 'default' or valid Azure region identifier). |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `cacheDescription` | string | `''` | Cache description. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `resourceId` | string | `''` | Original uri of entity in external system cache points to. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service cache. |
| `resourceGroupName` | string | The resource group the API management service cache was deployed into. |
| `resourceId` | string | The resource ID of the API management service cache. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,470 @@
@description('Optional. Additional datacenter locations of the API Management service.')
param additionalLocations array = []
@description('Required. The name of the API Management service.')
param name string
@description('Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10.')
@maxLength(10)
param certificates array = []
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Custom properties of the API Management service.')
param customProperties object = {}
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@minValue(0)
@maxValue(365)
param diagnosticLogsRetentionInDays int = 365
@description('Optional. Resource ID of the diagnostic storage account.')
param diagnosticStorageAccountId string = ''
@description('Optional. Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region.')
param disableGateway bool = false
@description('Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.')
param enableClientCertificate bool = false
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
param diagnosticEventHubAuthorizationRuleId string = ''
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
param diagnosticEventHubName string = ''
@description('Optional. Custom hostname configuration of the API Management service.')
param hostnameConfigurations array = []
@description('Optional. Enables system assigned managed identity on the resource.')
param systemAssignedIdentity bool = false
@description('Optional. The ID(s) to assign to the resource.')
param userAssignedIdentities object = {}
@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
@allowed([
''
'CanNotDelete'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
param lock string = ''
@description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.')
param minApiVersion string = ''
@description('Optional. The notification sender email address for the service.')
param notificationSenderEmail string = 'apimgmt-noreply@mail.windowsazure.com'
@description('Required. The email address of the owner of the service.')
param publisherEmail string
@description('Required. The name of the owner of the service.')
param publisherName string
@description('Optional. Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.')
param restore bool = false
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
@description('Optional. The pricing tier of this API Management service.')
@allowed([
'Consumption'
'Developer'
'Basic'
'Standard'
'Premium'
])
param sku string = 'Developer'
@description('Optional. The instance size of this API Management service.')
@allowed([
1
2
])
param skuCount int = 1
@description('Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in.')
param subnetResourceId string = ''
@description('Optional. Tags of the resource.')
param tags object = {}
@description('Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.')
@allowed([
'None'
'External'
'Internal'
])
param virtualNetworkType string = 'None'
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
param diagnosticWorkspaceId string = ''
@description('Optional. A list of availability zones denoting where the resource needs to come from.')
param zones array = []
@description('Optional. The name of logs that will be streamed.')
@allowed([
'GatewayLogs'
])
param diagnosticLogCategoriesToEnable array = [
'GatewayLogs'
]
@description('Optional. The name of metrics that will be streamed.')
@allowed([
'AllMetrics'
])
param diagnosticMetricsToEnable array = [
'AllMetrics'
]
@description('Optional. Necessary to create a new GUID.')
param newGuidValue string = newGuid()
@description('Optional. APIs.')
param apis array = []
@description('Optional. API Version Sets.')
param apiVersionSets array = []
@description('Optional. Authorization servers.')
param authorizationServers array = []
@description('Optional. Backends.')
param backends array = []
@description('Optional. Caches.')
param caches array = []
@description('Optional. Identity providers.')
param identityProviders array = []
@description('Optional. Named values.')
param namedValues array = []
@description('Optional. Policies.')
param policies array = []
@description('Optional. Portal settings.')
param portalSettings array = []
@description('Optional. Products.')
param products array = []
@description('Optional. Subscriptions.')
param subscriptions array = []
@description('Optional. The name of the diagnostic setting, if deployed.')
param diagnosticSettingsName string = '${name}-diagnosticSettings'
var enableReferencedModulesTelemetry = false
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
category: category
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
category: metric
timeGrain: null
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
var identity = identityType != 'None' ? {
type: identityType
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
} : null
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource apiManagementService 'Microsoft.ApiManagement/service@2021-08-01' = {
name: name
location: location
tags: tags
sku: {
name: sku
capacity: skuCount
}
zones: zones
identity: identity
properties: {
publisherEmail: publisherEmail
publisherName: publisherName
notificationSenderEmail: notificationSenderEmail
hostnameConfigurations: hostnameConfigurations
additionalLocations: additionalLocations
customProperties: customProperties
certificates: certificates
enableClientCertificate: enableClientCertificate ? true : null
disableGateway: disableGateway
virtualNetworkType: virtualNetworkType
virtualNetworkConfiguration: !empty(subnetResourceId) ? json('{"subnetResourceId": "${subnetResourceId}"}') : null
apiVersionConstraint: !empty(minApiVersion) ? json('{"minApiVersion": "${minApiVersion}"}') : null
restore: restore
}
}
module apis_resource 'apis/deploy.bicep' = [for (api, index) in apis: {
name: '${uniqueString(deployment().name, location)}-Apim-Api-${index}'
params: {
apiManagementServiceName: apiManagementService.name
displayName: api.displayName
name: api.name
path: api.path
apiDescription: contains(api, 'apiDescription') ? api.apiDescription : ''
apiRevision: contains(api, 'apiRevision') ? api.apiRevision : ''
apiRevisionDescription: contains(api, 'apiRevisionDescription') ? api.apiRevisionDescription : ''
apiType: contains(api, 'apiType') ? api.apiType : 'http'
apiVersion: contains(api, 'apiVersion') ? api.apiVersion : ''
apiVersionDescription: contains(api, 'apiVersionDescription') ? api.apiVersionDescription : ''
apiVersionSetId: contains(api, 'apiVersionSetId') ? api.apiVersionSetId : ''
authenticationSettings: contains(api, 'authenticationSettings') ? api.authenticationSettings : {}
format: contains(api, 'format') ? api.format : 'openapi'
isCurrent: contains(api, 'isCurrent') ? api.isCurrent : true
protocols: contains(api, 'protocols') ? api.protocols : [
'https'
]
policies: contains(api, 'policies') ? api.policies : []
serviceUrl: contains(api, 'serviceUrl') ? api.serviceUrl : ''
sourceApiId: contains(api, 'sourceApiId') ? api.sourceApiId : ''
subscriptionKeyParameterNames: contains(api, 'subscriptionKeyParameterNames') ? api.subscriptionKeyParameterNames : {}
subscriptionRequired: contains(api, 'subscriptionRequired') ? api.subscriptionRequired : false
type: contains(api, 'type') ? api.type : 'http'
value: contains(api, 'value') ? api.value : ''
wsdlSelector: contains(api, 'wsdlSelector') ? api.wsdlSelector : {}
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
dependsOn: [
apiVersionSet_resource
]
}]
module apiVersionSet_resource 'apiVersionSets/deploy.bicep' = [for (apiVersionSet, index) in apiVersionSets: {
name: '${uniqueString(deployment().name, location)}-Apim-ApiVersionSet-${index}'
params: {
apiManagementServiceName: apiManagementService.name
name: apiVersionSet.name
properties: contains(apiVersionSet, 'properties') ? apiVersionSet.properties : {}
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module authorizationServers_resource '.bicep/nested_authorizationServers.bicep' = [for (authorizationServer, index) in authorizationServers: {
name: '${uniqueString(deployment().name, location)}-Apim-AuthorizationServer-${index}'
params: {
apiManagementServiceName: apiManagementService.name
name: authorizationServer.name
authorizationEndpoint: authorizationServer.authorizationEndpoint
authorizationMethods: contains(authorizationServer, 'authorizationMethods') ? authorizationServer.authorizationMethods : [
'GET'
]
bearerTokenSendingMethods: contains(authorizationServer, 'bearerTokenSendingMethods') ? authorizationServer.bearerTokenSendingMethods : [
'authorizationHeader'
]
clientAuthenticationMethod: contains(authorizationServer, 'clientAuthenticationMethod') ? authorizationServer.clientAuthenticationMethod : [
'Basic'
]
clientCredentialsKeyVaultId: authorizationServer.clientCredentialsKeyVaultId
clientIdSecretName: authorizationServer.clientIdSecretName
clientSecretSecretName: authorizationServer.clientSecretSecretName
clientRegistrationEndpoint: contains(authorizationServer, 'clientRegistrationEndpoint') ? authorizationServer.clientRegistrationEndpoint : ''
defaultScope: contains(authorizationServer, 'defaultScope') ? authorizationServer.defaultScope : ''
grantTypes: authorizationServer.grantTypes
resourceOwnerPassword: contains(authorizationServer, 'resourceOwnerPassword') ? authorizationServer.resourceOwnerPassword : ''
resourceOwnerUsername: contains(authorizationServer, 'resourceOwnerUsername') ? authorizationServer.resourceOwnerUsername : ''
serverDescription: contains(authorizationServer, 'serverDescription') ? authorizationServer.serverDescription : ''
supportState: contains(authorizationServer, 'supportState') ? authorizationServer.supportState : false
tokenBodyParameters: contains(authorizationServer, 'tokenBodyParameters') ? authorizationServer.tokenBodyParameters : []
tokenEndpoint: contains(authorizationServer, 'tokenEndpoint') ? authorizationServer.tokenEndpoint : ''
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module backends_resource 'backends/deploy.bicep' = [for (backend, index) in backends: {
name: '${uniqueString(deployment().name, location)}-Apim-Backend-${index}'
params: {
apiManagementServiceName: apiManagementService.name
url: contains(backend, 'url') ? backend.url : ''
backendDescription: contains(backend, 'backendDescription') ? backend.backendDescription : ''
credentials: contains(backend, 'credentials') ? backend.credentials : {}
name: backend.name
protocol: contains(backend, 'protocol') ? backend.protocol : 'http'
proxy: contains(backend, 'proxy') ? backend.proxy : {}
resourceId: contains(backend, 'resourceId') ? backend.resourceId : ''
serviceFabricCluster: contains(backend, 'serviceFabricCluster') ? backend.serviceFabricCluster : {}
title: contains(backend, 'title') ? backend.title : ''
tls: contains(backend, 'tls') ? backend.tls : {
validateCertificateChain: false
validateCertificateName: false
}
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module caches_resource 'caches/deploy.bicep' = [for (cache, index) in caches: {
name: '${uniqueString(deployment().name, location)}-Apim-Cache-${index}'
params: {
apiManagementServiceName: apiManagementService.name
cacheDescription: contains(cache, 'cacheDescription') ? cache.cacheDescription : ''
connectionString: cache.connectionString
name: cache.name
resourceId: contains(cache, 'resourceId') ? cache.resourceId : ''
useFromLocation: cache.useFromLocation
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module identityProvider_resource 'identityProviders/deploy.bicep' = [for (identityProvider, index) in identityProviders: {
name: '${uniqueString(deployment().name, location)}-Apim-IdentityProvider-${index}'
params: {
apiManagementServiceName: apiManagementService.name
name: identityProvider.name
enableIdentityProviders: contains(identityProvider, 'enableIdentityProviders') ? identityProvider.enableIdentityProviders : false
identityProviderAllowedTenants: contains(identityProvider, 'identityProviderAllowedTenants') ? identityProvider.identityProviderAllowedTenants : []
identityProviderAuthority: contains(identityProvider, 'identityProviderAuthority') ? identityProvider.identityProviderAuthority : ''
identityProviderClientId: contains(identityProvider, 'identityProviderClientId') ? identityProvider.identityProviderClientId : ''
identityProviderClientSecret: contains(identityProvider, 'identityProviderClientSecret') ? identityProvider.identityProviderClientSecret : ''
identityProviderPasswordResetPolicyName: contains(identityProvider, 'identityProviderPasswordResetPolicyName') ? identityProvider.identityProviderPasswordResetPolicyName : ''
identityProviderProfileEditingPolicyName: contains(identityProvider, 'identityProviderProfileEditingPolicyName') ? identityProvider.identityProviderProfileEditingPolicyName : ''
identityProviderSignInPolicyName: contains(identityProvider, 'identityProviderSignInPolicyName') ? identityProvider.identityProviderSignInPolicyName : ''
identityProviderSignInTenant: contains(identityProvider, 'identityProviderSignInTenant') ? identityProvider.identityProviderSignInTenant : ''
identityProviderSignUpPolicyName: contains(identityProvider, 'identityProviderSignUpPolicyName') ? identityProvider.identityProviderSignUpPolicyName : ''
identityProviderType: contains(identityProvider, 'identityProviderType') ? identityProvider.identityProviderType : 'aad'
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module namedValues_resource 'namedValues/deploy.bicep' = [for (namedValue, index) in namedValues: {
name: '${uniqueString(deployment().name, location)}-Apim-NamedValue-${index}'
params: {
apiManagementServiceName: apiManagementService.name
displayName: namedValue.displayName
keyVault: contains(namedValue, 'keyVault') ? namedValue.keyVault : {}
name: namedValue.name
namedValueTags: contains(namedValue, 'namedValueTags') ? namedValue.namedValueTags : []
secret: contains(namedValue, 'secret') ? namedValue.secret : false
value: contains(namedValue, 'value') ? namedValue.value : newGuidValue
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module portalSettings_resource 'portalsettings/deploy.bicep' = [for (portalSetting, index) in portalSettings: {
name: '${uniqueString(deployment().name, location)}-Apim-PortalSetting-${index}'
params: {
apiManagementServiceName: apiManagementService.name
name: portalSetting.name
properties: contains(portalSetting, 'properties') ? portalSetting.properties : {}
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module policy_resource 'policies/deploy.bicep' = [for (policy, index) in policies: {
name: '${uniqueString(deployment().name, location)}-Apim-Policy-${index}'
params: {
apiManagementServiceName: apiManagementService.name
value: policy.value
format: contains(policy, 'format') ? policy.format : 'xml'
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module products_resource 'products/deploy.bicep' = [for (product, index) in products: {
name: '${uniqueString(deployment().name, location)}-Apim-Product-${index}'
params: {
apiManagementServiceName: apiManagementService.name
apis: contains(product, 'apis') ? product.apis : []
approvalRequired: contains(product, 'approvalRequired') ? product.approvalRequired : false
groups: contains(product, 'groups') ? product.groups : []
name: product.name
productDescription: contains(product, 'productDescription') ? product.productDescription : ''
state: contains(product, 'state') ? product.state : 'published'
subscriptionRequired: contains(product, 'subscriptionRequired') ? product.subscriptionRequired : false
subscriptionsLimit: contains(product, 'subscriptionsLimit') ? product.subscriptionsLimit : 1
terms: contains(product, 'terms') ? product.terms : ''
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
dependsOn: [
apis_resource
]
}]
module subscriptions_resource 'subscriptions/deploy.bicep' = [for (subscription, index) in subscriptions: {
name: '${uniqueString(deployment().name, location)}-Apim-Subscription-${index}'
params: {
apiManagementServiceName: apiManagementService.name
name: contains(subscription, 'name') ? subscription.name : ''
allowTracing: contains(subscription, 'allowTracing') ? subscription.allowTracing : false
ownerId: contains(subscription, 'ownerId') ? subscription.ownerId : ''
primaryKey: contains(subscription, 'primaryKey') ? subscription.primaryKey : ''
scope: contains(subscription, 'scope') ? subscription.scope : '/apis'
secondaryKey: contains(subscription, 'secondaryKey') ? subscription.secondaryKey : ''
state: contains(subscription, 'state') ? subscription.state : ''
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
resource apiManagementService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
name: '${apiManagementService.name}-${lock}-lock'
properties: {
level: any(lock)
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: apiManagementService
}
resource apiManagementService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
name: diagnosticSettingsName
properties: {
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
metrics: diagnosticsMetrics
logs: diagnosticsLogs
}
scope: apiManagementService
}
module apiManagementService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-Apim-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
principalIds: roleAssignment.principalIds
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
resourceId: apiManagementService.id
}
}]
@description('The name of the API management service.')
output name string = apiManagementService.name
@description('The resource ID of the API management service.')
output resourceId string = apiManagementService.id
@description('The resource group the API management service was deployed into.')
output resourceGroupName string = resourceGroup().name
@description('The principal ID of the system assigned identity.')
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(apiManagementService.identity, 'principalId') ? apiManagementService.identity.principalId : ''
@description('The location the resource was deployed into.')
output location string = apiManagementService.location


@ -0,0 +1,95 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Used to enable the deployment of the identityProviders child resource.')
param enableIdentityProviders bool = false
@description('Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string.')
param identityProviderAllowedTenants array = []
@description('Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C.')
param identityProviderAuthority string = ''
@description('Conditional. Client ID of the Application in the external Identity Provider. Required if identity provider is used.')
param identityProviderClientId string = ''
@description('Conditional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used.')
@secure()
param identityProviderClientSecret string = ''
@description('Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider.')
#disable-next-line secure-secrets-in-params // Not a secret
param identityProviderPasswordResetPolicyName string = ''
@description('Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider.')
param identityProviderProfileEditingPolicyName string = ''
@description('Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider.')
param identityProviderSignInPolicyName string = ''
@description('Optional. The TenantId to use instead of Common when logging into Active Directory.')
param identityProviderSignInTenant string = ''
@description('Optional. Signup Policy Name. Only applies to AAD B2C Identity Provider.')
param identityProviderSignUpPolicyName string = ''
@description('Optional. Identity Provider Type identifier.')
@allowed([
'aad'
'aadB2C'
'facebook'
'google'
'microsoft'
'twitter'
])
param identityProviderType string = 'aad'
@description('Required. Identity provider name.')
param name string
var isAadB2C = (identityProviderType == 'aadB2C')
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource identityProvider 'Microsoft.ApiManagement/service/identityProviders@2021-08-01' = if (enableIdentityProviders) {
name: name
parent: service
properties: {
type: identityProviderType
signinTenant: identityProviderSignInTenant
allowedTenants: identityProviderAllowedTenants
authority: identityProviderAuthority
signupPolicyName: isAadB2C ? identityProviderSignUpPolicyName : null
signinPolicyName: isAadB2C ? identityProviderSignInPolicyName : null
profileEditingPolicyName: isAadB2C ? identityProviderProfileEditingPolicyName : null
passwordResetPolicyName: isAadB2C ? identityProviderPasswordResetPolicyName : null
clientId: identityProviderClientId
clientSecret: identityProviderClientSecret
}
}
@description('The resource ID of the API management service identity provider.')
output resourceId string = identityProvider.id
@description('The name of the API management service identity provider.')
output name string = identityProvider.name
@description('The resource group the API management service identity provider was deployed into.')
output resourceGroupName string = resourceGroup().name
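Review bot: `identityProviderClientSecret` is correctly marked `@secure()` on L3131–L3132, but that protection only holds if the caller also supplies it through a secure parameter; the parent template feeds it from an element of the `identityProviders` array (`identityProvider.identityProviderClientSecret` in the section above), and if that array is a plain `array` parameter the secret is recorded in clear text in the deployment history and in any pipeline log that dumps inputs. The parent's `param identityProviders` declaration is outside this view, so this needs confirming; if it is not secure, the safer pattern is a Key Vault reference or a dedicated `@secure()` parameter rather than embedding the secret in the object array. A short comment above the `@secure()` line would make the contract explicit for callers: `// Caller must supply this via a secure parameter or Key Vault reference; plain object arrays are logged in deployment history.`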


@ -0,0 +1,57 @@
# API Management Service Identity Providers `[Microsoft.ApiManagement/service/identityProviders]`
This module deploys API Management Service Identity Provider.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Identity provider name. |
**Conditional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `apiManagementServiceName` | string | | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
| `identityProviderClientId` | string | `''` | Client ID of the Application in the external Identity Provider. Required if identity provider is used. |
| `identityProviderClientSecret` | secureString | `''` | Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enableIdentityProviders` | bool | `False` | | Used to enable the deployment of the identityProviders child resource. |
| `identityProviderAllowedTenants` | array | `[]` | | List of Allowed Tenants when configuring Azure Active Directory login. - string. |
| `identityProviderAuthority` | string | `''` | | OpenID Connect discovery endpoint hostname for AAD or AAD B2C. |
| `identityProviderPasswordResetPolicyName` | string | `''` | | Password Reset Policy Name. Only applies to AAD B2C Identity Provider. |
| `identityProviderProfileEditingPolicyName` | string | `''` | | Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. |
| `identityProviderSignInPolicyName` | string | `''` | | Signin Policy Name. Only applies to AAD B2C Identity Provider. |
| `identityProviderSignInTenant` | string | `''` | | The TenantId to use instead of Common when logging into Active Directory. |
| `identityProviderSignUpPolicyName` | string | `''` | | Signup Policy Name. Only applies to AAD B2C Identity Provider. |
| `identityProviderType` | string | `'aad'` | `[aad, aadB2C, facebook, google, microsoft, twitter]` | Identity Provider Type identifier. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service identity provider. |
| `resourceGroupName` | string | The resource group the API management service identity provider was deployed into. |
| `resourceId` | string | The resource ID of the API management service identity provider. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}

Просмотреть файл

@ -0,0 +1,63 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string = ''
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters.')
param displayName string
@description('Optional. KeyVault location details of the namedValue.')
param keyVault object = {}
@description('Required. Named value Name.')
param name string
@description('Optional. Tags that when provided can be used to filter the NamedValue list. - string.')
param namedValueTags array = []
@description('Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false.')
#disable-next-line secure-secrets-in-params // Not a secret
param secret bool = false
@description('Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
param value string = newGuid()
var keyVaultEmpty = empty(keyVault)
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource namedValue 'Microsoft.ApiManagement/service/namedValues@2021-08-01' = {
name: name
parent: service
properties: {
tags: !empty(namedValueTags) ? namedValueTags : null
secret: secret
displayName: displayName
value: keyVaultEmpty ? value : null
keyVault: !keyVaultEmpty ? keyVault : null
}
}
@description('The resource ID of the named value.')
output resourceId string = namedValue.id
@description('The name of the named value.')
output name string = namedValue.name
@description('The resource group the named value was deployed into.')
output resourceGroupName string = resourceGroup().name
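Review bot: `param value string = newGuid()` (L3267–L3268) is not `@secure()`, yet this module explicitly supports secret named values (`secret: secret` on L3289); when a caller sets `secret: true` and passes the secret through `value`, it lands in clear text in the deployment history even though APIM then stores it encrypted. Mark it secure — `newGuid()` is an accepted default for a secure parameter under the linter's `secure-parameter-default` rule — by adding `@secure()` on the line before `param value string = newGuid()`. Separately, `param apiManagementServiceName string = ''` on L3253 differs from the sibling modules (L3119, L3377), which declare it without a default; an empty name here only fails later on the `existing` lookup, so dropping the default would give the same early validation error as the others.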


@ -0,0 +1,82 @@
# API Management Service Named Values `[Microsoft.ApiManagement/service/namedValues]`
This module deploys API Management Service Named Values.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `displayName` | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. |
| `name` | string | Named value Name. |
**Conditional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `apiManagementServiceName` | string | `''` | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `keyVault` | object | `{object}` | KeyVault location details of the namedValue. |
| `namedValueTags` | array | `[]` | Tags that when provided can be used to filter the NamedValue list. - string. |
| `secret` | bool | `False` | Determines whether the value is a secret and should be encrypted or not. Default value is false. |
| `value` | string | `[newGuid()]` | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
### Parameter Usage: `keyVault`
<details>
<summary>Parameter JSON format</summary>
```json
"keyVault": {
"value":{
"secretIdentifier":"Key vault secret identifier for fetching secret.",
"identityClientId":"SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret."
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
keyVault: {
secretIdentifier:'Key vault secret identifier for fetching secret.'
identityClientId:'SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret.'
}
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the named value. |
| `resourceGroupName` | string | The resource group the named value was deployed into. |
| `resourceId` | string | The resource ID of the named value. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,54 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. The name of the policy.')
param name string = 'policy'
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Format of the policyContent.')
@allowed([
'rawxml'
'rawxml-link'
'xml'
'xml-link'
])
param format string = 'xml'
@description('Required. Contents of the Policy as defined by the format.')
param value string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource policy 'Microsoft.ApiManagement/service/policies@2021-08-01' = {
name: name
parent: service
properties: {
format: format
value: value
}
}
@description('The resource ID of the API management service policy.')
output resourceId string = policy.id
@description('The name of the API management service policy.')
output name string = policy.name
@description('The resource group the API management service policy was deployed into.')
output resourceGroupName string = resourceGroup().name
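Review bot: `param name string = 'policy'` (L3378–L3379) is declared as a free-form string, but as far as I know the `Microsoft.ApiManagement/service/policies` resource accepts only `policy` as its name, so any other value fails at deployment time rather than at validation. Constraining it the way the portal settings module constrains its `name` would surface the error earlier: `@allowed([ 'policy' ])` above the `param name` line, or drop the parameter and hard-code `name: 'policy'`. A comment on `format` would also help callers, since the `xml-link`/`rawxml-link` values make APIM fetch the policy from the URL given in `value` rather than treating `value` as policy content: `// For *-link formats, value is a URL APIM fetches at deployment time.`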


@ -0,0 +1,48 @@
# API Management Service Policies `[Microsoft.ApiManagement/service/policies]`
This module deploys API Management Service Policy.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `value` | string | Contents of the Policy as defined by the format. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. |
| `name` | string | `'policy'` | | The name of the policy. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service policy. |
| `resourceGroupName` | string | The resource group the API management service policy was deployed into. |
| `resourceId` | string | The resource ID of the API management service policy. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,47 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Required. Portal setting name.')
@allowed([
'delegation'
'signin'
'signup'
])
param name string
@description('Optional. Portal setting properties.')
param properties object = {}
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource portalSetting 'Microsoft.ApiManagement/service/portalsettings@2021-08-01' = if (!empty(properties)) {
name: any(name)
parent: service
properties: properties
}
@description('The resource ID of the API management service portal setting.')
output resourceId string = portalSetting.id
@description('The name of the API management service portal setting.')
output name string = portalSetting.name
@description('The resource group the API management service portal setting was deployed into.')
output resourceGroupName string = resourceGroup().name
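Review bot: `param properties object = {}` (L3481–L3482) is a plain object, but for `name: 'delegation'` the properties carry the delegation validation key, which is a shared secret; passed this way it is written in clear text to the deployment history. Declaring it secure (an empty `{}` default is still permitted) keeps the key out of the history: add `@secure()` immediately above `param properties object = {}`. The resource name on L3498 also uses `any(name)` without explanation — presumably because the resource type expects a literal-union name while `name` is a `string` narrowed only by `@allowed` — so a one-line comment would help the next reader: `// any() satisfies the resource type's literal name; actual values are constrained by @allowed above.`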


@ -0,0 +1,47 @@
# API Management Service Portal Settings `[Microsoft.ApiManagement/service/portalsettings]`
This module deploys API Management Service Portal Setting.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) |
## Parameters
**Required parameters**
| Parameter Name | Type | Allowed Values | Description |
| :-- | :-- | :-- | :-- |
| `name` | string | `[delegation, signin, signup]` | Portal setting name. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `properties` | object | `{object}` | Portal setting properties. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service portal setting. |
| `resourceGroupName` | string | The resource group the API management service portal setting was deployed into. |
| `resourceId` | string | The resource ID of the API management service portal setting. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,45 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
param productName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Required. Name of the product API.')
param name string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
resource product 'products@2021-04-01-preview' existing = {
name: productName
}
}
resource api 'Microsoft.ApiManagement/service/products/apis@2021-08-01' = {
name: name
parent: service::product
}
@description('The resource ID of the product API.')
output resourceId string = api.id
@description('The name of the product API.')
output name string = api.name
@description('The resource group the product API was deployed into.')
output resourceGroupName string = resourceGroup().name
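Review bot: The nested `existing` product reference on L3578 uses API version `products@2021-04-01-preview` while the parent `service` (L3576) and the `api` resource (L3582) use `2021-08-01`; mixing a preview API version into an otherwise GA module is inconsistent, and preview versions can be retired independently of the GA one. Since the existing-resource lookup only needs the name, aligning it to `resource product 'products@2021-08-01' existing = {` is a one-line change with no behavioural impact. A brief comment on the nested declaration would also help: `// Nested existing reference so the API can be parented via service::product.`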


@ -0,0 +1,47 @@
# API Management Service Products APIs `[Microsoft.ApiManagement/service/products/apis]`
This module deploys API Management Service Product APIs.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Name of the product API. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the product API. |
| `resourceGroupName` | string | The resource group the product API was deployed into. |
| `resourceId` | string | The resource ID of the product API. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,99 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false.')
param approvalRequired bool = false
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Product description. May include HTML formatting tags.')
param productDescription string = ''
@description('Optional. Array of Product APIs.')
param apis array = []
@description('Optional. Array of Product Groups.')
param groups array = []
@description('Required. Product Name.')
param name string
@description('Optional. whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published.')
param state string = 'published'
@description('Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it\'s value is assumed to be true.')
param subscriptionRequired bool = false
@description('Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false.')
param subscriptionsLimit int = 1
@description('Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process.')
param terms string = ''
var enableReferencedModulesTelemetry = false
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource product 'Microsoft.ApiManagement/service/products@2021-08-01' = {
name: name
parent: service
properties: {
description: productDescription
displayName: name
terms: terms
subscriptionRequired: subscriptionRequired
approvalRequired: subscriptionRequired ? approvalRequired : null
subscriptionsLimit: subscriptionRequired ? subscriptionsLimit : null
state: state
}
}
module product_apis 'apis/deploy.bicep' = [for (api, index) in apis: {
name: '${deployment().name}-Api-${index}'
params: {
apiManagementServiceName: apiManagementServiceName
name: api.name
productName: name
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
module product_groups 'groups/deploy.bicep' = [for (group, index) in groups: {
name: '${deployment().name}-Group-${index}'
params: {
apiManagementServiceName: apiManagementServiceName
name: group.name
productName: name
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
@description('The resource ID of the API management service product.')
output resourceId string = product.id
@description('The name of the API management service product.')
output name string = product.name
@description('The resource group the API management service product was deployed into.')
output resourceGroupName string = resourceGroup().name
@description('The Resources IDs of the API management service product APIs.')
output apiResourceIds array = [for index in range(0, length(apis)): product_apis[index].outputs.resourceId]
@description('The Resources IDs of the API management service product groups.')
output groupResourceIds array = [for index in range(0, length(groups)): product_groups[index].outputs.resourceId]
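Review bot: The default `param subscriptionRequired bool = false` makes every product deployed through this module "open" — requests to the APIs it contains succeed without a subscription key — while the parameter's own description states that the service assumes `true` when the property is omitted; either the default should become `true` so that an open product is an explicit caller choice, or the readme row for `subscriptionRequired` should state that this module's default is weaker than the platform's. The ternaries `approvalRequired: subscriptionRequired ? approvalRequired : null` and `subscriptionsLimit: subscriptionRequired ? subscriptionsLimit : null` pass the values only when `subscriptionRequired` is true, which contradicts both descriptions ("Can be present only if subscriptionRequired property is present and has a value of false"); the descriptions should be corrected to match the code, and the `subscriptionsLimit` text should read "The number of subscriptions a user can have …" since the parameter is an int. `param state string = 'published'` accepts any string although the description names only two values; an `@allowed([ 'notPublished', 'published' ])` decorator would reject a typo at validation time instead of at deployment.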

@ -0,0 +1,45 @@
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
param productName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Required. Name of the product group.')
param name string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
resource product 'products@2021-04-01-preview' existing = {
name: productName
}
}
resource group 'Microsoft.ApiManagement/service/products/groups@2021-08-01' = {
name: name
parent: service::product
}
@description('The resource ID of the product group.')
output resourceId string = group.id
@description('The name of the product group.')
output name string = group.name
@description('The resource group the product group was deployed into.')
output resourceGroupName string = resourceGroup().name
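Review bot: The nested `resource product 'products@2021-04-01-preview' existing` resolves the parent product through a preview API version while the `service` and `group` resources in the same file use `2021-08-01`, and the accompanying readme's Resource Types table lists only `2021-08-01`; the stable version keeps the file self-consistent — `resource product 'products@2021-08-01' existing = {`. Pinning a preview version for an existing-resource lookup also ties the module to an API surface that can be withdrawn without notice, so the change is worth making before the module is published.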

@ -0,0 +1,47 @@
# API Management Service Products Groups `[Microsoft.ApiManagement/service/products/groups]`
This module deploys API Management Service Product Groups.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Name of the product group. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the product group. |
| `resourceGroupName` | string | The resource group the product group was deployed into. |
| `resourceId` | string | The resource ID of the product group. |
## Cross-referenced modules
_None_

@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}

@ -0,0 +1,58 @@
# API Management Service Products `[Microsoft.ApiManagement/service/products]`
This module deploys API Management Service Products.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) |
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Product Name. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `apis` | _[apis](apis/readme.md)_ array | `[]` | Array of Product APIs. |
| `approvalRequired` | bool | `False` | Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `groups` | _[groups](groups/readme.md)_ array | `[]` | Array of Product Groups. |
| `productDescription` | string | `''` | Product description. May include HTML formatting tags. |
| `state` | string | `'published'` | whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. |
| `subscriptionRequired` | bool | `False` | Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. |
| `subscriptionsLimit` | int | `1` | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. |
| `terms` | string | `''` | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `apiResourceIds` | array | The Resources IDs of the API management service product APIs. |
| `groupResourceIds` | array | The Resources IDs of the API management service product groups. |
| `name` | string | The name of the API management service product. |
| `resourceGroupName` | string | The resource group the API management service product was deployed into. |
| `resourceId` | string | The resource ID of the API management service product. |
## Cross-referenced modules
_None_

@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}

@ -0,0 +1,788 @@
# API Management Services `[Microsoft.ApiManagement/service]`
This module deploys an API management service.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Considerations](#Considerations)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service) |
| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) |
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) |
| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) |
| `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) |
| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) |
| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) |
| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) |
| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) |
| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) |
| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) |
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API Management service. |
| `publisherEmail` | string | The email address of the owner of the service. |
| `publisherName` | string | The name of the owner of the service. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `additionalLocations` | array | `[]` | | Additional datacenter locations of the API Management service. |
| `apis` | _[apis](apis/readme.md)_ array | `[]` | | APIs. |
| `apiVersionSets` | _[apiVersionSets](apiVersionSets/readme.md)_ array | `[]` | | API Version Sets. |
| `authorizationServers` | _[authorizationServers](authorizationServers/readme.md)_ array | `[]` | | Authorization servers. |
| `backends` | _[backends](backends/readme.md)_ array | `[]` | | Backends. |
| `caches` | _[caches](caches/readme.md)_ array | `[]` | | Caches. |
| `certificates` | array | `[]` | | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. |
| `customProperties` | object | `{object}` | | Custom properties of the API Management service. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
| `diagnosticLogCategoriesToEnable` | array | `[GatewayLogs]` | `[GatewayLogs]` | The name of logs that will be streamed. |
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `disableGateway` | bool | `False` | | Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
| `enableClientCertificate` | bool | `False` | | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `hostnameConfigurations` | array | `[]` | | Custom hostname configuration of the API Management service. |
| `identityProviders` | _[identityProviders](identityProviders/readme.md)_ array | `[]` | | Identity providers. |
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
| `minApiVersion` | string | `''` | | Limit control plane API calls to API Management service with version equal to or newer than this value. |
| `namedValues` | _[namedValues](namedValues/readme.md)_ array | `[]` | | Named values. |
| `newGuidValue` | string | `[newGuid()]` | | Necessary to create a new GUID. |
| `notificationSenderEmail` | string | `'apimgmt-noreply@mail.windowsazure.com'` | | The notification sender email address for the service. |
| `policies` | _[policies](policies/readme.md)_ array | `[]` | | Policies. |
| `portalSettings` | _[portalSettings](portalSettings/readme.md)_ array | `[]` | | Portal settings. |
| `products` | _[products](products/readme.md)_ array | `[]` | | Products. |
| `restore` | bool | `False` | | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `sku` | string | `'Developer'` | `[Basic, Consumption, Developer, Premium, Standard]` | The pricing tier of this API Management service. |
| `skuCount` | int | `1` | `[1, 2]` | The instance size of this API Management service. |
| `subnetResourceId` | string | `''` | | The full resource ID of a subnet in a virtual network to deploy the API Management service in. |
| `subscriptions` | _[subscriptions](subscriptions/readme.md)_ array | `[]` | | Subscriptions. |
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
| `tags` | object | `{object}` | | Tags of the resource. |
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
| `virtualNetworkType` | string | `'None'` | `[External, Internal, None]` | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. |
| `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. |
### Parameter Usage: `roleAssignments`
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
<details>
<summary>Parameter JSON format</summary>
```json
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"description": "Reader Role Assignment",
"principalIds": [
"12345678-1234-1234-1234-123456789012", // object 1
"78945612-1234-1234-1234-123456789012" // object 2
]
},
{
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"principalIds": [
"12345678-1234-1234-1234-123456789012" // object 1
],
"principalType": "ServicePrincipal"
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
'78945612-1234-1234-1234-123456789012' // object 2
]
}
{
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
]
principalType: 'ServicePrincipal'
}
]
```
</details>
<p>
### Parameter Usage: `tags`
Tag names and tag values can be provided as needed. A tag can be left without a value.
<details>
<summary>Parameter JSON format</summary>
```json
"tags": {
"value": {
"Environment": "Non-Prod",
"Contact": "test.user@testcompany.com",
"PurchaseOrder": "1234",
"CostCenter": "7890",
"ServiceName": "DeploymentValidation",
"Role": "DeploymentValidation"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tags: {
Environment: 'Non-Prod'
Contact: 'test.user@testcompany.com'
PurchaseOrder: '1234'
CostCenter: '7890'
ServiceName: 'DeploymentValidation'
Role: 'DeploymentValidation'
}
```
</details>
<p>
### Parameter Usage: `apiManagementServicePolicy`
<details>
<summary>Parameter JSON format</summary>
```json
"apiManagementServicePolicy": {
"value": {
"value":"<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
"format":"xml"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
apiManagementServicePolicy: {
value:'<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period='60' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
format:'xml'
}
```
</details>
<p>
### Parameter Usage: `userAssignedIdentities`
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
<details>
<summary>Parameter JSON format</summary>
```json
"userAssignedIdentities": {
"value": {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
userAssignedIdentities: {
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
}
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the API management service. |
| `resourceGroupName` | string | The resource group the API management service was deployed into. |
| `resourceId` | string | The resource ID of the API management service. |
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
## Considerations
- *None*
## Cross-referenced modules
This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
| Reference | Type |
| :-- | :-- |
| `Microsoft.ApiManagement/authorizationServers` | Local reference |
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Max</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Service'
params: {
// Required parameters
name: '<<namePrefix>>-az-apim-max-001'
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
publisherName: '<<namePrefix>>-az-amorg-x-001'
// Non-required parameters
apis: [
{
apiVersionSet: {
name: 'echo-version-set'
properties: {
description: 'echo-version-set'
displayName: 'echo-version-set'
versioningScheme: 'Segment'
}
}
displayName: 'Echo API'
name: 'echo-api'
path: 'echo'
serviceUrl: 'http://echoapi.cloudapp.net/api'
}
]
authorizationServers: [
{
authorizationEndpoint: 'https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize'
clientCredentialsKeyVaultId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
clientIdSecretName: 'apimclientid'
clientRegistrationEndpoint: 'http://localhost'
clientSecretSecretName: 'apimclientsecret'
grantTypes: [
'authorizationCode'
]
name: 'AuthServer1'
tokenEndpoint: 'https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token'
}
]
backends: [
{
name: 'backend'
tls: {
validateCertificateChain: false
validateCertificateName: false
}
url: 'http://echoapi.cloudapp.net/api'
}
]
caches: [
{
connectionString: 'connectionstringtest'
name: 'westeurope'
useFromLocation: 'westeurope'
}
]
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
diagnosticLogsRetentionInDays: 7
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
identityProviders: [
{
name: 'aadProvider'
}
]
lock: 'CanNotDelete'
namedValues: [
{
displayName: 'apimkey'
name: 'apimkey'
secret: true
}
]
policies: [
{
format: 'xml'
value: '<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
}
]
portalSettings: [
{
name: 'signin'
properties: {
enabled: false
}
}
{
name: 'signup'
properties: {
enabled: false
termsOfService: {
consentRequired: false
enabled: false
}
}
}
]
products: [
{
apis: [
{
name: 'echo-api'
}
]
approvalRequired: false
groups: [
{
name: 'developers'
}
]
name: 'Starter'
subscriptionRequired: false
}
]
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
subscriptions: [
{
name: 'testArmSubscriptionAllApis'
scope: '/apis'
}
]
systemAssignedIdentity: true
userAssignedIdentities: {
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001': {}
}
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-apim-max-001"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
},
// Non-required parameters
"apis": {
"value": [
{
"apiVersionSet": {
"name": "echo-version-set",
"properties": {
"description": "echo-version-set",
"displayName": "echo-version-set",
"versioningScheme": "Segment"
}
},
"displayName": "Echo API",
"name": "echo-api",
"path": "echo",
"serviceUrl": "http://echoapi.cloudapp.net/api"
}
]
},
"authorizationServers": {
"value": [
{
"authorizationEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize",
"clientCredentialsKeyVaultId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001",
"clientIdSecretName": "apimclientid",
"clientRegistrationEndpoint": "http://localhost",
"clientSecretSecretName": "apimclientsecret",
"grantTypes": [
"authorizationCode"
],
"name": "AuthServer1",
"tokenEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token"
}
]
},
"backends": {
"value": [
{
"name": "backend",
"tls": {
"validateCertificateChain": false,
"validateCertificateName": false
},
"url": "http://echoapi.cloudapp.net/api"
}
]
},
"caches": {
"value": [
{
"connectionString": "connectionstringtest",
"name": "westeurope",
"useFromLocation": "westeurope"
}
]
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"identityProviders": {
"value": [
{
"name": "aadProvider"
}
]
},
"lock": {
"value": "CanNotDelete"
},
"namedValues": {
"value": [
{
"displayName": "apimkey",
"name": "apimkey",
"secret": true
}
]
},
"policies": {
"value": [
{
"format": "xml",
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
}
]
},
"portalSettings": {
"value": [
{
"name": "signin",
"properties": {
"enabled": false
}
},
{
"name": "signup",
"properties": {
"enabled": false,
"termsOfService": {
"consentRequired": false,
"enabled": false
}
}
}
]
},
"products": {
"value": [
{
"apis": [
{
"name": "echo-api"
}
],
"approvalRequired": false,
"groups": [
{
"name": "developers"
}
],
"name": "Starter",
"subscriptionRequired": false
}
]
},
"roleAssignments": {
"value": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
]
},
"subscriptions": {
"value": [
{
"name": "testArmSubscriptionAllApis",
"scope": "/apis"
}
]
},
"systemAssignedIdentity": {
"value": true
},
"userAssignedIdentities": {
"value": {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
}
}
}
}
```
</details>
<p>
<h3>Example 2: Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Service'
params: {
// Required parameters
name: '<<namePrefix>>-az-apim-min-001'
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
publisherName: '<<namePrefix>>-az-amorg-x-001'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-apim-min-001"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
}
}
}
```
</details>
<p>
<h3>Example 3: Parameters</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Service'
params: {
// Required parameters
name: '<<namePrefix>>-az-apim-x-001'
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
publisherName: '<<namePrefix>>-az-amorg-x-001'
// Non-required parameters
lock: 'CanNotDelete'
policies: [
{
format: 'xml'
value: '<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
}
]
portalSettings: [
{
name: 'signin'
properties: {
enabled: false
}
}
{
name: 'signup'
properties: {
enabled: false
termsOfService: {
consentRequired: false
enabled: false
}
}
}
]
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-apim-x-001"
},
"publisherEmail": {
"value": "apimgmt-noreply@mail.windowsazure.com"
},
"publisherName": {
"value": "<<namePrefix>>-az-amorg-x-001"
},
// Non-required parameters
"lock": {
"value": "CanNotDelete"
},
"policies": {
"value": [
{
"format": "xml",
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
}
]
},
"portalSettings": {
"value": [
{
"name": "signin",
"properties": {
"enabled": false
}
},
{
"name": "signup",
"properties": {
"enabled": false,
"termsOfService": {
"consentRequired": false,
"enabled": false
}
}
}
]
},
"roleAssignments": {
"value": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
]
}
}
}
```
</details>
<p>


@ -0,0 +1,65 @@
@description('Optional. Determines whether tracing can be enabled.')
param allowTracing bool = true
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
param apiManagementServiceName string
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. User (user ID path) for whom subscription is being created in form /users/{userId}.')
param ownerId string = ''
@description('Optional. Primary subscription key. If not specified during request key will be generated automatically.')
param primaryKey string = ''
@description('Optional. Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}".')
param scope string = '/apis'
@description('Optional. Secondary subscription key. If not specified during request key will be generated automatically.')
param secondaryKey string = ''
@description('Optional. Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled.')
param state string = ''
@description('Required. Subscription name.')
param name string
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
name: apiManagementServiceName
}
resource subscription 'Microsoft.ApiManagement/service/subscriptions@2021-08-01' = {
name: name
parent: service
properties: {
scope: scope
displayName: name
ownerId: !empty(ownerId) ? ownerId : null
primaryKey: !empty(primaryKey) ? primaryKey : null
secondaryKey: !empty(secondaryKey) ? secondaryKey : null
state: !empty(state) ? state : null
allowTracing: allowTracing
}
}
@description('The resource ID of the API management service subscription.')
output resourceId string = subscription.id
@description('The name of the API management service subscription.')
output name string = subscription.name
@description('The resource group the API management service subscription was deployed into.')
output resourceGroupName string = resourceGroup().name
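Review bot: `param primaryKey string = ''` and `param secondaryKey string = ''` hold subscription keys but carry no `@secure()` decorator, so whatever a caller passes is recorded in plain text in the deployment history and readable by anyone with read access on the resource group. Add `@secure()` above each of the two declarations; an empty-string default is still permitted on a secure parameter. The `state` parameter would also benefit from an `@allowed(['', 'active', 'cancelled', 'expired', 'rejected', 'submitted', 'suspended'])` list matching the values its description enumerates, so an invalid state fails at validation rather than at the API, and that description text itself is garbled (`"*" active "?"`) and should be rewritten as a plain list.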


@ -0,0 +1,52 @@
# API Management Subscriptions `[Microsoft.ApiManagement/service/subscriptions]`
This module deploys API Management Subscriptions.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Subscription name. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `allowTracing` | bool | `True` | Determines whether tracing can be enabled. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `ownerId` | string | `''` | User (user ID path) for whom subscription is being created in form /users/{userId}. |
| `primaryKey` | string | `''` | Primary subscription key. If not specified during request key will be generated automatically. |
| `scope` | string | `'/apis'` | Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". |
| `secondaryKey` | string | `''` | Secondary subscription key. If not specified during request key will be generated automatically. |
| `state` | string | `''` | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the API management service subscription. |
| `resourceGroupName` | string | The resource group the API management service subscription was deployed into. |
| `resourceId` | string | The resource ID of the API management service subscription. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,70 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''
@sys.description('Optional. The description of the role assignment.')
param description string = ''
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
param condition string = ''
@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'
@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''
var builtInRoleNames = {
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
name: last(split(resourceId, '/'))
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? any(principalType) : null
condition: !empty(condition) ? condition : null
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
}
scope: appConfiguration
}]
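Review bot: Every decorator in this file is written as `@sys.description(...)` rather than `@description(...)`, and nothing says why; the reason is the `param description string = ''` declaration further down, which shadows the `description` decorator function in this file's scope. A one-line comment above the first decorator would stop the next maintainer from "normalising" it back and breaking the compile, e.g. `// The 'description' parameter below shadows the description() decorator, so the sys namespace is required throughout this file`. The keyValues copy of this template later in the commit has the same pattern and would take the same comment.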


@ -0,0 +1,9 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-appc-min-001"
}
}
}


@ -0,0 +1,69 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-appc-x-001"
},
"lock": {
"value": "CanNotDelete"
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"systemAssignedIdentity": {
"value": true
},
"keyValues": {
"value": [
{
"name": "keyName",
"value": "valueName",
"contentType": "contentType",
"roleAssignments": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
}
]
},
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"principalIds": [
"<<deploymentSpId>>"
]
}
]
},
"createMode": {
"value": "Default"
},
"disableLocalAuth": {
"value": false
},
"enablePurgeProtection": {
"value": false
},
"softDeleteRetentionInDays": {
"value": 1
}
}
}


@ -0,0 +1,34 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-appc-pe-001"
},
"createMode": {
"value": "Default"
},
"disableLocalAuth": {
"value": false
},
"enablePurgeProtection": {
"value": false
},
"softDeleteRetentionInDays": {
"value": 1
},
"privateEndpoints": {
"value": [
{
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints",
"service": "configurationStores",
"privateDnsZoneGroup": {
"privateDNSResourceIds": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
]
}
}
]
}
}
}


@ -0,0 +1,244 @@
@description('Required. Name of the Azure App Configuration.')
param name string
@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
@description('Optional. Enables system assigned managed identity on the resource.')
param systemAssignedIdentity bool = false
@description('Optional. The ID(s) to assign to the resource.')
param userAssignedIdentities object = {}
@allowed([
'Free'
'Standard'
])
@description('Optional. Pricing tier of App Configuration.')
param sku string = 'Standard'
@allowed([
'Default'
'Recover'
])
@description('Optional. Indicates whether the configuration store need to be recovered.')
param createMode string = 'Default'
@description('Optional. Disables all authentication methods other than AAD authentication.')
param disableLocalAuth bool = false
@description('Optional. Property specifying whether protection against purge is enabled for this configuration store.')
param enablePurgeProtection bool = false
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
@allowed([
''
'Enabled'
'Disabled'
])
param publicNetworkAccess string = ''
@description('Optional. The amount of time in days that the configuration store will be retained when it is soft deleted.')
@minValue(1)
@maxValue(7)
param softDeleteRetentionInDays int = 1
@description('Optional. All Key / Values to create.')
param keyValues array = []
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@minValue(0)
@maxValue(365)
param diagnosticLogsRetentionInDays int = 365
@description('Optional. Resource ID of the diagnostic storage account.')
param diagnosticStorageAccountId string = ''
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
param diagnosticWorkspaceId string = ''
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
param diagnosticEventHubAuthorizationRuleId string = ''
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
param diagnosticEventHubName string = ''
@allowed([
''
'CanNotDelete'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
param lock string = ''
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
@description('Optional. Tags of the resource.')
param tags object = {}
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. The name of logs that will be streamed.')
@allowed([
'HttpRequest'
'Audit'
])
param diagnosticLogCategoriesToEnable array = [
'HttpRequest'
'Audit'
]
@description('Optional. The name of metrics that will be streamed.')
@allowed([
'AllMetrics'
])
param diagnosticMetricsToEnable array = [
'AllMetrics'
]
@description('Optional. The name of the diagnostic setting, if deployed.')
param diagnosticSettingsName string = '${name}-diagnosticSettings'
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
param privateEndpoints array = []
var enableReferencedModulesTelemetry = false
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
category: category
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
category: metric
timeGrain: null
enabled: true
retentionPolicy: {
enabled: true
days: diagnosticLogsRetentionInDays
}
}]
var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
var identity = {
type: identityType
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
}
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' = {
name: name
location: location
tags: tags
sku: {
name: sku
}
identity: identity
properties: {
createMode: createMode
disableLocalAuth: disableLocalAuth
enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null
softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays
}
}
module configurationStore_keyValues 'keyValues/deploy.bicep' = [for (keyValue, index) in keyValues: {
name: '${uniqueString(deployment().name, location)}-AppConfig-KeyValues-${index}'
params: {
appConfigurationName: configurationStore.name
name: keyValue.name
value: keyValue.value
contentType: contains(keyValue, 'contentType') ? keyValue.contentType : ''
tags: contains(keyValue, 'tags') ? keyValue.tags : {}
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}]
resource configurationStore_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
name: '${configurationStore.name}-${lock}-lock'
properties: {
level: any(lock)
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: configurationStore
}
resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
name: diagnosticSettingsName
properties: {
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
metrics: diagnosticsMetrics
logs: diagnosticsLogs
}
scope: configurationStore
}
module configurationStore_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
principalIds: roleAssignment.principalIds
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
resourceId: configurationStore.id
}
}]
module configurationStore_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
name: '${uniqueString(deployment().name, location)}-AppConfig-PrivateEndpoint-${index}'
params: {
groupIds: [
privateEndpoint.service
]
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(configurationStore.id, '/'))}-${privateEndpoint.service}-${index}'
serviceResourceId: configurationStore.id
subnetResourceId: privateEndpoint.subnetResourceId
enableDefaultTelemetry: enableReferencedModulesTelemetry
location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
}
}]
@description('The name of the app configuration.')
output name string = configurationStore.name
@description('The resource ID of the app configuration.')
output resourceId string = configurationStore.id
@description('The resource group the app configuration store was deployed into.')
output resourceGroupName string = resourceGroup().name
@description('The principal ID of the system assigned identity.')
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : ''
@description('The location the resource was deployed into.')
output location string = configurationStore.location
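Review bot: The `publicNetworkAccess` description promises that, when the parameter is left empty, public access "will be disabled by default if private endpoints are set", but the property assignment `publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null` never consults `privateEndpoints`, so a store deployed with private endpoints and no explicit value keeps the service default. Either implement the documented behaviour, `publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)`, or drop that sentence from the description. Separately, the `configurationStore_keyValues` module call forwards only `name`, `value`, `contentType` and `tags`, so the `roleAssignments` that the parameters file in this same commit nests under `keyValues` is silently ignored. `disableLocalAuth` defaulting to `false` leaves access-key authentication enabled; presumably intentional for compatibility, but the description should say so, since the parameter text reads as if AAD-only were the goal.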


@ -0,0 +1,67 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''
@sys.description('Optional. The description of the role assignment.')
param description string = ''
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
param condition string = ''
@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'
@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''
var builtInRoleNames = {
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
name: last(split(resourceId, '/'))
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? principalType : null
}
scope: appConfiguration
}]
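Review bot: `condition`, `conditionVersion` and `delegatedManagedIdentityResourceId` are declared as parameters but never written to the `roleAssignment` properties block, so a caller setting a condition gets an unconditional assignment with no error; either add the three properties as the store-level copy of this template does, or remove the parameters. This template also appears unreachable from the rest of the commit: `keyValues/deploy.bicep` declares no `roleAssignments` parameter and the parent module call does not forward one. If it is wired up later, note that `name: last(split(resourceId, '/'))` on a `configurationStores` existing resource would resolve to the key name rather than the store name when given a `configurationStores/keyValues` resource ID — presumably the intended scope is the key-value itself, which should be confirmed before use.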


@ -0,0 +1,51 @@
@description('Required. Name of the key.')
param name string
@description('Required. Name of the value.')
param value string
@description('Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment.')
param appConfigurationName string
@description('Optional. The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications.')
param contentType string = ''
@description('Optional. Tags of the resource.')
param tags object = {}
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') // update all the descriptions
param enableDefaultTelemetry bool = true
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
name: appConfigurationName
}
resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2021-10-01-preview' = {
name: name
parent: appConfiguration
properties: {
contentType: contentType
tags: tags
value: value
}
}
@description('The name of the key values.')
output name string = keyValues.name
@description('The resource ID of the key values.')
output resourceId string = keyValues.id
@description('The resource group the batch account was deployed into.')
output resourceGroupName string = resourceGroup().name
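Review bot: The `enableDefaultTelemetry` declaration carries a stray `// update all the descriptions` comment that reads like a leftover TODO and should be removed or tracked elsewhere, and the `resourceGroupName` output is described as "The resource group the batch account was deployed into." — a copy-paste from another module; it should read `@description('The resource group the key values were deployed into.')`. The `value` parameter is documented as "Name of the value." although it is the stored value itself, e.g. `@description('Required. The value of the key-value pair.')`. Because configuration values commonly hold connection strings and similar material, the module owners should decide whether `value` ought to be `@secure()` so it is kept out of deployment history; that is a design choice rather than a defect, but it deserves a sentence in the parameter description either way.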


@ -0,0 +1,182 @@
# App Configuration `[Microsoft.AppConfiguration/configurationStores/keyValues]`
This module deploys an App Configuration Store.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Name of the key. |
| `value` | string | Name of the value. |
**Conditional parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `appConfigurationName` | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `contentType` | string | `''` | The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `tags` | object | `{object}` | Tags of the resource. |
### Parameter Usage: `tags`
Tag names and tag values can be provided as needed. A tag can be left without a value.
<details>
<summary>Parameter JSON format</summary>
```json
"tags": {
"value": {
"Environment": "Non-Prod",
"Contact": "test.user@testcompany.com",
"PurchaseOrder": "1234",
"CostCenter": "7890",
"ServiceName": "DeploymentValidation",
"Role": "DeploymentValidation"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tags: {
Environment: 'Non-Prod'
Contact: 'test.user@testcompany.com'
PurchaseOrder: '1234'
CostCenter: '7890'
ServiceName: 'DeploymentValidation'
Role: 'DeploymentValidation'
}
```
</details>
<p>
### Parameter Usage: `userAssignedIdentities`
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
<details>
<summary>Parameter JSON format</summary>
```json
"userAssignedIdentities": {
"value": {
"/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
"/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
userAssignedIdentities: {
'/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
'/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
}
```
</details>
<p>
### Parameter Usage: `roleAssignments`
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
<details>
<summary>Parameter JSON format</summary>
```json
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"description": "Reader Role Assignment",
"principalIds": [
"12345678-1234-1234-1234-123456789012", // object 1
"78945612-1234-1234-1234-123456789012" // object 2
]
},
{
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"principalIds": [
"12345678-1234-1234-1234-123456789012" // object 1
],
"principalType": "ServicePrincipal"
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
'78945612-1234-1234-1234-123456789012' // object 2
]
}
{
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
]
principalType: 'ServicePrincipal'
}
]
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the key values. |
| `resourceGroupName` | string | The resource group the batch account was deployed into. |
| `resourceId` | string | The resource ID of the key values. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.1"
}


@ -0,0 +1,550 @@
# App Configuration `[Microsoft.AppConfiguration/configurationStores]`
This module deploys an App Configuration Store.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.AppConfiguration/configurationStores` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores) |
| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
| `Microsoft.Network/privateEndpoints` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints) |
| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints/privateDnsZoneGroups) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Name of the Azure App Configuration. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `createMode` | string | `'Default'` | `[Default, Recover]` | Indicates whether the configuration store need to be recovered. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
| `diagnosticLogCategoriesToEnable` | array | `[Audit, HttpRequest]` | `[Audit, HttpRequest]` | The name of logs that will be streamed. |
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enablePurgeProtection` | bool | `False` | | Property specifying whether protection against purge is enabled for this configuration store. |
| `keyValues` | _[keyValues](keyValues/readme.md)_ array | `[]` | | All Key / Values to create. |
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `sku` | string | `'Standard'` | `[Free, Standard]` | Pricing tier of App Configuration. |
| `softDeleteRetentionInDays` | int | `1` | | The amount of time in days that the configuration store will be retained when it is soft deleted. |
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
| `tags` | object | `{object}` | | Tags of the resource. |
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
### Parameter Usage: `tags`
Tag names and tag values can be provided as needed. A tag can be left without a value.
<details>
<summary>Parameter JSON format</summary>
```json
"tags": {
"value": {
"Environment": "Non-Prod",
"Contact": "test.user@testcompany.com",
"PurchaseOrder": "1234",
"CostCenter": "7890",
"ServiceName": "DeploymentValidation",
"Role": "DeploymentValidation"
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
tags: {
Environment: 'Non-Prod'
Contact: 'test.user@testcompany.com'
PurchaseOrder: '1234'
CostCenter: '7890'
ServiceName: 'DeploymentValidation'
Role: 'DeploymentValidation'
}
```
</details>
<p>
### Parameter Usage: `userAssignedIdentities`
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
<details>
<summary>Parameter JSON format</summary>
```json
"userAssignedIdentities": {
"value": {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
}
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
userAssignedIdentities: {
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
}
```
</details>
<p>
### Parameter Usage: `roleAssignments`
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
<details>
<summary>Parameter JSON format</summary>
```json
"roleAssignments": {
"value": [
{
"roleDefinitionIdOrName": "Reader",
"description": "Reader Role Assignment",
"principalIds": [
"12345678-1234-1234-1234-123456789012", // object 1
"78945612-1234-1234-1234-123456789012" // object 2
]
},
{
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"principalIds": [
"12345678-1234-1234-1234-123456789012" // object 1
],
"principalType": "ServicePrincipal"
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
'78945612-1234-1234-1234-123456789012' // object 2
]
}
{
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
principalIds: [
'12345678-1234-1234-1234-123456789012' // object 1
]
principalType: 'ServicePrincipal'
}
]
```
</details>
<p>
### Parameter Usage: `privateEndpoints`
To use Private Endpoint the following dependencies must be deployed:
- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
<details>
<summary>Parameter JSON format</summary>
```json
"privateEndpoints": {
"value": [
// Example showing all available fields
{
"name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
"service": "<serviceName>", // e.g. vault, registry, blob
"privateDnsZoneGroup": {
"privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/<privateDnsZoneName>" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
]
},
"customDnsConfigs": [ // Optional
{
"fqdn": "customname.test.local",
"ipAddresses": [
"10.10.10.10"
]
}
]
},
// Example showing only mandatory fields
{
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
"service": "<serviceName>" // e.g. vault, registry, blob
}
]
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
privateEndpoints: [
// Example showing all available fields
{
name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
service: '<serviceName>' // e.g. vault, registry, blob
privateDnsZoneGroups: {
privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/<privateDnsZoneName>' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
]
}
// Optional
customDnsConfigs: [
{
fqdn: 'customname.test.local'
ipAddresses: [
'10.10.10.10'
]
}
]
}
// Example showing only mandatory fields
{
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
service: '<serviceName>' // e.g. vault, registry, blob
}
]
```
</details>
<p>
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the app configuration. |
| `resourceGroupName` | string | The resource group the app configuration store was deployed into. |
| `resourceId` | string | The resource ID of the app configuration. |
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
## Cross-referenced modules
This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
| Reference | Type |
| :-- | :-- |
| `Microsoft.Network/privateEndpoints` | Local reference |
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-ConfigurationStores'
params: {
name: '<<namePrefix>>-az-appc-min-001'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-appc-min-001"
}
}
}
```
</details>
<p>
<h3>Example 2: Parameters</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-ConfigurationStores'
params: {
// Required parameters
name: '<<namePrefix>>-az-appc-x-001'
// Non-required parameters
createMode: 'Default'
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
diagnosticLogsRetentionInDays: 7
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
disableLocalAuth: false
enablePurgeProtection: false
keyValues: [
{
contentType: 'contentType'
name: 'keyName'
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
value: 'valueName'
}
]
lock: 'CanNotDelete'
roleAssignments: [
{
principalIds: [
'<<deploymentSpId>>'
]
roleDefinitionIdOrName: 'Reader'
}
]
softDeleteRetentionInDays: 1
systemAssignedIdentity: true
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-appc-x-001"
},
// Non-required parameters
"createMode": {
"value": "Default"
},
"diagnosticEventHubAuthorizationRuleId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
},
"diagnosticEventHubName": {
"value": "adp-<<namePrefix>>-az-evh-x-001"
},
"diagnosticLogsRetentionInDays": {
"value": 7
},
"diagnosticStorageAccountId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
},
"diagnosticWorkspaceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
},
"disableLocalAuth": {
"value": false
},
"enablePurgeProtection": {
"value": false
},
"keyValues": {
"value": [
{
"contentType": "contentType",
"name": "keyName",
"roleAssignments": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
],
"value": "valueName"
}
]
},
"lock": {
"value": "CanNotDelete"
},
"roleAssignments": {
"value": [
{
"principalIds": [
"<<deploymentSpId>>"
],
"roleDefinitionIdOrName": "Reader"
}
]
},
"softDeleteRetentionInDays": {
"value": 1
},
"systemAssignedIdentity": {
"value": true
}
}
}
```
</details>
<p>
<h3>Example 3: Pe</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-ConfigurationStores'
params: {
// Required parameters
name: '<<namePrefix>>-az-appc-pe-001'
// Non-required parameters
createMode: 'Default'
disableLocalAuth: false
enablePurgeProtection: false
privateEndpoints: [
{
privateDnsZoneGroup: {
privateDNSResourceIds: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io'
]
}
service: 'configurationStores'
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints'
}
]
softDeleteRetentionInDays: 1
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-appc-pe-001"
},
// Non-required parameters
"createMode": {
"value": "Default"
},
"disableLocalAuth": {
"value": false
},
"enablePurgeProtection": {
"value": false
},
"privateEndpoints": {
"value": [
{
"privateDnsZoneGroup": {
"privateDNSResourceIds": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
]
},
"service": "configurationStores",
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints"
}
]
},
"softDeleteRetentionInDays": {
"value": 1
}
}
}
```
</details>
<p>


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.3"
}


@ -0,0 +1,15 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"level": {
"value": "CanNotDelete"
},
"resourceGroupName": {
"value": "adp-<<namePrefix>>-az-locks-rg-001"
},
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}


@ -0,0 +1,69 @@
targetScope = 'subscription'
@allowed([
'CanNotDelete'
'ReadOnly'
])
@description('Required. Set lock level.')
param level string
@description('Optional. The decription attached to the lock.')
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
@description('Optional. Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group.')
param resourceGroupName string = ''
@description('Optional. Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription.')
param subscriptionId string = subscription().id
@sys.description('Optional. Location for all resources.')
param location string = deployment().location
var enableReferencedModulesTelemetry = false
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
location: location
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
module lock_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
name: '${uniqueString(deployment().name, location)}-Lock-Sub-Module'
scope: subscription(subscriptionId)
params: {
name: '${subscription().displayName}-${level}-lock'
level: level
notes: notes
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}
module lock_rg 'resourceGroup/deploy.bicep' = if (!empty(subscriptionId) && !empty(resourceGroupName)) {
name: '${uniqueString(deployment().name, location)}-Lock-RG-Module'
scope: resourceGroup(subscriptionId, resourceGroupName)
params: {
name: '${resourceGroupName}-${level}-lock'
level: level
notes: notes
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}
@description('The name of the lock.')
output name string = empty(resourceGroupName) ? lock_sub.outputs.name : lock_rg.outputs.name
@description('The resource ID of the lock.')
output resourceId string = empty(resourceGroupName) ? lock_sub.outputs.resourceId : lock_rg.outputs.resourceId
@sys.description('The scope this lock applies to.')
output scope string = empty(resourceGroupName) ? lock_sub.outputs.scope : lock_rg.outputs.scope


@ -0,0 +1,102 @@
# Authorization Locks `[Microsoft.Authorization/locks]`
This module deploys Authorization Locks.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
## Parameters
**Required parameters**
| Parameter Name | Type | Allowed Values | Description |
| :-- | :-- | :-- | :-- |
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `location` | string | `[deployment().location]` | Location for all resources. |
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
| `resourceGroupName` | string | `''` | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. |
| `subscriptionId` | string | `[subscription().id]` | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the lock. |
| `resourceId` | string | The resource ID of the lock. |
| `scope` | string | The scope this lock applies to. |
## Cross-referenced modules
_None_
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Rg</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module locks './Microsoft.Authorization/locks/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Locks'
params: {
// Required parameters
level: 'CanNotDelete'
// Non-required parameters
resourceGroupName: 'adp-<<namePrefix>>-az-locks-rg-001'
subscriptionId: '<<subscriptionId>>'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"level": {
"value": "CanNotDelete"
},
// Non-required parameters
"resourceGroupName": {
"value": "adp-<<namePrefix>>-az-locks-rg-001"
},
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}
```
</details>
<p>


@ -0,0 +1,49 @@
targetScope = 'resourceGroup'
@description('Optional. The name of the lock.')
param name string = '${level}-lock'
@allowed([
'CanNotDelete'
'ReadOnly'
])
@description('Required. Set lock level.')
param level string
@description('Optional. The decription attached to the lock.')
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource lock 'Microsoft.Authorization/locks@2017-04-01' = {
name: name
properties: {
level: level
notes: notes
}
}
@description('The name of the lock.')
output name string = lock.name
@description('The resource ID of the lock.')
output resourceId string = lock.id
@description('The name of the resource group name the lock was applied to.')
output resourceGroupName string = resourceGroup().name
@sys.description('The scope this lock applies to.')
output scope string = resourceGroup().id


@ -0,0 +1,44 @@
# Authorization Locks on Resource Group level `[Microsoft.Authorization/locks/resourceGroup]`
This module deploys Authorization Locks on Resource Group level.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
## Parameters
**Required parameters**
| Parameter Name | Type | Allowed Values | Description |
| :-- | :-- | :-- | :-- |
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. |
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the lock. |
| `resourceGroupName` | string | The name of the resource group name the lock was applied to. |
| `resourceId` | string | The resource ID of the lock. |
| `scope` | string | The scope this lock applies to. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.1"
}


@ -0,0 +1,49 @@
targetScope = 'subscription'
@description('Optional. The name of the lock.')
param name string = '${level}-lock'
@allowed([
'CanNotDelete'
'ReadOnly'
])
@description('Required. Set lock level.')
param level string
@description('Optional. The decription attached to the lock.')
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource lock 'Microsoft.Authorization/locks@2017-04-01' = {
name: name
properties: {
level: level
notes: notes
}
}
@description('The name of the lock.')
output name string = lock.name
@description('The resource ID of the lock.')
output resourceId string = lock.id
@description('The subscription name the lock was deployed into.')
output subscriptionName string = subscription().displayName
@sys.description('The scope this lock applies to.')
output scope string = subscription().id


@ -0,0 +1,44 @@
# Authorization Locks on Subscription level `[Microsoft.Authorization/locks/subscription]`
This module deploys Authorization Locks on Subscription level.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
## Parameters
**Required parameters**
| Parameter Name | Type | Allowed Values | Description |
| :-- | :-- | :-- | :-- |
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
**Optional parameters**
| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. |
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the lock. |
| `resourceId` | string | The resource ID of the lock. |
| `scope` | string | The scope this lock applies to. |
| `subscriptionName` | string | The subscription name the lock was deployed into. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.1"
}


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.1"
}


@ -0,0 +1,12 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-min-mg-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
}
}
}
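Review bot: The parameter key `policyDefinitionID` does not match the module's parameter name `policyDefinitionId` as declared by `param policyDefinitionId string` in both the orchestrator and the scope sub-modules, and the same spelling is used in the resource-group and subscription "min" test files below. ARM matches parameter names case-insensitively, so the deployment presumably still resolves, but the README examples generated from these files now show a key that does not appear in the module's parameter table, and the full-scope test files spell it `policyDefinitionId`. Renaming the key to `"policyDefinitionId"` in the three "min" files keeps the tests and examples aligned with the module contract.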


@ -0,0 +1,63 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-mg-polAss"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the management group scope"
},
"description": {
"value": "[Description] Policy Assignment at the management group scope"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"location": {
"value": "australiaeast"
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
]
},
"identity": {
"value": "SystemAssigned"
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"managementGroupId": {
"value": "<<managementGroupId>>"
}
}
}


@ -0,0 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-min-rg-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
},
"subscriptionId": {
"value": "<<subscriptionId>>"
},
"resourceGroupName": {
"value": "validation-rg"
}
}
}


@ -0,0 +1,69 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-rg-polAss"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the resource group scope"
},
"description": {
"value": "[Description] Policy Assignment at the resource group scope"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"location": {
"value": "australiaeast"
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
]
},
"identity": {
"value": "UserAssigned"
},
"userAssignedIdentityId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"subscriptionId": {
"value": "<<subscriptionId>>"
},
"resourceGroupName": {
"value": "validation-rg"
}
}
}


@ -0,0 +1,15 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-min-sub-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
},
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}


@ -0,0 +1,66 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-sub-polAss"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the subscription scope"
},
"description": {
"value": "[Description] Policy Assignment at the subscription scope"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"location": {
"value": "australiaeast"
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
]
},
"identity": {
"value": "UserAssigned"
},
"userAssignedIdentityId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}


@ -0,0 +1,155 @@
targetScope = 'managementGroup'
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.')
param name string
@sys.description('Optional. This message will be part of response in case of policy violation.')
param description string = ''
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
@maxLength(128)
param displayName string = ''
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
param policyDefinitionId string
@sys.description('Optional. Parameters for the policy assignment if needed.')
param parameters object = {}
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
@allowed([
'SystemAssigned'
'UserAssigned'
'None'
])
param identity string = 'SystemAssigned'
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
param userAssignedIdentityId string = ''
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
param roleDefinitionIds array = []
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessages array = []
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
@allowed([
'Default'
'DoNotEnforce'
])
param enforcementMode string = 'Default'
@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
param managementGroupId string = managementGroup().name
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment.')
param subscriptionId string = ''
@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment.')
param resourceGroupName string = ''
@sys.description('Optional. The policy excluded scopes.')
param notScopes array = []
@sys.description('Optional. Location for all resources.')
param location string = deployment().location
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
var enableReferencedModulesTelemetry = false
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
location: location
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
module policyAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
scope: managementGroup(managementGroupId)
params: {
name: name
policyDefinitionId: policyDefinitionId
displayName: !empty(displayName) ? displayName : ''
description: !empty(description) ? description : ''
parameters: !empty(parameters) ? parameters : {}
identity: identity
userAssignedIdentityId: userAssignedIdentityId
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
metadata: !empty(metadata) ? metadata : {}
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
managementGroupId: managementGroupId
location: location
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}
module policyAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
scope: subscription(subscriptionId)
params: {
name: name
policyDefinitionId: policyDefinitionId
displayName: !empty(displayName) ? displayName : ''
description: !empty(description) ? description : ''
parameters: !empty(parameters) ? parameters : {}
identity: identity
userAssignedIdentityId: userAssignedIdentityId
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
metadata: !empty(metadata) ? metadata : {}
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
subscriptionId: subscriptionId
location: location
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}
module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module'
scope: resourceGroup(subscriptionId, resourceGroupName)
params: {
name: name
policyDefinitionId: policyDefinitionId
displayName: !empty(displayName) ? displayName : ''
description: !empty(description) ? description : ''
parameters: !empty(parameters) ? parameters : {}
identity: identity
userAssignedIdentityId: userAssignedIdentityId
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
metadata: !empty(metadata) ? metadata : {}
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
subscriptionId: subscriptionId
location: location
enableDefaultTelemetry: enableReferencedModulesTelemetry
}
}
@sys.description('Policy Assignment Name.')
output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.name : policyAssignment_rg.outputs.name)
@sys.description('Policy Assignment principal ID.')
output principalId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.principalId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.principalId : policyAssignment_rg.outputs.principalId)
@sys.description('Policy Assignment resource ID.')
output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.resourceId : policyAssignment_rg.outputs.resourceId)
@sys.description('The location the resource was deployed into.')
output location string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.location : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.location : policyAssignment_rg.outputs.location)
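Review bot: The three module conditions leave one input combination uncovered: `resourceGroupName` set while `subscriptionId` is empty matches none of `policyAssignment_mg`, `policyAssignment_sub` or `policyAssignment_rg`, yet every output expression falls through to `policyAssignment_rg.outputs.*` in that case, so the deployment would presumably fail at the outputs with a reference error rather than a clear validation message. Short of restructuring the conditions, the `resourceGroupName` description should at least state the dependency, e.g. `@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. Requires subscriptionId to be set as well.')`. The README parameter table is generated from these descriptions, so the note would reach callers without a separate doc change.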


@ -0,0 +1,116 @@
targetScope = 'managementGroup'
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.')
@maxLength(24)
param name string
@sys.description('Optional. This message will be part of response in case of policy violation.')
param description string = ''
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
@maxLength(128)
param displayName string = ''
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
param policyDefinitionId string
@sys.description('Optional. Parameters for the policy assignment if needed.')
param parameters object = {}
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
@allowed([
'SystemAssigned'
'UserAssigned'
'None'
])
param identity string = 'SystemAssigned'
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
param userAssignedIdentityId string = ''
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
param roleDefinitionIds array = []
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessages array = []
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
@allowed([
'Default'
'DoNotEnforce'
])
param enforcementMode string = 'Default'
@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
param managementGroupId string = managementGroup().name
@sys.description('Optional. The policy excluded scopes.')
param notScopes array = []
@sys.description('Optional. Location for all resources.')
param location string = deployment().location
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
var identity_var = identity == 'SystemAssigned' ? {
type: identity
} : identity == 'UserAssigned' ? {
type: identity
userAssignedIdentities: {
'${userAssignedIdentityId}': {}
}
} : null
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
location: location
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
name: name
location: location
properties: {
displayName: !empty(displayName) ? displayName : null
metadata: !empty(metadata) ? metadata : null
description: !empty(description) ? description : null
policyDefinitionId: policyDefinitionId
parameters: parameters
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
}
identity: identity_var
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
name: guid(managementGroupId, roleDefinitionId, location, name)
properties: {
roleDefinitionId: roleDefinitionId
principalId: policyAssignment.identity.principalId
principalType: 'ServicePrincipal'
}
}]
@sys.description('Policy Assignment Name.')
output name string = policyAssignment.name
@sys.description('Policy Assignment principal ID.')
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
@sys.description('Policy Assignment resource ID.')
output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
@sys.description('The location the resource was deployed into.')
output location string = policyAssignment.location
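Review bot: The `roleAssignment` loop is guarded by `identity == 'SystemAssigned'`, so any `roleDefinitionIds` passed together with `identity: 'UserAssigned'` are silently dropped and the `principalId` output is `''`; a caller expecting the module to grant remediation permissions to a user-assigned identity gets neither a role assignment nor an error. The `roleDefinitionIds` description should say so, e.g. append `Only applied when identity is 'SystemAssigned'; a user-assigned identity must already hold the required roles.` Likewise, `identity: 'UserAssigned'` with the default empty `userAssignedIdentityId` makes `identity_var` emit a `userAssignedIdentities` map keyed by the empty string, so the `userAssignedIdentityId` description should mark it as required for that mode. Since these role assignments are created at management-group scope and inherit down the whole hierarchy, it is also worth stating in the description that the least-privileged role the policy definition actually declares should be passed rather than a broad built-in role.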


@ -0,0 +1,56 @@
# Policy Assignment on Management Group level `[Microsoft.Authorization/policyAssignments/managementGroup]`
With this module you can perform policy assignments on a management group level.
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. |
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
| `location` | string | `[deployment().location]` | | Location for all resources. |
| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. |
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
| `notScopes` | array | `[]` | | The policy excluded scopes. |
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | Policy Assignment Name. |
| `principalId` | string | Policy Assignment principal ID. |
| `resourceId` | string | Policy Assignment resource ID. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,711 @@
# Policy Assignments `[Microsoft.Authorization/policyAssignments]`
With this module you can perform policy assignments across the management group, subscription or resource group scope.
## Navigation
- [Resource types](#Resource-types)
- [Parameters](#Parameters)
- [Module Usage Guidance](#Module-Usage-Guidance)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Deployment examples](#Deployment-examples)
## Resource types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. |
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
| `location` | string | `[deployment().location]` | | Location for all resources. |
| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. |
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
| `notScopes` | array | `[]` | | The policy excluded scopes. |
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
| `resourceGroupName` | string | `''` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. |
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
| `subscriptionId` | string | `''` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. |
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
### Parameter Usage: `managementGroupId`
To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
<details>
<summary>Parameter JSON format</summary>
```json
"managementGroupId": {
"value": "contoso-group"
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
managementGroupId: 'contoso-group'
```
</details>
<p>
> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
### Parameter Usage: `subscriptionId`
To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
<details>
<summary>Parameter JSON format</summary>
```json
"subscriptionId": {
"value": "12345678-b049-471c-95af-123456789012"
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
subscriptionId: '12345678-b049-471c-95af-123456789012'
```
</details>
<p>
### Parameter Usage: `resourceGroupName`
To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**:
<details>
<summary>Parameter JSON format</summary>
```json
"subscriptionId": {
"value": "12345678-b049-471c-95af-123456789012"
},
"resourceGroupName": {
"value": "target-resourceGroup"
}
```
</details>
<details>
<summary>Bicep format</summary>
```bicep
subscriptionId: '12345678-b049-471c-95af-123456789012'
resourceGroupName: 'target-resourceGroup'
```
</details>
<p>
> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
## Module Usage Guidance
In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
```bicep
Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
```
The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following:
**Bicep Registry Reference**
```bicep
module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyassignments.subscription:version' = {}
```
**Local Path Reference**
```bicep
module policyassignment 'yourpath/modules/Microsoft.Authorization.policyAssignments/subscription/deploy.bicep' = {}
```
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | Policy Assignment Name. |
| `principalId` | string | Policy Assignment principal ID. |
| `resourceId` | string | Policy Assignment resource ID. |
## Cross-referenced modules
_None_
## Deployment examples
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
>**Note**: The name of each example is based on the name of the file from which it is taken.
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
<h3>Example 1: Mg Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-min-mg-polAss'
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-min-mg-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
}
}
}
```
</details>
<p>
<h3>Example 2: Mg</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-mg-polAss'
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
// Non-required parameters
description: '[Description] Policy Assignment at the management group scope'
displayName: '[Display Name] Policy Assignment at the management group scope'
enforcementMode: 'DoNotEnforce'
identity: 'SystemAssigned'
location: 'australiaeast'
managementGroupId: '<<managementGroupId>>'
metadata: {
category: 'Security'
version: '1.0'
}
nonComplianceMessages: [
{
message: 'Violated Policy Assignment - This is a Non Compliance Message'
}
]
notScopes: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg'
]
parameters: {
tagName: {
value: 'env'
}
tagValue: {
value: 'prod'
}
}
roleDefinitionIds: [
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
]
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-mg-polAss"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
// Non-required parameters
"description": {
"value": "[Description] Policy Assignment at the management group scope"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the management group scope"
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"identity": {
"value": "SystemAssigned"
},
"location": {
"value": "australiaeast"
},
"managementGroupId": {
"value": "<<managementGroupId>>"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
]
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
}
}
}
```
</details>
<p>
<h3>Example 3: Rg Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-min-rg-polAss'
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
// Non-required parameters
resourceGroupName: 'validation-rg'
subscriptionId: '<<subscriptionId>>'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-min-rg-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
},
// Non-required parameters
"resourceGroupName": {
"value": "validation-rg"
},
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}
```
</details>
<p>
<h3>Example 4: Rg</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-rg-polAss'
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
// Non-required parameters
description: '[Description] Policy Assignment at the resource group scope'
displayName: '[Display Name] Policy Assignment at the resource group scope'
enforcementMode: 'DoNotEnforce'
identity: 'UserAssigned'
location: 'australiaeast'
metadata: {
category: 'Security'
version: '1.0'
}
nonComplianceMessages: [
{
message: 'Violated Policy Assignment - This is a Non Compliance Message'
}
]
notScopes: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
]
parameters: {
tagName: {
value: 'env'
}
tagValue: {
value: 'prod'
}
}
resourceGroupName: 'validation-rg'
roleDefinitionIds: [
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
]
subscriptionId: '<<subscriptionId>>'
userAssignedIdentityId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-rg-polAss"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
// Non-required parameters
"description": {
"value": "[Description] Policy Assignment at the resource group scope"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the resource group scope"
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"identity": {
"value": "UserAssigned"
},
"location": {
"value": "australiaeast"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
]
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"resourceGroupName": {
"value": "validation-rg"
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"subscriptionId": {
"value": "<<subscriptionId>>"
},
"userAssignedIdentityId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
}
}
}
```
</details>
<p>
<h3>Example 5: Sub Min</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-min-sub-polAss'
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
// Non-required parameters
subscriptionId: '<<subscriptionId>>'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-min-sub-polAss"
},
"policyDefinitionID": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
},
// Non-required parameters
"subscriptionId": {
"value": "<<subscriptionId>>"
}
}
}
```
</details>
<p>
<h3>Example 6: Sub</h3>
<details>
<summary>via Bicep module</summary>
```bicep
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-PolicyAssignments'
params: {
// Required parameters
name: '<<namePrefix>>-sub-polAss'
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
// Non-required parameters
description: '[Description] Policy Assignment at the subscription scope'
displayName: '[Display Name] Policy Assignment at the subscription scope'
enforcementMode: 'DoNotEnforce'
identity: 'UserAssigned'
location: 'australiaeast'
metadata: {
category: 'Security'
version: '1.0'
}
nonComplianceMessages: [
{
message: 'Violated Policy Assignment - This is a Non Compliance Message'
}
]
notScopes: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg'
]
parameters: {
tagName: {
value: 'env'
}
tagValue: {
value: 'prod'
}
}
roleDefinitionIds: [
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
]
subscriptionId: '<<subscriptionId>>'
userAssignedIdentityId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001'
}
}
```
</details>
<p>
<details>
<summary>via JSON Parameter file</summary>
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-sub-polAss"
},
"policyDefinitionId": {
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
},
// Non-required parameters
"description": {
"value": "[Description] Policy Assignment at the subscription scope"
},
"displayName": {
"value": "[Display Name] Policy Assignment at the subscription scope"
},
"enforcementMode": {
"value": "DoNotEnforce"
},
"identity": {
"value": "UserAssigned"
},
"location": {
"value": "australiaeast"
},
"metadata": {
"value": {
"category": "Security",
"version": "1.0"
}
},
"nonComplianceMessages": {
"value": [
{
"message": "Violated Policy Assignment - This is a Non Compliance Message"
}
]
},
"notScopes": {
"value": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
]
},
"parameters": {
"value": {
"tagName": {
"value": "env"
},
"tagValue": {
"value": "prod"
}
}
},
"roleDefinitionIds": {
"value": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"subscriptionId": {
"value": "<<subscriptionId>>"
},
"userAssignedIdentityId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
}
}
}
```
</details>
<p>


@ -0,0 +1,121 @@
targetScope = 'resourceGroup'
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope.')
@maxLength(64)
param name string
@sys.description('Optional. This message will be part of response in case of policy violation.')
param description string = ''
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
@maxLength(128)
param displayName string = ''
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
param policyDefinitionId string
@sys.description('Optional. Parameters for the policy assignment if needed.')
param parameters object = {}
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
@allowed([
'SystemAssigned'
'UserAssigned'
'None'
])
param identity string = 'SystemAssigned'
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
param userAssignedIdentityId string = ''
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
param roleDefinitionIds array = []
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessages array = []
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
@allowed([
'Default'
'DoNotEnforce'
])
param enforcementMode string = 'Default'
@sys.description('Optional. The policy excluded scopes.')
param notScopes array = []
@sys.description('Optional. Location for all resources.')
param location string = resourceGroup().location
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
param subscriptionId string = subscription().subscriptionId
@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment.')
param resourceGroupName string = resourceGroup().name
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
var identity_var = identity == 'SystemAssigned' ? {
type: identity
} : identity == 'UserAssigned' ? {
type: identity
userAssignedIdentities: {
'${userAssignedIdentityId}': {}
}
} : null
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
name: name
location: location
properties: {
displayName: !empty(displayName) ? displayName : null
metadata: !empty(metadata) ? metadata : null
description: !empty(description) ? description : null
policyDefinitionId: policyDefinitionId
parameters: parameters
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
}
identity: identity_var
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, name)
properties: {
roleDefinitionId: roleDefinitionId
principalId: policyAssignment.identity.principalId
principalType: 'ServicePrincipal'
}
}]
@sys.description('Policy Assignment Name.')
output name string = policyAssignment.name
@sys.description('Policy Assignment principal ID.')
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
@sys.description('Policy Assignment resource ID.')
output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
@sys.description('The name of the resource group the policy was assigned to.')
output resourceGroupName string = resourceGroup().name
@sys.description('The location the resource was deployed into.')
output location string = policyAssignment.location
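Review bot: `roleDefinitionIds` is silently ignored unless `identity` is `SystemAssigned` — the `if (!empty(roleDefinitionIds) && identity == 'SystemAssigned')` guard on the `roleAssignment` loop skips every role assignment for a user-assigned identity, yet the `param roleDefinitionIds` description says the IDs are used to grant the identity permissions, and the Rg example in the README section earlier in this commit passes both `identity: 'UserAssigned'` and `roleDefinitionIds`. A policy that relies on those roles would then run with an identity that was never granted them, which is hard to diagnose from the deployment output. Either state the restriction in the description, e.g. `Only applied when identity is 'SystemAssigned'; a user-assigned identity must already hold the required roles.`, or resolve the user-assigned identity's principal ID and create the role assignments for it as well. The subscription-scoped `deploy.bicep` later in this commit has the same guard.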


@ -0,0 +1,58 @@
# Policy Assignment on Resource Group level `[Microsoft.Authorization/policyAssignments/resourceGroup]`
With this module you can perform policy assignments on a resource group level
## Navigation
- [Resource Types](#Resource-Types)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
## Resource Types
| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
## Parameters
**Required parameters**
| Parameter Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. |
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
**Optional parameters**
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
| `notScopes` | array | `[]` | | The policy excluded scopes. |
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
| `resourceGroupName` | string | `[resourceGroup().name]` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. |
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
| `subscriptionId` | string | `[subscription().subscriptionId]` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. |
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | Policy Assignment Name. |
| `principalId` | string | Policy Assignment principal ID. |
| `resourceGroupName` | string | The name of the resource group the policy was assigned to. |
| `resourceId` | string | Policy Assignment resource ID. |
## Cross-referenced modules
_None_


@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.4"
}


@ -0,0 +1,116 @@
targetScope = 'subscription'
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope.')
@maxLength(64)
param name string
@sys.description('Optional. This message will be part of response in case of policy violation.')
param description string = ''
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
@maxLength(128)
param displayName string = ''
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
param policyDefinitionId string
@sys.description('Optional. Parameters for the policy assignment if needed.')
param parameters object = {}
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
@allowed([
'SystemAssigned'
'UserAssigned'
'None'
])
param identity string = 'SystemAssigned'
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
param userAssignedIdentityId string = ''
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
param roleDefinitionIds array = []
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessages array = []
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
@allowed([
'Default'
'DoNotEnforce'
])
param enforcementMode string = 'Default'
@sys.description('Optional. The policy excluded scopes.')
param notScopes array = []
@sys.description('Optional. Location for all resources.')
param location string = deployment().location
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
param subscriptionId string = subscription().subscriptionId
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true
var identity_var = identity == 'SystemAssigned' ? {
type: identity
} : identity == 'UserAssigned' ? {
type: identity
userAssignedIdentities: {
'${userAssignedIdentityId}': {}
}
} : null
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
location: location
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
name: name
location: location
properties: {
displayName: !empty(displayName) ? displayName : null
metadata: !empty(metadata) ? metadata : null
description: !empty(description) ? description : null
policyDefinitionId: policyDefinitionId
parameters: parameters
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
enforcementMode: enforcementMode
notScopes: !empty(notScopes) ? notScopes : []
}
identity: identity_var
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
name: guid(subscriptionId, roleDefinitionId, location, name)
properties: {
roleDefinitionId: roleDefinitionId
principalId: policyAssignment.identity.principalId
principalType: 'ServicePrincipal'
}
}]
@sys.description('Policy Assignment Name.')
output name string = policyAssignment.name
@sys.description('Policy Assignment principal ID.')
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
@sys.description('Policy Assignment resource ID.')
output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
@sys.description('The location the resource was deployed into.')
output location string = policyAssignment.location
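Review bot: The `resourceId` output at `output resourceId string = subscriptionResourceId(subscriptionId, ...)` is reconstructed from the `subscriptionId` parameter rather than read from the deployed resource, so a caller who passes a `subscriptionId` that differs from the deployment's target subscription gets an ID for a resource that was never created — with `targetScope = 'subscription'` the assignment always lands in the deployment's own subscription, and the parameter only feeds the `guid(...)` name and this output. `output resourceId string = policyAssignment.id` reports the actual ID without that ambiguity. The resource-group-scoped `deploy.bicep` earlier in this commit has the same pattern in its `az.resourceId(subscriptionId, resourceGroupName, ...)` output. Separately, `principalId` returns `''` for `identity == 'UserAssigned'`; its `@sys.description` should say that only a system-assigned principal is reported.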
